-
-
Notifications
You must be signed in to change notification settings - Fork 633
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ui.download
doesn't work for all browsers connected to the auto-index page
#4016
Comments
ui.download
from the auto index page with multiple browsers / clients connected causes the file to download to on all connected clients and fail on some
Thanks for the detailed report, @PeterQuinn396! Let's break it down:
I'll mark this issue as bug since we need to address point 1. |
ui.download
from the auto index page with multiple browsers / clients connected causes the file to download to on all connected clients and fail on some ui.download
doesn't work for all browsers connected to the auto-index page
Hi @falkoschindler! Thanks for getting back to me, I really appreciate it. Completely understood on points 1 and 2. For point 3, this does seem solve the problem for the simple example I provided here, after serving the file with However, for my actual use case, the file isn't known when the server starts up. It is meant to write out the current state of the application when the download is triggered. I managed to combine your suggestion with my example before, I will just share it here for completeness. It does appear to solve my issue well enough currently, so thank you very much for the suggestion! from nicegui import ui, core
from nicegui.events import ClickEventArguments
def main():
append_info = "current app state"
def download(click_event_args: ClickEventArguments):
# server needs to generate file / modify prior to download
with open("small_file.txt", "a") as f:
f.write(f"{append_info}\n")
src = core.app.add_static_file(
local_file="small_file.txt", url_path="/download", single_use=True
)
print(f"hit download, made {src}")
b = ui.button("Download", on_click=download)
b.on(
"click",
js_handler="""
(e) => {
const anchor = document.createElement("a");
anchor.href = "/download";
anchor.target = "_blank";
anchor.download = "small_file.txt";
document.body.appendChild(anchor);
setTimeout(() => anchor.click(), 500);
document.body.removeChild(anchor);
}
""",
)
ui.run(reload=False, dark=True)
if __name__ == "__main__":
main()
Just one more thing, mostly out of curiosity, regarding the
In your response, you mention that user events don't contain socket information, while this doc line seems to indicate that buttons clicks do contain socket information. I'm just trying to reconcile those two statements (maybe there is a difference between user events and button clicks?). Web dev is not my strong suit, so please forgive me if there is something obvious I am missing. Thank you! |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
@PeterQuinn396 To finally answer your last question:
I think the documentation is wrong in this respect. I tried tracing back the statement to when it was written, but it looks like it comes from before the major re-write for version 1.0 where we replaced the underlying JustPy with our own transport layer. Maybe the socket ID was part of user events back then or it was planned and never implemented. Anyway, I'll fix the documentation and create a new feature request (#4218) to add socket IDs to UI event arguments. Oh and I'll add a delay before removing single-use routes. |
Description
First off, NiceGUI is a great tool and I love working with it, thank you so much for making it and supporting it!
Problem
I've come across a strange behavior that I believe is potentially problematic.
I am using a nicegui webpage to monitor and control the state of a piece of hardware, using the auto index page to ensure that anyone viewing the webpage sees the same state of the hardware.
When using the auto index page with multiple clients (either different web browers on the same machine, or browsers on different machines), when one user clicks a
ui.button
element which triggers aui.download
call, the download is initiated on all connected clients.This triggers a race condition between the browsers / clients to download the file. The first client to access it receives the file, all the others show a download failed error, as the file download url can only be used once:
nicegui/nicegui/functions/download.py
Line 19 in 1f78c86
The situation can arise where the user who clicked the download button does not receive the file, but it goes to a user on a different machine, who also happens to be viewing the auto index page.
This seems like a potentially problematic situation, as arbitrary files can be downloaded onto another persons machine, and the desired files don't up on the correct target machine.
Minimal working example
Using ubuntu 22 and python 3.10, and latest version of nicegui==2.5.0
Create a small file to download later
Run the following code from the same folder
Open the URL from the terminal in two different webbrowers on the same machine (ex chrome and firefox)
Press the download button, both will attempt to download the file, but one will fail. It may be the browser that requested the download, or the other one, its not very predictable
Closing one of the browsers fixes allows the single one to consistently download the file as expected
Attempted fixes / investigation so far
I couldn't see anyway to work with
ui.download
function arguments to change this behaviour, so I looked for alternatives to have only the user that initiated the download receive the file.My understanding with NiceGUI is that per user interactions are done with the
ui.page()
decorator. So I tried a small example below:However, it looks like the
ui.navigate.to()
function uses a similar mechanism asui.download()
, so all the clients connected to the webpage try to navigate to the new page.The documentation for the
navigate.to
function here seems to suggest there is a way to make the function only run for the triggering client when using the auto page index, but I have not been able to figure out how to make that work. Thenavigate.to
function does not provide an explicit socket parameter suggested by the note, and theClickEventArguments
fields don't seem to expose a socket parameter.Separately, while reading through the code, I also came across this function, which seems related to controlling responses to clients connected to the webpage, but I wasn't able to find much documentation for how to use it.
nicegui/nicegui/client.py
Line 324 in 1f78c86
Conclusion
I just wanted to make the team aware of what could be seen as a potential security issue of downloading files onto another machine remotely.
As for resolving my current issue, I think my question boils down to:
ui.download
,ui.navigate.to()
)If anyone has any ideas about how that might be achievable, I would really appreciate any insight here.
Apologies for the long post, I just wanted to make sure it was documented as clearly as possible.
Thank you very much!
The text was updated successfully, but these errors were encountered: