220 lines
5.7 KiB
Markdown
220 lines
5.7 KiB
Markdown
[![Build Status](https://travis-ci.org/auth0/socketio-jwt.svg)](https://travis-ci.org/auth0/socketio-jwt)
|
|
|
|
Authenticate socket.io incoming connections with JWTs. This is useful if you are build a single page application and you are not using cookies as explained in this blog post: [Cookies vs Tokens. Getting auth right with Angular.JS](http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/).
|
|
|
|
## Installation
|
|
|
|
```
|
|
npm install socketio-jwt
|
|
```
|
|
|
|
## Example usage
|
|
|
|
```javascript
|
|
// set authorization for socket.io
|
|
io.sockets
|
|
.on('connection', socketioJwt.authorize({
|
|
secret: 'your secret or public key',
|
|
timeout: 15000 // 15 seconds to send the authentication message
|
|
})).on('authenticated', function(socket) {
|
|
//this socket is authenticated, we are good to handle more events from it.
|
|
console.log('hello! ' + socket.decoded_token.name);
|
|
});
|
|
```
|
|
|
|
**Note:** If you are using a base64-encoded secret (e.g. your Auth0 secret key), you need to convert it to a Buffer: `Buffer('your secret key', 'base64')`
|
|
|
|
__Client side__:
|
|
|
|
```javascript
|
|
var socket = io.connect('http://localhost:9000');
|
|
socket.on('connect', function () {
|
|
socket
|
|
.emit('authenticate', {token: jwt}) //send the jwt
|
|
.on('authenticated', function () {
|
|
//do other things
|
|
})
|
|
.on('unauthorized', function(msg) {
|
|
console.log("unauthorized: " + JSON.stringify(msg.data));
|
|
throw new Error(msg.data.type);
|
|
})
|
|
});
|
|
```
|
|
|
|
## One roundtrip
|
|
|
|
The previous approach uses a second roundtrip to send the jwt, there is a way you can authenticate on the handshake by sending the JWT as a query string, the caveat is that intermediary HTTP servers can log the url.
|
|
|
|
```javascript
|
|
var io = require("socket.io")(server);
|
|
var socketioJwt = require("socketio-jwt");
|
|
|
|
//// With socket.io < 1.0 ////
|
|
io.set('authorization', socketioJwt.authorize({
|
|
secret: 'your secret or public key',
|
|
handshake: true
|
|
}));
|
|
//////////////////////////////
|
|
|
|
//// With socket.io >= 1.0 ////
|
|
io.use(socketioJwt.authorize({
|
|
secret: 'your secret or public key',
|
|
handshake: true
|
|
}));
|
|
///////////////////////////////
|
|
|
|
io.on('connection', function (socket) {
|
|
// in socket.io < 1.0
|
|
console.log('hello!', socket.handshake.decoded_token.name);
|
|
|
|
// in socket.io 1.0
|
|
console.log('hello! ', socket.decoded_token.name);
|
|
})
|
|
```
|
|
|
|
For more validation options see [auth0/jsonwebtoken](https://github.com/auth0/node-jsonwebtoken).
|
|
|
|
__Client side__:
|
|
|
|
Append the jwt token using query string:
|
|
|
|
```javascript
|
|
var socket = io.connect('http://localhost:9000', {
|
|
'query': 'token=' + your_jwt
|
|
});
|
|
```
|
|
|
|
## Handling token expiration
|
|
|
|
__Server side__:
|
|
|
|
When you sign the token with an expiration time:
|
|
|
|
```javascript
|
|
var token = jwt.sign(user_profile, jwt_secret, {expiresInMinutes: 60});
|
|
```
|
|
|
|
Your client-side code should handle it as below.
|
|
|
|
__Client side__:
|
|
|
|
```javascript
|
|
socket.on("unauthorized", function(error) {
|
|
if (error.data.type == "UnauthorizedError" || error.data.code == "invalid_token") {
|
|
// redirect user to login page perhaps?
|
|
console.log("User's token has expired");
|
|
}
|
|
});
|
|
```
|
|
|
|
## Handling invalid token
|
|
|
|
Token sent by client is invalid.
|
|
|
|
__Server side__:
|
|
|
|
No further configuration needed.
|
|
|
|
__Client side__:
|
|
|
|
Add a callback client-side to execute socket disconnect server-side.
|
|
|
|
```javascript
|
|
socket.on("unauthorized", function(error, callback) {
|
|
if (error.data.type == "UnauthorizedError" || error.data.code == "invalid_token") {
|
|
// redirect user to login page perhaps or execute callback:
|
|
callback();
|
|
console.log("User's token has expired");
|
|
}
|
|
});
|
|
```
|
|
|
|
__Server side__:
|
|
|
|
To disconnect socket server-side without client-side callback:
|
|
|
|
```javascript
|
|
io.sockets.on('connection', socketioJwt.authorize({
|
|
secret: 'secret goes here',
|
|
// No client-side callback, terminate connection server-side
|
|
callback: false
|
|
}))
|
|
```
|
|
|
|
__Client side__:
|
|
|
|
Nothing needs to be changed client-side if callback is false.
|
|
|
|
__Server side__:
|
|
|
|
To disconnect socket server-side while giving client-side 15 seconds to execute callback:
|
|
|
|
```javascript
|
|
io.sockets.on('connection', socketioJwt.authorize({
|
|
secret: 'secret goes here',
|
|
// Delay server-side socket disconnect to wait for client-side callback
|
|
callback: 15000
|
|
}))
|
|
```
|
|
|
|
Your client-side code should handle it as below.
|
|
|
|
__Client side__:
|
|
|
|
```javascript
|
|
socket.on("unauthorized", function(error, callback) {
|
|
if (error.data.type == "UnauthorizedError" || error.data.code == "invalid_token") {
|
|
// redirect user to login page perhaps or execute callback:
|
|
callback();
|
|
console.log("User's token has expired");
|
|
}
|
|
});
|
|
```
|
|
|
|
## Getting the secret dynamically
|
|
You can pass a function instead of an string when configuring secret.
|
|
This function receives the request, the decoded token and a callback. This
|
|
way, you are allowed to use a different secret based on the request and / or
|
|
the provided token.
|
|
|
|
__Server side__:
|
|
|
|
```javascript
|
|
var SECRETS = {
|
|
'user1': 'secret 1',
|
|
'user2': 'secret 2'
|
|
}
|
|
|
|
io.use(socketioJwt.authorize({
|
|
secret: function(request, decodedToken, callback) {
|
|
// SECRETS[decodedToken.userId] will be used a a secret or
|
|
// public key for connection user.
|
|
|
|
callback(null, SECRETS[decodedToken.userId]);
|
|
},
|
|
handshake: false
|
|
}));
|
|
|
|
```
|
|
|
|
## Contribute
|
|
|
|
You are always welcome to open an issue or provide a pull-request!
|
|
|
|
Also check out the unit tests:
|
|
```bash
|
|
npm test
|
|
```
|
|
|
|
## Issue Reporting
|
|
|
|
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
|
|
|
|
## Author
|
|
|
|
[Auth0](auth0.com)
|
|
|
|
## License
|
|
|
|
This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.
|