Forcing a client to disconnect when authtoken is null or invalid.

[d-m-cc]

Hi @jondubois and the SocketCluster crew!
I've been experimenting with SocketCluster to get a feel for how to work with the framework. So far, everything has come naturally but I do have a question:

I'd like to force a client to disconnect when/if the auth token is not specified (null) or invalid. I'm wondering where the best place (best practice) to do this is given that there are multiple events to hook into where I could conceivably do this:

For example, I could do the following, but is this recommended?

scServer.on('badSocketAuthToken', function (socket, tokenData) {
  socket.disconnect(4004, 'Invalid or missing auth token provided');
});

Alternatively, I could do the following:

scServer.on('connection', function (socket, status) {
  if (!status.isAuthenticated) {
    socket.disconnect(4004, 'Invalid or missing auth token provided');
  }
});

Or, alternatively, on the socket.on('connect') event.
Additionally, I'm guessing I could do this in middleware such as in MIDDLEWARE_AUTHENTICATE? (doubtful because I believe MIDDLEWARE_AUTHENTICATE only runs on successful auth token?)

Ultimately, I'm trying to achieve kicking off a client that does not have a valid auth token, as right now it appears the client stays connected to the server (just unauthenticated). Is this correct?
Suggestions around best practices about doing this are much appreciated.
Thanks!

[jondubois]

@dwmcc Yes, by default the socket doesn't need to be authenticated to connect to the server.

• badSocketAuthToken means that the client provided a token as part of the handshake but that token was invalid; if no token was provided, then this event will not trigger.
• MIDDLEWARE_AUTHENTICATE only executes if the socket token was valid; it's useful if you want to add additional authentication steps in addition to SC's JWT validation. Not useful for your use case.
• Using scServer.on('connection', ...) and socket.on('connect', ...) to check for the token and disconnect if not present are both good approaches.

If you want to optimize things further, you can also specify a query object when creating the socket on the client side which contains some kind of token. You will then be able to access the token from the query object from the server-side inside the MIDDLEWARE_HANDSHAKE_WS handshake; this is the first middleware which runs before the socket starts connecting; so it's the most efficient place to quickly kill connections. The req object passed to the middleware function in this case is a Node.js HTTP request (IncomingMessage object); so you can parse the query from req.url.

Using MIDDLEWARE_HANDSHAKE_WS may be overkill for most use cases.

[d-m-cc]

@jondubois fantastic -- thank you for your suggestions!