Socket.IO Authentication

authentication node.js express socket.io

I am trying to use Socket.IO in Node.js, and am trying to allow the server to give an identity to each of the Socket.IO clients. As the socket code is outside the scope of the http server code, it doesn't have easy access to the request information sent, so I'm assuming it will need to be sent up during the connection. What is the best way to

1) get the information to the server about who is connecting via Socket.IO

2) authenticate who they say they are (I'm currently using Express, if that makes things any easier)


Use connect-redis and have redis as your session store for all authenticated users. Make sure on authentication you send the key (normally req.sessionID) to the client. Have the client store this key in a cookie.

On socket connect (or anytime later) fetch this key from the cookie and send it back to the server. Fetch the session information in redis using this key. (GET key)

Eg:

Server side (with redis as session store):

req.session.regenerate...
res.send({rediskey: req.sessionID});

Client side:

//store the key in a cookie
SetCookie('rediskey', <%= rediskey %>); //http://msdn.microsoft.com/en-us/library/ms533693(v=vs.85).aspx

//then when socket is connected, fetch the rediskey from the document.cookie and send it back to server
var socket = new io.Socket();

socket.on('connect', function() {
  var rediskey = GetCookie('rediskey'); //http://msdn.microsoft.com/en-us/library/ms533693(v=vs.85).aspx
  socket.send({rediskey: rediskey});
});

Server side:

//in io.on('connection')
io.on('connection', function(client) {
  client.on('message', function(message) {

    if(message.rediskey) {
      //fetch session info from redis
      redisclient.get(message.rediskey, function(e, c) {
        client.user_logged_in = c.username;
      });
    }

  });
});

I also liked the way pusherapp does private channels.enter image description here

A unique socket id is generated and sent to the browser by Pusher. This is sent to your application (1) via an AJAX request which authorizes the user to access the channel against your existing authentication system. If successful your application returns an authorization string to the browser signed with you Pusher secret. This is sent to Pusher over the WebSocket, which completes the authorization (2) if the authorization string matches.

Because also socket.io has unique socket_id for every socket. 

socket.on('connect', function() {
        console.log(socket.transport.sessionid);
});

They used signed authorization strings to authorize users.

I haven't yet mirrored this to socket.io, but I think it could be pretty interesting concept.

Related

Choosing Mobile Web HTML5 Framework [closed]
Get users by name property using Firebase
How to change a module variable from another module?
Admob Error in Eclipse for android:configChanges
How to read user input into a variable in Bash?
how to deal with google map inside of a hidden div (Updated picture)
How do I convert a TimeSpan to a formatted string? [duplicate]
What is the difference between sscanf or atoi to convert a string to an integer?
How to deploy an ASP.NET Application with zero downtime
What are Transient and Volatile Modifiers?
Prevent strace from abbreviating arguments?
What are the key differences between Apache Thrift, Google Protocol Buffers, MessagePack, ASN.1 and Apache Avro?