No way to share token between socket-rest-express #607

Closed
yd021976 opened this Issue Nov 18, 2017 · 2 comments


yd021976 commented Nov 18, 2017

Steps to reproduce

Context
I have a web SPA that consumes Feathers services via socket.io, and users authenticate via socket.io.
My SPA also sometimes needs to access "static" resources (Express routes) that require an authenticated user.
Access to static resources via simple HTML tags like "img" should/must automatically pass the auth token.

--> So the question is: how can I authenticate users via socket.io and then access an Express mount point without authenticating again?

Server side (just the Express mount point, because the whole auth mechanism and service access over sockets work great):

```js
app.use('/uploads', auth.express.authenticate('jwt'), feathers.static(app.get('uploads')));
```

Client side (once the user is authenticated via socket.io):

```html
<img src="http://localhost:3030/uploads/myBeatifullImage.png">
```

==> This doesn't work: Feathers returns a 401 because no token is sent.

Expected behavior

Once the user is authenticated, authentication should work (with a cookie or other means) whether via sockets, REST or Express.

Actual behavior

Once authenticated via socket.io, I can see the token in localStorage, but no cookie is set.
Even if I manually/programmatically set the cookie after authentication, when I want to access static resources, feathers-authentication does not read the cookie and falls back to 401 "not authorized".

My current workaround is (potentially a security hole):

1. Client side, after authentication:

```js
var auth = this.client.service('authentication');
// Create the feathers-jwt cookie so that plain HTTP requests are authenticated
let d = new Date();
let numOfDays = 1;
d.setTime(d.getTime() + (numOfDays * 24 * 60 * 60 * 1000)); // expire in one day
let expires = "expires=" + d.toUTCString(); // attribute name must be spelled "expires" or it is ignored
let cookieName = "feathers-jwt"; // TODO send this from the server somehow
document.cookie = cookieName + "=" + this.authToken + ";" + expires + ";path=/";
```

2. Server side, for my static resources:

```js
const ck = require('cookie'); // the "cookie" package listed below

app.use(
  '/uploads',
  // we need the Cookie header to get the access token and then authenticate the user
  // NOTE: this may be a security hole
  // TODO create a question and check the answer on stackoverflow
  function(req, res, next) {
    // cookie.parse() throws on a non-string, so default to '' when no Cookie header is present
    var cookies = ck.parse(req.headers.cookie || '');
    let cookieName = app.get('authentication').cookie.name;
    if (cookies[cookieName]) {
      // expose the cookie value as a Bearer token for the jwt strategy below
      req.headers.authorization = "Bearer " + cookies[cookieName];
    }
    next();
  },
  auth.express.authenticate('jwt'),
  feathers.static(app.get('uploads'))
);
```

System configuration

Tell us about the applicable parts of your setup.

Module versions (especially the part that's not working):

```json
"body-parser": "^1.17.2",
"compression": "^1.6.2",
"cookie": "^0.3.1",
"cors": "^2.8.3",
"feathers": "^2.1.4",
"feathers-authentication": "^1.2.6",
"feathers-authentication-hooks": "^0.1.4",
"feathers-authentication-jwt": "^0.3.1",
"feathers-authentication-local": "^0.4.3",
"feathers-blob": "^1.3.1",
"feathers-configuration": "^0.4.1",
"feathers-errors": "^2.8.1",
"feathers-hooks": "^2.0.1",
"feathers-hooks-common": "^3.5.5",
"feathers-nedb": "^2.7.0",
"feathers-rest": "^1.8.1",
"feathers-socketio": "^2.0.0",
"fs-blob-store": "^5.2.1",
"googleapis": "^20.0.1",
"helmet": "^3.6.1",
"mmmagic": "^0.4.5",
"multer": "^1.3.0",
"nedb": "^1.8.0",
"pdf-image": "^1.1.0",
"pdf2img": "^0.5.0",
"serve-favicon": "^2.4.3",
"winston": "^2.3.1"
```

NodeJS version: v6.10.3

Operating System: macos high sierra

Browser Version: Safari 11
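The cookie-to-Authorization bridge that the workaround above relies on, as an added, framework-free example (not code from this issue or from Feathers). It parses the Cookie header without throwing on a missing header, never overwrites an Authorization header the client already sent, and builds the client-side cookie string with a correctly spelled `expires` attribute plus `Secure` and `SameSite=Lax`. The names `parseCookieHeader`, `cookieToBearer` and `buildJwtCookie` are assumptions made for this illustration.

```javascript
// Parse a Cookie header ("a=1; b=2") into an object; a missing header yields {}.
// The first occurrence of a name wins, so a later duplicate cannot replace it.
function parseCookieHeader(header) {
  const out = {};
  if (typeof header !== 'string') return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in out)) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Express-style middleware factory (hypothetical name). If the request carries no
// Authorization header but does carry the configured JWT cookie, expose the token as
// "Bearer <token>" so a downstream jwt strategy (auth.express.authenticate('jwt')
// in the issue) can verify it. Only the one configured cookie name is consulted.
function cookieToBearer(cookieName) {
  return function (req, res, next) {
    if (!req.headers.authorization) {
      const cookies = parseCookieHeader(req.headers.cookie);
      if (cookies[cookieName]) {
        req.headers.authorization = 'Bearer ' + cookies[cookieName];
      }
    }
    next();
  };
}

// Client side: build the string to assign to document.cookie. "expires" must be
// spelled exactly, otherwise the browser ignores it and drops the cookie at session
// end. Secure keeps it off plain HTTP (use HTTPS in deployment) and SameSite=Lax keeps
// it off cross-site subresource requests such as <img> tags on other origins.
function buildJwtCookie(cookieName, token, days, now = new Date()) {
  const exp = new Date(now.getTime() + days * 24 * 60 * 60 * 1000);
  return `${cookieName}=${encodeURIComponent(token)}; expires=${exp.toUTCString()}` +
    '; path=/; Secure; SameSite=Lax';
}
```

Because the cookie is written from page script, it cannot be HttpOnly; the token stays readable by any script running on the page, exactly as it is in localStorage.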

yd021976 commented Nov 19, 2017

In addition, I have the same problem if I use the REST client to authenticate the user in my web SPA.
1 - Authenticate the user with REST ==> the user is authenticated, and the cookie "feathers-jwt" is created
2 - then, a simple can't be granted with the cookie

Am I wrong?

daffl commented Jan 22, 2018

There is now a recipe showing how to use Feathers authentication with Express middleware (including server side rendering) at https://docs.feathersjs.com/guides/auth/recipe.express-middleware.html
