Add a RO websocket, enforce it on the backend instead of the frontend #203

@danielpodwysocki

Is your enhancement request related to a problem? Please describe.

In more secure environments, we need to guarantee the read-only mode is truly read-only - meaning only the person who "owns" the desktop can send keystrokes.

The current read-only endpoint is enforced via the JS frontend. Keystrokes will still be accepted by the open websocket.

Describe the solution you'd like

I would like to have a websocket endpoint that is guaranteed to be RO on the backend and is not just guarded by the frontend.

It can then be guarded by my ingress/reverse proxy with its own authentication, allowing me to plug in the correct authorization for my use case/deployment/organization etc.

Since in most modern envs such things are handled outside the application, I think it'd be great to keep it lean and allow the existing infrastructure to handle authentication and routing the traffic here - all that'd be needed is for Selkies to listen on a separate port where the input is ignored.

By simply adding another DataStreamingServer with a None input_handler, I managed to get this working.

I'll submit a PR - do let me know if there are better ways to solve this, however. I'm happy to contribute here, as we use Selkies with similar use cases quite heavily.

This issue loosely relates to #39, but doesn't implement it fully.

  • [x] I confirm that this issue is relevant to the scope of this project. If you know that upstream projects are the cause of this problem, please raise the issue there.
  • [x] I confirm that I have read other open and closed issues and that duplicates do not exist.
  • [x] I confirm that I have described the solution as well as the problem in detail, and if possible, explained how to solve the problem.
  • [x] I confirm that no portion of this issue contains credentials or other private information, and it is my own responsibility to protect my privacy.
  • [x] I confirm that the authors of this issue do not willfully breach or infringe legal regulations, in any and all global law, regarding trademarks, trade names, logos, patents, or any and all other forms of external intellectual property, as well as adhering to software license terms of open-source and proprietary software projects.
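
An added example, not part of the original issue and not Selkies code: a minimal model of the backend enforcement requested above, where an endpoint built with no input handler drops input frames whatever the client sends. `StreamEndpoint`, `Desktop` and the `type,payload` frame format are hypothetical, constructed for illustration.

```python
"""Constructed model of backend-enforced read-only streaming (not Selkies code)."""

# Constructed wire format for this example: "<type>,<payload>".
INPUT_TYPES = {"kd", "ku", "m", "b"}  # key down/up, mouse move, mouse button


class Desktop:
    """Stand-in for the shared session that both endpoints stream from."""
    def __init__(self):
        self.events = []

    def inject(self, msg_type, payload):
        self.events.append((msg_type, payload))


class StreamEndpoint:
    """One listener. input_handler=None makes it read-only on the server side."""
    def __init__(self, name, input_handler=None):
        self.name = name
        self.input_handler = input_handler
        self.dropped = []  # audit trail of ignored input, useful for alerting

    def on_message(self, client_id, raw):
        """Return True if the frame reached the desktop, False if ignored."""
        msg_type, _, payload = raw.partition(",")
        if msg_type not in INPUT_TYPES:
            return False  # unknown or malformed frames never reach the desktop
        if self.input_handler is None:
            # Enforcement point: whatever the client's JS does is irrelevant here.
            self.dropped.append((client_id, msg_type))
            return False
        self.input_handler(msg_type, payload)
        return True


def demo():
    desktop = Desktop()
    rw = StreamEndpoint("owner", input_handler=desktop.inject)
    ro = StreamEndpoint("viewer", input_handler=None)
    # Constructed traffic: the viewer skips the frontend and writes raw frames.
    rw.on_message("owner-1", "kd,97")
    ro.on_message("viewer-7", "kd,65293")
    ro.on_message("viewer-7", "m,10,20")
    return desktop.events, ro.dropped


if __name__ == "__main__":
    print(demo())
```

With the two endpoints on separate ports, the reverse proxy decides who may reach the read-write one, and entries in `dropped` show which viewers attempted input.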

Labels: enhancement