socketio-jwt/lib/index.js

var xtend = require('xtend');
var jwt = require('jsonwebtoken');
var UnauthorizedError = require('./UnauthorizedError');

function noQsMethod(options) {
  var defaults = { required: true };
  options = xtend(defaults, options);

  return function (socket) {
    var server = this.server || socket.server;

    if (!server.$emit) {
      //then is socket.io 1.0
      var Namespace = Object.getPrototypeOf(server.sockets).constructor;
      if (!~Namespace.events.indexOf('authenticated')) {
        Namespace.events.push('authenticated');
      }
    }

    if(options.required){
      var auth_timeout = setTimeout(function () {
        socket.disconnect('unauthorized');
      }, options.timeout || 5000);
    }

    socket.on('authenticate', function (data) {
      if(options.required){
        clearTimeout(auth_timeout);
      }
      // error handler
      var onError = function(err, code) {
          if (err) {
            code = code || 'unknown';
            var error = new UnauthorizedError(code, {
              message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err
            });
            socket.emit('unauthorized', error, function() {
              socket.disconnect('unauthorized');
            });
            return; // stop logic, socket will be close on next tick
          }
      };

      if(typeof data.token !== "string") {
        return onError({message: 'invalid token datatype'}, 'invalid_token');
      }

      var onJwtVerificationReady = function(err, decoded) {

        if (err) {
          return onError(err, 'invalid_token');
        }

        // success handler
        var onSuccess = function() {
          socket.decoded_token = decoded;
          socket.emit('authenticated');
          if (server.$emit) {
            server.$emit('authenticated', socket);
          } else {
            //try getting the current namespace otherwise fallback to all sockets.
            var namespace = (server.nsps && socket.nsp &&
                             server.nsps[socket.nsp.name]) ||
                            server.sockets;

            // explicit namespace
            namespace.emit('authenticated', socket);
          }
        };

        if(options.additional_auth && typeof options.additional_auth === 'function') {
          options.additional_auth(decoded, onSuccess, onError);
        } else {
          onSuccess();
        }
      };

      var onSecretReady = function(err, secret) {
        if (err || !secret) {
          return onError(err, 'invalid_secret');
        }

        jwt.verify(data.token, secret, options, onJwtVerificationReady);
      };

      getSecret(socket.request, options.secret, data.token, onSecretReady);
    });
  };
}

function authorize(options, onConnection) {
  if (!options.handshake) {
    return noQsMethod(options);
  }

  var defaults = {
    success: function(data, accept){
      if (data.request) {
        accept();
      } else {
        accept(null, true);
      }
    },
    fail: function(error, data, accept){
      if (data.request) {
        accept(error);
      } else {
        accept(null, false);
      }
    }
  };

  var auth = xtend(defaults, options);

  return function(data, accept){
    var token, error;
    var req = data.request || data;
    var authorization_header = (req.headers || {}).authorization;

    if (authorization_header) {
      var parts = authorization_header.split(' ');
      if (parts.length == 2) {
        var scheme = parts[0],
          credentials = parts[1];

        if (scheme.toLowerCase() === 'bearer') {
          token = credentials;
        }
      } else {
        error = new UnauthorizedError('credentials_bad_format', {
          message: 'Format is Authorization: Bearer [token]'
        });
        return auth.fail(error, data, accept);
      }
    }

    //get the token from query string
    if (req._query && req._query.token) {
      token = req._query.token;
    }
    else if (req.query && req.query.token) {
      token = req.query.token;
    }

    if (!token) {
      error = new UnauthorizedError('credentials_required', {
        message: 'No Authorization header was found'
      });
      return auth.fail(error, data, accept);
    }

    var onJwtVerificationReady = function(err, decoded) {

      if (err) {
        error = new UnauthorizedError(err.code || 'invalid_token', err);
        return auth.fail(error, data, accept);
      }

      data.decoded_token = decoded;

      return auth.success(data, accept);
    };

    var onSecretReady = function(err, secret) {
      if (err) {
        error = new UnauthorizedError(err.code || 'invalid_secret', err);
        return auth.fail(error, data, accept);
      }

      jwt.verify(token, secret, options, onJwtVerificationReady);
    };

    getSecret(req, options.secret, token, onSecretReady);
  };
}

function getSecret(request, secret, token, callback) {
  if (typeof secret === 'function') {
    if (!token) {
      return callback({ code: 'invalid_token', message: 'jwt must be provided' });
    }

    var parts = token.split('.');

    if (parts.length < 3) {
      return callback({ code: 'invalid_token', message: 'jwt malformed' });
    }

    if (parts[2].trim() === '') {
      return callback({ code: 'invalid_token', message: 'jwt signature is required' });
    }

    var decodedToken = jwt.decode(token);

    if (!decodedToken) {
      return callback({ code: 'invalid_token', message: 'jwt malformed' });
    }

    secret(request, decodedToken, callback);
  } else {
    callback(null, secret);
  }
};

exports.authorize = authorize;
remove connect and cookie dependency 2013-06-05 08:38:33 -03:00			`var xtend = require('xtend');`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`var jwt = require('jsonwebtoken');`
			`var UnauthorizedError = require('./UnauthorizedError');`
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 11:13:28 -05:00
change the API 2014-01-14 08:30:39 -03:00			`function noQsMethod(options) {`
set required defaults to true 2015-05-29 08:52:14 -03:00			`var defaults = { required: true };`
			`options = xtend(defaults, options);`

add noqs method 2014-01-13 18:41:10 -03:00			`return function (socket) {`
add tests for namespace configuration 2015-08-31 11:04:04 -03:00			`var server = this.server \|\| socket.server;`
change the API 2014-01-14 08:30:39 -03:00
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`if (!server.$emit) {`
			`//then is socket.io 1.0`
add tests for namespace configuration 2015-08-31 11:04:04 -03:00			`var Namespace = Object.getPrototypeOf(server.sockets).constructor;`
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`if (!~Namespace.events.indexOf('authenticated')) {`
			`Namespace.events.push('authenticated');`
			`}`
			`}`
set required defaults to true 2015-05-29 08:52:14 -03:00
			`if(options.required){`
			`var auth_timeout = setTimeout(function () {`
			`socket.disconnect('unauthorized');`
			`}, options.timeout \|\| 5000);`
			`}`

add noqs method 2014-01-13 18:41:10 -03:00			`socket.on('authenticate', function (data) {`
set required defaults to true 2015-05-29 08:52:14 -03:00			`if(options.required){`
			`clearTimeout(auth_timeout);`
			`}`
Validation on socket authenticate, should check that the data.token exists and if it is the desired type? socket.emit( 'authenticate', {token: {} }); // will crash server if sent from client-side. 2015-11-01 20:44:25 +01:00			`// error handler`
			`var onError = function(err, code) {`
Add an "additionnal" option (Function(decoded, onSuccess, onError)). When the token is parser and validated the callback is triggered and allow addition of extra logic (e.g. validate the user status against database). Improve returned errors. 2015-05-07 11:49:00 +02:00			`if (err) {`
			`code = code \|\| 'unknown';`
			`var error = new UnauthorizedError(code, {`
			`message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err`
			`});`
			`socket.emit('unauthorized', error, function() {`
			`socket.disconnect('unauthorized');`
			`});`
			`return; // stop logic, socket will be close on next tick`
			`}`
Validation on socket authenticate, should check that the data.token exists and if it is the desired type? socket.emit( 'authenticate', {token: {} }); // will crash server if sent from client-side. 2015-11-01 20:44:25 +01:00			`};`
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00
Validation on socket authenticate, should check that the data.token exists and if it is the desired type? socket.emit( 'authenticate', {token: {} }); // will crash server if sent from client-side. 2015-11-01 20:44:25 +01:00			`if(typeof data.token !== "string") {`
			`return onError({message: 'invalid token datatype'}, 'invalid_token');`
			`}`
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00
			`var onJwtVerificationReady = function(err, decoded) {`
set required defaults to true 2015-05-29 08:52:14 -03:00
Added optional authentication and the ability to call another function to further validate the token * Optional authentication is useful when you wish to serve both secure and unsecured services via the same server socket * The ability to specify an additional function to be called to further validate the token is useful when you wish to be able to expire tokens for some reason 2014-10-24 17:01:53 +01:00			`if (err) {`
Add an "additionnal" option (Function(decoded, onSuccess, onError)). When the token is parser and validated the callback is triggered and allow addition of extra logic (e.g. validate the user status against database). Improve returned errors. 2015-05-07 11:49:00 +02:00			`return onError(err, 'invalid_token');`
add noqs method 2014-01-13 18:41:10 -03:00			`}`
set required defaults to true 2015-05-29 08:52:14 -03:00
Add an "additionnal" option (Function(decoded, onSuccess, onError)). When the token is parser and validated the callback is triggered and allow addition of extra logic (e.g. validate the user status against database). Improve returned errors. 2015-05-07 11:49:00 +02:00			`// success handler`
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`var onSuccess = function() {`
Add an "additionnal" option (Function(decoded, onSuccess, onError)). When the token is parser and validated the callback is triggered and allow addition of extra logic (e.g. validate the user status against database). Improve returned errors. 2015-05-07 11:49:00 +02:00			`socket.decoded_token = decoded;`
			`socket.emit('authenticated');`
			`if (server.$emit) {`
			`server.$emit('authenticated', socket);`
			`} else {`
add tests for namespace configuration 2015-08-31 11:04:04 -03:00			`//try getting the current namespace otherwise fallback to all sockets.`
			`var namespace = (server.nsps && socket.nsp &&`
			`server.nsps[socket.nsp.name]) \|\|`
			`server.sockets;`

add support for namespace authentication fixes #32 2015-07-18 19:20:19 -07:00			`// explicit namespace`
add tests for namespace configuration 2015-08-31 11:04:04 -03:00			`namespace.emit('authenticated', socket);`
Add an "additionnal" option (Function(decoded, onSuccess, onError)). When the token is parser and validated the callback is triggered and allow addition of extra logic (e.g. validate the user status against database). Improve returned errors. 2015-05-07 11:49:00 +02:00			`}`
Added optional authentication and the ability to call another function to further validate the token * Optional authentication is useful when you wish to serve both secure and unsecured services via the same server socket * The ability to specify an additional function to be called to further validate the token is useful when you wish to be able to expire tokens for some reason 2014-10-24 17:01:53 +01:00			`};`
set required defaults to true 2015-05-29 08:52:14 -03:00
Merge branch 'master' of https://github.com/dbrugne/socketio-jwt into dbrugne-master Conflicts: lib/index.js 2015-05-29 09:00:34 -03:00			`if(options.additional_auth && typeof options.additional_auth === 'function') {`
fixed var name 2015-07-05 19:57:24 +03:00			`options.additional_auth(decoded, onSuccess, onError);`
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`} else {`
Added optional authentication and the ability to call another function to further validate the token * Optional authentication is useful when you wish to serve both secure and unsecured services via the same server socket * The ability to specify an additional function to be called to further validate the token is useful when you wish to be able to expire tokens for some reason 2014-10-24 17:01:53 +01:00			`onSuccess();`
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`}`
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`};`

			`var onSecretReady = function(err, secret) {`
			`if (err \|\| !secret) {`
			`return onError(err, 'invalid_secret');`
			`}`
add noqs method 2014-01-13 18:41:10 -03:00
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`jwt.verify(data.token, secret, options, onJwtVerificationReady);`
			`};`

			`getSecret(socket.request, options.secret, data.token, onSecretReady);`
			`});`
add noqs method 2014-01-13 18:41:10 -03:00			`};`
			`}`

			`function authorize(options, onConnection) {`
set required defaults to true 2015-05-29 08:52:14 -03:00			`if (!options.handshake) {`
			`return noQsMethod(options);`
			`}`

fix #6 use same parameters than express.session 2013-02-05 19:15:04 -03:00			`var defaults = {`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`success: function(data, accept){`
add support for socket.io 1.0 2014-06-03 08:12:07 -03:00			`if (data.request) {`
			`accept();`
			`} else {`
			`accept(null, true);`
			`}`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`},`
			`fail: function(error, data, accept){`
add support for socket.io 1.0 2014-06-03 08:12:07 -03:00			`if (data.request) {`
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`accept(error);`
add support for socket.io 1.0 2014-06-03 08:12:07 -03:00			`} else {`
			`accept(null, false);`
			`}`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`}`
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 11:13:28 -05:00			`};`
initial 2012-09-05 15:14:36 -03:00
a little simpler 2013-11-15 10:47:51 +01:00			`var auth = xtend(defaults, options);`
Allow 0 value for serialized user (id) 2013-06-30 20:06:21 +01:00
initial 2012-09-05 15:14:36 -03:00			`return function(data, accept){`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`var token, error;`
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`var req = data.request \|\| data;`
			`var authorization_header = (req.headers \|\| {}).authorization;`
add support for socket.io 1.0 2014-06-03 08:12:07 -03:00
			`if (authorization_header) {`
			`var parts = authorization_header.split(' ');`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`if (parts.length == 2) {`
			`var scheme = parts[0],`
			`credentials = parts[1];`
initial 2012-09-05 15:14:36 -03:00
minor 2015-05-17 22:05:00 -03:00			`if (scheme.toLowerCase() === 'bearer') {`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`token = credentials;`
			`}`
			`} else {`
			`error = new UnauthorizedError('credentials_bad_format', {`
			`message: 'Format is Authorization: Bearer [token]'`
			`});`
			`return auth.fail(error, data, accept);`
			`}`
			`}`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00
add support for socket.io 1.0 2014-06-03 08:12:07 -03:00			`//get the token from query string`
Make it look for both kinds of query add a check on req.query along with req._query for different versions 2014-06-06 13:09:06 -05:00			`if (req._query && req._query.token) {`
			`token = req._query.token;`
			`}`
			`else if (req.query && req.query.token) {`
req._query is now req.query Not sure exactly when this happened, but i had to make this change for my versions of node/js 2014-06-06 12:28:11 -05:00			`token = req.query.token;`
fixed all broken tests with socket.io 1.0, close #10 2014-06-05 15:45:41 -03:00			`}`
initial 2012-09-05 15:14:36 -03:00
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`if (!token) {`
			`error = new UnauthorizedError('credentials_required', {`
			`message: 'No Authorization header was found'`
initial 2012-09-05 15:14:36 -03:00			`});`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`return auth.fail(error, data, accept);`
			`}`

Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`var onJwtVerificationReady = function(err, decoded) {`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00
			`if (err) {`
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`error = new UnauthorizedError(err.code \|\| 'invalid_token', err);`
initial commit after fork of passport-socketio 2014-01-13 16:00:21 -03:00			`return auth.fail(error, data, accept);`
			`}`

change user to decoded_token 2014-01-14 17:44:03 -03:00			`data.decoded_token = decoded;`
initial 2012-09-05 15:14:36 -03:00
fix(lib/index.js) return auth.success Next step would not execute because no function(socket, next) was returned in case of successful verification in the 'one roundtrip' (handshake) approach. Returning auth.success instead of just executing it solves this. Fixes #51 2015-10-08 14:06:33 +02:00			`return auth.success(data, accept);`
Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`};`

			`var onSecretReady = function(err, secret) {`
			`if (err) {`
			`error = new UnauthorizedError(err.code \|\| 'invalid_secret', err);`
			`return auth.fail(error, data, accept);`
			`}`

			`jwt.verify(token, secret, options, onJwtVerificationReady);`
			`};`

			`getSecret(req, options.secret, token, onSecretReady);`
initial 2012-09-05 15:14:36 -03:00			`};`
			`}`

Add ability to generate secret dynamically This allow you to pass a function instead of an string in order to generate secret based on the new connection features. 2015-11-18 17:36:24 -03:00			`function getSecret(request, secret, token, callback) {`
			`if (typeof secret === 'function') {`
			`if (!token) {`
			`return callback({ code: 'invalid_token', message: 'jwt must be provided' });`
			`}`

			`var parts = token.split('.');`

			`if (parts.length < 3) {`
			`return callback({ code: 'invalid_token', message: 'jwt malformed' });`
			`}`

			`if (parts[2].trim() === '') {`
			`return callback({ code: 'invalid_token', message: 'jwt signature is required' });`
			`}`

			`var decodedToken = jwt.decode(token);`

			`if (!decodedToken) {`
			`return callback({ code: 'invalid_token', message: 'jwt malformed' });`
			`}`

			`secret(request, decodedToken, callback);`
			`} else {`
			`callback(null, secret);`
			`}`
			`};`

initial 2012-09-05 15:14:36 -03:00			`exports.authorize = authorize;`