This repository has been archived by the owner on Mar 22, 2022. It is now read-only.

Stateless socket auth #517

Closed
marshallswain opened this issue May 25, 2017 · 3 comments

@marshallswain
Member

This would optionally make feathers-socketio work the same as feathers-rest. With REST calls, you pass the token in every request in a header. Socket requests don't send headers, but it would be nice to be able to pass a client param with an accessToken and have just that single request be authenticated. This would make WebSocket-based SSR much simpler.

@Avnerus

Avnerus commented Aug 27, 2017

Hi! I tried to implement this myself and it seemed to work, but I would like to make sure I did it right. I could make a pull request after your comments.
Basically I have an alarm clock service using mongoose and with the hook:

    app.service('alarms').before({
      find: [
        authHooks.queryWithCurrentUser()
      ]
    });

It works statefully with socketio from the client, if I call authenticate first with a JWT token.
I understood that if I want it to work with stateless auth (for SSR), I should add the auth hook to the stateless service. Thus it became:

    app.service('alarms').before({
      find: [
        authentication.hooks.authenticate(['jwt']),
        authHooks.queryWithCurrentUser()
      ]
    });

Then from node I just add {accessToken: xxxx} to my socket call (I get the token from the cookie after verifying it).
However, the authenticate hook couldn't extract the JWT token from the socket call. I noticed it builds the request for passport to extract the JWT from. But request.body gets populated with hook.data, which works only on a dedicated authentication request. On a standard request, the accessToken would be in hook.params.query. Thus I added the following line before building the request here:

    if (hook.params.provider == "socketio" && !hook.data.strategy) {
        hook.data = hook.params.query;
    }

That seemed to be enough for everything to work and I can use authenticated socket requests from node to do SSR.
What do you think?
/Avner

@Avnerus

Avnerus commented Aug 29, 2017

So, it's a bit more complicated than that. I had to also make sure to delete query.accessToken after usage, because otherwise it would interfere with the query. Unfortunately that makes the experience a bit less seamless.
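
The cleanup described in the comment above, as an added example that is not part of the original thread or of the Feathers code base: a function shaped like a "before" hook that takes the per-request token out of the socket query so it never reaches the database query. The names `liftSocketToken` and `TOKEN_FIELD`, and the choice of `hook.params.accessToken` as the destination, are assumptions made for illustration; where the authentication step actually reads the token from depends on the library version.

```javascript
// Added example (hypothetical names), operating on plain hook-shaped objects.
const TOKEN_FIELD = 'accessToken';

function liftSocketToken(hook) {
  const params = hook.params || {};
  const query = params.query;

  // Only per-request socket calls are handled: REST sends the token in a
  // header, and a dedicated authentication request carries a strategy.
  if (params.provider !== 'socketio') return hook;
  if (hook.data && hook.data.strategy) return hook;
  if (!query || !Object.prototype.hasOwnProperty.call(query, TOKEN_FIELD)) {
    return hook;
  }

  const token = query[TOKEN_FIELD];

  // Rebuild the query without the token instead of mutating the caller's
  // object, so later hooks and the database adapter never see the field.
  const { [TOKEN_FIELD]: _removed, ...rest } = query;
  hook.params = { ...params, query: rest };

  // Socket payloads are JSON, so the field can arrive as an object or an
  // array. Keep it only when it is a non-empty string; anything else is
  // dropped and the request proceeds unauthenticated to the auth check.
  if (typeof token === 'string' && token.length > 0) {
    hook.params[TOKEN_FIELD] = token; // assumed destination, see lead-in
  }
  return hook;
}
```

Registered ahead of the authentication hook, this keeps the token out of `params.query` for the whole hook chain rather than deleting it after use.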

@daffl
Member

daffl commented May 8, 2019

This has been done in Feathers v4 authentication.

Please see the migration guide for more information. Closing this issue in order to archive this repository. Related issues can be opened at the new code location in the Feathers main repository.

@daffl daffl closed this as completed May 8, 2019