8

I've red this tutorial: http://howtonode.org/socket-io-auth. It shows how to authenticate users using express and socket.io. But is there a way to authenticate users using only socket.io without the need for express?

edit:

For session handling I use RedisStore (https://github.com/LearnBoost/Socket.IO/wiki/Configuring-Socket.IO). Whats left is a module to create authentication cookies. Does anyone know of a socket.io implementation I can use to create an authentication cookie like you can do with session handling?

Improve this question
4
  • Are you using Socket.IO as a standalone? The authenticator doesn't create cookies, it just passes them to Socket.IO. Commented Nov 2, 2013 at 19:53
  • @hexacyanide at the moment I'm using express with socket.io. Express only creates the auth cookie. I don't use it's routing, middleware, .... Session between express and socket.io is shared with connect-redis. I think it's a way too big dependency to use express only to sign cookies. So I'm looking for a solution that doesn't depend on express (connect). I could implement my own untested and insecure auth procedure but like Golo Roden suggested it's not advisable. Commented Nov 3, 2013 at 11:07
  • So in other words, you'd like an implementation that runs on the base HTTP server? Because if you don't want to use an HTTP server entirely, then would you want to use cookies? Commented Nov 3, 2013 at 16:14
  • @hexacyanide Yes. Just need a node module that can handle signed auth cookies. I know how to implement a simple HTTP server using node. But don't know of any tested node module that can create signed cookies. I just want to use the HTTP server for the first req/res cycle. I'm using cookies, because you can protect them from XSS and make them HTTPS only. Commented Nov 3, 2013 at 16:46

3 Answers 3

Reset to default
10

I know this is bit old, but for future readers in addition to the approach of parsing cookie and retrieving the session from the storage (eg. passport.socketio ) you might also consider a token based approach.

In this example I use JSON Web Tokens which are pretty standard. You have to give to the client page the token, in this example imagine an authentication endpoint that returns JWT:

var jwt = require('jsonwebtoken');
// other requires

app.post('/login', function (req, res) {

  // TODO: validate the actual user user
  var profile = {
    first_name: 'John',
    last_name: 'Doe',
    email: '[email protected]',
    id: 123
  };

  // we are sending the profile in the token
  var token = jwt.sign(profile, jwtSecret, { expiresInMinutes: 60*5 });

  res.json({token: token});
});

Now, your socket.io server can be configured as follows:

var socketioJwt = require('socketio-jwt');

var sio = socketIo.listen(server);

sio.set('authorization', socketioJwt.authorize({
  secret: jwtSecret,
  handshake: true
}));

sio.sockets
  .on('connection', function (socket) {
     console.log(socket.handshake.decoded_token.email, 'has joined');
     //socket.on('event');
  });

The socket.io-jwt middleware expects the token in a query string, so from the client you only have to attach it when connecting:

var socket = io.connect('', {
  query: 'token=' + token
});

I wrote a more detailed explanation about this method and cookies here.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

So for this, the token isn't used like a session? As in, the token isn't stored anywhere except for the client? Is decoding a token using a secret the same (in terms of security) as using a token as a session id within a session store? I'm just trying to wrap my head around the benefits of this token-based method.
@José F. Romaniello Although I asked for a cookie based authentication, I will accept your answer. Back then in 2013 I thought cookies were the way go. After reading you article (and some others on auth0), I will give tokens a try.
3

Instead or wiring up authentication and session handling code manually, I'd recommend to go with a dedicated module, such as session.socket.io (but please note that this is a module that requires Express as well).

I guess (but don't know) that there were downvotes because you need some sort of session handling, and you most probably do not want to do this manually as well ;-). Hence it's a quite good idea to stick with Express here.

Nevertheless, it's an interesting question, although I can not answer on how to do it without Express.

Improve this answer

1 Comment

for session handling I use RedisStore. Found it on github.com/LearnBoost/Socket.IO/wiki/Configuring-Socket.IO.
1

I am quite new to node.js, just started a few days ago. and i only can answer to the first part to the question, which is user authentication without the use of express. and i also got no session-style handling yet.
the reason I am still answering to this question is to help out other people who are new to node with a more simple alternative solution for the beginning.

the solution i am currently using in my learning project (a socket.io - based chat, what else?) is using the http server for authentication.
if you can't get a valid authentication on the http server, you'll never get access to the page with the socket.io interface.

the user authentication on the http server is handled by reading out some POST data. only if the POST data is valid user data the user is allowed to move on to the chat where the socket.io interface is.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.