This repository has been archived on 2024-11-11. You can view files and clone it, but cannot push or open issues or pull requests.
socketio-jwt/README.md
divlo a14d4e937b feat: usage of auth option to send credentials
BREAKING CHANGE: extraHeaders with Authorization doesn't work anymore

See: https://socket.io/docs/v3/middlewares/#Sending-credentials
2021-02-22 13:00:53 +01:00

4.2 KiB

Thream/socketio-jwt

Authenticate socket.io incoming connections with JWTs.

Node.js CI codecov Dependabot badge npm version TypeScript Standard Style Licence MIT Conventional Commits Contributor Covenant

📜 About

Authenticate socket.io incoming connections with JWTs.

Compatible with socket.io >= 3.0.0.

This repository was originally forked from auth0-socketio-jwt & it is not intended to take any credit but to improve the code from now on.

💾 Install

npm install --save @thream/socketio-jwt

⚙️ Usage

Server side

import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'

const io = new Server(9000)
io.use(
  authorize({
    secret: 'your secret or public key'
  })
)

io.on('connection', async (socket) => {
  // jwt payload of the connected client
  console.log(socket.decodedToken)
  const clients = await io.sockets.allSockets()
  if (clients != null) {
    for (const clientId of clients) {
      const client = io.sockets.sockets.get(clientId)
      client?.emit('messages', { message: 'Success!' })
      // we can access the jwt payload of each connected client
      console.log(client?.decodedToken)
    }
  }
})

Server side with jwks-rsa (example)

import jwksClient from 'jwks-rsa'
import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'

const client = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
})

const io = new Server(9000)
io.use(
  authorize({
    secret: async (decodedToken) => {
      const key = await client.getSigningKeyAsync(decodedToken.header.kid)
      return key.getPublicKey()
    }
  })
)

io.on('connection', async (socket) => {
  // jwt payload of the connected client
  console.log(socket.decodedToken)
  // You can do the same things of the previous example there...
})

authorize options

  • secret is a string containing the secret for HMAC algorithms, or a function that should fetch the secret or public key as shown in the example with jwks-rsa.
  • algorithms (default: HS256)

Client side

import { io } from 'socket.io-client'

// Require Bearer Token
const socket = io('http://localhost:9000', {
  auth: { token: `Bearer ${yourJWT}` }
})

// Handling token expiration
socket.on('connect_error', (error) => {
  if (error.data.type === 'UnauthorizedError') {
    console.log('User token has expired')
  }
})

// Listening to events
socket.on('messages', (data) => {
  console.log(data)
})

💡 Contributing

Anyone can help to improve the project, submit a Feature Request, a bug report or even correct a simple spelling mistake.

The steps to contribute can be found in the CONTRIBUTING.md file.

📄 License

MIT