How to validade an API token outside of a HTTP request

[un-versed]

It's possible to check an api token outside of a HTTP request?

I'm trying to implement socket.io server in my existing adonis application, but I didn't figure out how to authenticate the socket.io connection.

I already have the token input, I just need to verify it

Ws.io.use((socket, next) => {
  const token = socket.handshake.auth.token

  if (token) {
    console.log(token)
  }
  
  next()
})

Any tips on this?

[RomainLanz]

Hey @un-versed! 👋🏻

For the moment, you cannot use the auth module outside of the HTTP Context.
What you have to do is do some manual verification by checking the database or your redis server to ensure the token is valid.

[un-versed]

Any tips on how Adonis encrypt/decrypt the tokens before sending to client?

I can't figure out how the first part of the token is encrypted. The second part, is a sha256, but the what does the first part mean?

My token is being generated like this:
[xxx].[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]

After decrypting the hash, I could just search for it on my database?

[tavaresgerson]

Hi @un-versed!

I resolve this problem with sending user's credentials in query/auth, for example:

Client:

this.socket = io('http://localhost:3333', {
  transports: ['polling', 'websocket'],
  auth: {
    email: 'johndoe@mail.com',
    password: 'yourPass',
  },
}).connect()

Server:

class Ws {
  public io: Server
  private booted = false

  public boot () {
    if (this.booted) {
      return
    }

    this.booted = true
    this.io = new Server(AdonisServer.instance!, {
      cors: {
        origin: '*',
      },
      allowEIO3: true,
    })

    this.io.use(async (socket, next) => {
      const { email, password } = socket.handshake.auth
      const authorized = await this.check(email, password)

      // Check if account exists and is valid
      if (authorized) {
        return false
      }

      next()
    })
  }

  private async check (email, password) {
    const user = await User.findByOrFail('email', email)
    return !(await Hash.verify(user.password, password))
  }
}

export default new Ws()

Don't worry about credentials being passed, connecting with SSL/HTTPs will not make this information visible.

I used with reference the documentation in here - https://docs.adonisjs.com/cookbooks/socketio-with-adonisjs

Take care!

[simo97]

i do it the same way