# Socket.io Tutorial
When using real-time frameworks like Socket.io, authentication is very important. If handled incorrectly, improper authentication could allow a malicious user to hijack the stream and obtain all user information.

For best security, configure Socket.io to work with JWT and particularly with Auth0.

Here is a sample project that uses Express and Socket.io and handles authentication using JSON Web Tokens (JWT).

Create a token containing the user's profile information:
```js
var express = require('express');
var http = require('http');
var jwt = require('jsonwebtoken');
// other requires

var app = express();

// the signing secret lives only on the server (read it from the environment, never commit it)
var jwtSecret = process.env.JWT_SECRET;

app.post('/login', function (req, res) {
  // TODO: validate the user
  var profile = {
    first_name: 'John',
    last_name: 'Doe',
    email: '[email protected]',
    id: 123
  };
  // send the profile in the token; expiresIn is in seconds (five hours here)
  var token = jwt.sign(profile, jwtSecret, { expiresIn: 60*60*5 });
  res.json({token: token});
});

var server = http.createServer(app);
```
For authentication, use the global authorization callback on Socket.io:
```js
var socketIo = require('socket.io');
var socketioJwt = require('socketio-jwt');

var sio = socketIo.listen(server);

// every handshake must carry a token signed with jwtSecret;
// a rejected handshake never reaches the 'connection' handler
sio.set('authorization', socketioJwt.authorize({
  secret: jwtSecret,
  handshake: true
}));

sio.sockets
  .on('connection', function (socket) {
    // socketio-jwt attaches the verified claims to the handshake
    console.log(socket.handshake.decoded_token.email, 'connected');
    //socket.on('event');
  });

server.listen(9000, function () {
  console.log('listening on http://localhost:9000');
});
```
This example uses a simple module (socketio-jwt) for handling JWT. This module expects the JWT in the query string during the handshake. The JWT is signed with the jwtSecret, which is stored only on the server. If the client sends a valid JWT, the handshake completes successfully and the connection event is triggered; otherwise the handshake is rejected and no socket is ever created for that client.
Here is the JavaScript client-side code that uses the Socket.io server:

```js
function connect_socket (token) {
  // the token is sent in the handshake query string, where socketio-jwt reads it
  var socket = io.connect('', {
    query: 'token=' + token
  });
  socket.on('connect', function () {
    // only fires after the server accepted the handshake, i.e. the token verified
    console.log('authenticated');
  }).on('disconnect', function () {
    console.log('disconnected');
  });
}

$('#login').submit(function (e) {
  e.preventDefault();
  $.post('/login', {
    username: $('#username').val(),
    password: $('#password').val()
  }).done(function (result) {
    connect_socket(result.token);
  });
});
```
This method is much simpler than using cookies and sessions, and it is much easier to implement across different technologies.