socketio-jwt/lib/index.js

var xtend = require('xtend');

function parseCookie(auth, cookieHeader) {
  var cookieParser = auth.cookieParser(auth.secret);
  var req = {
    headers:{
      cookie: cookieHeader
    }
  };
  var result;
  cookieParser(req, {}, function (err) {
    if (err) throw err;
    result = req.signedCookies;
  });
  return result;
}

function authorize(options) {
  var defaults = {
    passport:     require('passport'),
    key:          'connect.sid',
    secret:       null,
    store:        null,
    success:      function(data, accept){accept(null, true)},
    fail:         function(data, message, critical, accept){accept(null, false)}
  };

  var auth = xtend(defaults, options);

  auth.userProperty = auth.passport._userProperty || 'user';

  if (!auth.cookieParser) {
    throw new Error('cookieParser is required use connect.cookieParser or express.cookieParser');
  }

  return function(data, accept){
    data.cookie = parseCookie(auth, data.headers.cookie || '');
    data.sessionID = data.query.session_id || data.cookie[auth.key] || '';
    data[auth.userProperty] = {
      logged_in: false
    };

    if(data.xdomain && !data.sessionID)
      return auth.fail(data, 'Can not read cookies from CORS-Requests. See CORS-Workaround in the readme.', false, accept);

    auth.store.get(data.sessionID, function(err, session){
      if(err)
        return auth.fail(data, 'Error in session store.', true, accept);
      if(!session)
        return auth.fail(data, 'No session found', false, accept);
      if(!session[auth.passport._key])
        return auth.fail(data, 'Passport was not initialized', true, accept);
      
      var userKey = session[auth.passport._key][auth.userProperty];

      if(!userKey)
        return auth.fail(data, 'User not authorized through passport. (User Property not found)', false, accept);

      auth.passport.deserializeUser(userKey, function(err, user) {
        if (err)
          return auth.fail(data, err, true, accept);
        if (!user)
          return auth.fail(data, "User not found", false, accept);
        data[auth.userProperty] = user;
        data[auth.userProperty].logged_in = true;
        auth.success(data, accept);
      });

    });
  };
}

function filterSocketsByUser(socketIo, filter){
  var handshaken = socketIo.sockets.manager.handshaken;
  return Object.keys(handshaken || {})
    .filter(function(skey){
      return filter(handshaken[skey].user);
    })
    .map(function(skey){
      return socketIo.sockets.manager.sockets.sockets[skey];
    });
}

exports.authorize = authorize;
exports.filterSocketsByUser = filterSocketsByUser;
remove connect and cookie dependency 2013-06-05 13:38:33 +02:00			`var xtend = require('xtend');`

			`function parseCookie(auth, cookieHeader) {`
			`var cookieParser = auth.cookieParser(auth.secret);`
			`var req = {`
			`headers:{`
			`cookie: cookieHeader`
			`}`
			`};`
			`var result;`
			`cookieParser(req, {}, function (err) {`
			`if (err) throw err;`
			`result = req.signedCookies;`
			`});`
			`return result;`
			`}`
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 18:13:28 +02:00
			`function authorize(options) {`
fix #6 use same parameters than express.session 2013-02-05 23:15:04 +01:00			`var defaults = {`
remove connect and cookie dependency 2013-06-05 13:38:33 +02:00			`passport: require('passport'),`
			`key: 'connect.sid',`
			`secret: null,`
			`store: null,`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00			`success: function(data, accept){accept(null, true)},`
close socket.io by default 2013-11-15 10:41:53 +01:00			`fail: function(data, message, critical, accept){accept(null, false)}`
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 18:13:28 +02:00			`};`
initial 2012-09-05 20:14:36 +02:00
a little simpler 2013-11-15 10:47:51 +01:00			`var auth = xtend(defaults, options);`
Allow 0 value for serialized user (id) 2013-06-30 21:06:21 +02:00
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 18:13:28 +02:00			`auth.userProperty = auth.passport._userProperty \|\| 'user';`
initial 2012-09-05 20:14:36 +02:00
a little simpler 2013-11-15 10:47:51 +01:00			`if (!auth.cookieParser) {`
remove connect and cookie dependency 2013-06-05 13:38:33 +02:00			`throw new Error('cookieParser is required use connect.cookieParser or express.cookieParser');`
			`}`

initial 2012-09-05 20:14:36 +02:00			`return function(data, accept){`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00			`data.cookie = parseCookie(auth, data.headers.cookie \|\| '');`
step 1 2013-11-19 10:45:09 +01:00			`data.sessionID = data.query.session_id \|\| data.cookie[auth.key] \|\| '';`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00			`data[auth.userProperty] = {`
			`logged_in: false`
			`};`
initial 2012-09-05 20:14:36 +02:00
step 1 2013-11-19 10:45:09 +01:00			`if(data.xdomain && !data.sessionID)`
			`return auth.fail(data, 'Can not read cookies from CORS-Requests. See CORS-Workaround in the readme.', false, accept);`
initial 2012-09-05 20:14:36 +02:00
fix #6 use same parameters than express.session 2013-02-05 23:15:04 +01:00			`auth.store.get(data.sessionID, function(err, session){`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00			`if(err)`
			`return auth.fail(data, 'Error in session store.', true, accept);`
			`if(!session)`
			`return auth.fail(data, 'No session found', false, accept);`
thanks to @chill117 we can't check undefined for undefined 2013-11-14 21:48:01 +01:00			`if(!session[auth.passport._key])`
			`return auth.fail(data, 'Passport was not initialized', true, accept);`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00
			`var userKey = session[auth.passport._key][auth.userProperty];`

			`if(!userKey)`
			`return auth.fail(data, 'User not authorized through passport. (User Property not found)', false, accept);`
initial 2012-09-05 20:14:36 +02:00
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 18:13:28 +02:00			`auth.passport.deserializeUser(userKey, function(err, user) {`
fixed a security issue 2013-11-18 15:36:52 +01:00			`if (err)`
			`return auth.fail(data, err, true, accept);`
			`if (!user)`
			`return auth.fail(data, "User not found", false, accept);`
major changes passport.socketio now lets the user decide whether to accept a connection or not. to do so, you have tu provide your own 'fail'-method. this will be called unless the user is successfuly authenticated (still uses the 'success'-method). The method will be called with four parameters: - data: <Object> Handshake Data - message <String> Error-Message - critical <Bool> True if the User is and will be unable to use socket.io because of errors in the authorization-system or somewhere else. False if the user would still be able to use the system (indicates that he's just not logged-in) - accept: <function> plain old accept function. If there's no fail-method given, passport.socketio allows every not-critical-failed connection. Also there is now a 'logged_in' <Bool>-Property inside your User-Key. 2013-11-06 18:19:00 +01:00			`data[auth.userProperty] = user;`
			`data[auth.userProperty].logged_in = true;`
			`auth.success(data, accept);`
initial 2012-09-05 20:14:36 +02:00			`});`

			`});`
			`};`
			`}`

			`function filterSocketsByUser(socketIo, filter){`
			`var handshaken = socketIo.sockets.manager.handshaken;`
			`return Object.keys(handshaken \|\| {})`
			`.filter(function(skey){`
			`return filter(handshaken[skey].user);`
			`})`
			`.map(function(skey){`
			`return socketIo.sockets.manager.sockets.sockets[skey];`
			`});`
			`}`

			`exports.authorize = authorize;`
added option of success or fail callbacks. Needed to still allow users access to sockets even if they weren't logged in, but needed specific data if they were. 2012-10-26 18:13:28 +02:00			`exports.filterSocketsByUser = filterSocketsByUser;`