```
const JWTOptions: JwtAuthOptions = {
  secret: process.env.JWT_SECRET as string,
  timeout: 5_000,
  decodedPropertyName: 'decodedToken',
};
```
Without the change I made and the options snippet above, where the secret is actually "undefined" because the .env file wasn't loaded yet, you get a really weird situation that's very hard to debug.
With "undefined" used as secret the client will successfully connect and send its "authenticate" event without a problem. But the server will not do anything. No errors, no timeouts, nothing.
Try to get the token from query string, which is stored in the socket's "handshake" object.
This should fix #95 and be a more elegant (say valid) approach.
On socket authenticate, should check that the data.token exists and if it is the desired type?
```
socket.emit( 'authenticate', {token: {} }); // will crash server if sent from client-side.
```
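An added example, not code from any of the projects quoted here, covering the two failure modes described above: a secret that is `undefined` when the options are built, and a non-string `token` in the `authenticate` payload. The names `requireSecret`, `createAuthenticateHandler` and the injected `verify(token, secret)` callback are hypothetical; `verify` is assumed to return the decoded payload or throw.

```javascript
// Added example. requireSecret, createAuthenticateHandler and the injected
// verify(token, secret) callback are hypothetical names, not a library API.

function requireSecret(secret) {
  // process.env.JWT_SECRET is undefined until the .env file has been loaded;
  // the literal string 'undefined' shows up if it was coerced on the way.
  if (typeof secret !== 'string' || secret.length === 0 || secret === 'undefined') {
    throw new Error('JWT secret is missing: load configuration before building auth options');
  }
  return secret;
}

function createAuthenticateHandler({ secret, verify, maxTokenLength = 4096 }) {
  const key = requireSecret(secret); // fails at startup, not silently at first connect
  if (typeof verify !== 'function') throw new TypeError('verify must be a function');

  // Returns { ok: true, decoded } or { ok: false, reason }.
  // Client-controlled input never reaches verify() unless it is a plausible token.
  return function onAuthenticate(data) {
    if (data === null || typeof data !== 'object') {
      return { ok: false, reason: 'payload_not_object' };
    }
    const token = data.token;
    if (typeof token !== 'string') return { ok: false, reason: 'token_not_string' };
    if (token.length === 0 || token.length > maxTokenLength) {
      return { ok: false, reason: 'token_bad_length' };
    }
    // Assumption: tokens are compact JWS, three non-empty base64url segments.
    if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(token)) {
      return { ok: false, reason: 'token_malformed' };
    }
    try {
      return { ok: true, decoded: verify(token, key) };
    } catch (err) {
      return { ok: false, reason: 'verification_failed' };
    }
  };
}

// Constructed demo: a stand-in verifier that accepts exactly one token.
const demo = createAuthenticateHandler({
  secret: 'constructed-demo-secret',
  verify: (token) => {
    if (token !== 'aaa.bbb.ccc') throw new Error('bad signature');
    return { sub: 'demo-user' };
  },
});
console.log(demo({ token: {} }));            // rejected before verify() runs
console.log(demo({ token: 'aaa.bbb.ccc' })); // accepted by the stand-in verifier
```

Returning a reason code for every rejection also gives the server something to log or send back, instead of the silent no-response behaviour described above.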
Next step would not execute because no function(socket, next) was returned in case of successful verification in the 'one roundtrip' (handshake) approach.
Returning auth.success instead of just executing it solves this.
Fixes #51
* Optional authentication is useful when you wish to serve both secure and unsecured services via the same server socket
* The ability to specify an additional function to be called to further validate the token is useful when you wish to be able to expire tokens for some reason
passport.socketio now lets the user decide whether to accept a
connection or not. To do so, you have to provide your own 'fail'-method.
This will be called unless the user is successfully authenticated (still
uses the 'success'-method). The method will be called with four
parameters:
- data: <Object> Handshake Data
- message: <String> Error-Message
- critical: <Bool> True if the User is and will be unable to use
  socket.io because of errors in the authorization-system or somewhere
  else. False if the user would still be able to use the system (indicates
  that he's just not logged-in)
- accept: <function> plain old accept function.

If there's no fail-method given, passport.socketio allows every
not-critical-failed connection.
Also there is now a 'logged_in' <Bool>-Property inside your User-Key.