Close the socket when authentication expires #260

Closed
dominykas opened this issue Nov 20, 2018 · 1 comment

@dominykas (Contributor) commented Nov 20, 2018

When a websocket requires authentication, and the server uses some sort of token-based authentication, the credentials usually have a limited lifetime. The nes clients are free to overrideReconnectionAuth() and provide new credentials for the case when the websocket drops; however, if the websocket does not drop, the server side still assumes the old credentials. This means that the websocket is open to send/receive information even though the client may no longer have valid credentials, which could be a security issue in some contexts.

Proposal

  • Registration options should accept an auth.expiresAt callback.
  • When the authentication endpoint accepts valid credentials, it should run const expiresAt = await auth.expiresAt(request.auth);. After the client authenticates, the server should run const expiresAt = await auth.expiresAt(credentials, artifacts);.
  • The websocket should be closed on the server side at expiresAt time. undefined means never expire.
  • When the client calls overrideReconnectionAuth() reauthenticate(), it should also make a request to the authentication endpoint, so that the server can update the expiresAt time and extend the websocket lifetime.
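The proposal in the comment above, written out as an added example (this is not code from nes or hapi): the server records an expiry when the socket authenticates, closes the socket at that time, and extends the deadline only when reauthentication presents credentials that validate. The validate and expiresAt callbacks, the clock abstraction, the 4001 close code and the token table are all assumptions made for the illustration. It also covers a failure mode the proposal does not mention: Node clamps setTimeout delays above 2^31-1 ms (about 24.8 days) to 1 ms, so a deadline armed with a single long timer would close the socket immediately.

```javascript
'use strict';

// Added example, not code from nes or hapi. validate/expiresAt/clock and the
// token table below are assumptions made for the illustration.

// Node clamps setTimeout delays above 2^31-1 ms to 1 ms, so a far-future
// deadline is armed in hops and re-checked against the clock on each hop.
const MAX_TIMER_DELAY = 2 ** 31 - 1;

class ExpiringSocket {
  // socket:    anything with close(code, reason)
  // validate:  async (credentials) => { credentials, artifacts }; throws if invalid
  // expiresAt: async (credentials, artifacts) => epoch ms | Date | undefined (never)
  // clock:     { now, setTimer, clearTimer }; defaults to real timers
  constructor(socket, { validate, expiresAt, clock }) {
    this.socket = socket;
    this.validate = validate;
    this.expiresAtFn = expiresAt;
    this.clock = clock || { now: Date.now, setTimer: setTimeout, clearTimer: clearTimeout };
    this.auth = null;           // credentials the server currently trusts on this socket
    this.expiresAt = undefined; // epoch ms, or undefined for "never"
    this.closed = false;
    this.timer = null;
  }

  // Initial authentication and reauthentication take the same path: nothing
  // about the socket changes unless validate() accepts the new credentials.
  async authenticate(credentials) {
    if (this.closed) throw new Error('socket already closed');
    const { credentials: trusted, artifacts } = await this.validate(credentials);
    const expiry = await this.expiresAtFn(trusted, artifacts);
    this.disarm();
    this.auth = trusted;
    this.expiresAt = expiry instanceof Date ? expiry.getTime() : expiry;
    if (this.expiresAt !== undefined) this.arm();
    return this.expiresAt;
  }

  reauthenticate(credentials) { return this.authenticate(credentials); }

  arm() {
    const remaining = this.expiresAt - this.clock.now();
    if (remaining <= 0) return this.expire();
    this.timer = this.clock.setTimer(() => { this.timer = null; this.arm(); },
                                     Math.min(remaining, MAX_TIMER_DELAY));
  }

  disarm() {
    if (this.timer !== null) { this.clock.clearTimer(this.timer); this.timer = null; }
  }

  // Expiry is decided server-side; 4000-4999 are application close codes (RFC 6455).
  expire() {
    this.disarm();
    this.auth = null;
    this.closed = true;
    this.socket.close(4001, 'authentication expired');
  }
}

// Deterministic clock so the scenario below runs instantly and offline.
class FakeClock {
  constructor() { this.t = 0; this.timers = new Map(); this.seq = 0; }
  now() { return this.t; }
  setTimer(fn, delay) { this.timers.set(++this.seq, { at: this.t + delay, fn }); return this.seq; }
  clearTimer(id) { this.timers.delete(id); }
  advance(ms) {                          // fire every timer due by t + ms, in order
    const target = this.t + ms;
    for (;;) {
      const due = [...this.timers].filter(([, x]) => x.at <= target).sort((a, b) => a[1].at - b[1].at)[0];
      if (!due) break;
      const [id, { at, fn }] = due;
      this.timers.delete(id);
      this.t = at;
      fn();
    }
    this.t = target;
  }
}

// Constructed token table: token -> expiry on the fake clock (ms); undefined = never.
const TOKENS = { 'tok-1': 60_000, 'tok-2': 120_000, 'tok-far': 90 * 24 * 3_600_000, eternal: undefined };

function makeSocket(clock, events) {
  return new ExpiringSocket({ close: (code, reason) => events.push(`close ${code} ${reason}`) }, {
    validate: async (token) => {
      if (!(token in TOKENS)) throw new Error('invalid token');
      return { credentials: { token }, artifacts: { expiresAt: TOKENS[token] } };
    },
    expiresAt: async (credentials, artifacts) => artifacts.expiresAt,
    clock,
  });
}

async function runScenario() {
  const clock = new FakeClock();
  const events = [];
  const sock = makeSocket(clock, events);
  await sock.authenticate('tok-1');                       // trusted until t = 60 s
  clock.advance(30_000);
  const rejected = await sock.reauthenticate('bogus').then(() => false, () => true);
  const deadlineAfterReject = sock.expiresAt;             // unchanged: 60 000
  await sock.reauthenticate('tok-2');                     // extended to t = 120 s
  clock.advance(59_000);                                  // t = 89 s: old deadline passed, still open
  const openAfterOldDeadline = !sock.closed;
  clock.advance(31_000);                                  // t = 120 s: server closes the socket
  const authAfterClose = await sock.authenticate('tok-1').then(() => 'accepted', (e) => e.message);

  const farClock = new FakeClock();
  const far = makeSocket(farClock, []);
  await far.authenticate('tok-far');                      // 90 days, beyond a single setTimeout
  farClock.advance(30 * 24 * 3_600_000);
  const farOpenAt30d = !far.closed;
  farClock.advance(60 * 24 * 3_600_000);

  const forever = makeSocket(new FakeClock(), []);
  const neverExpires = await forever.authenticate('eternal');

  return { rejected, deadlineAfterReject, openAfterOldDeadline, events, authAfterClose,
           farOpenAt30d, farClosedAt90d: far.closed, farHops: farClock.seq, neverExpires,
           foreverHasTimer: forever.timer !== null };
}

runScenario().then((r) => console.log(r));
```

Two design points matter for the security property the issue raises. First, a rejected reauthentication leaves the old deadline untouched instead of resetting it, so a client cannot keep a socket alive by sending garbage to the auth endpoint. Second, the expiry timer is re-armed from the clock on every hop, which both works around the setTimeout clamp and means the check is against the recorded expiresAt rather than against whatever delay happened to be scheduled.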
@hueniverse (Member) commented Nov 23, 2018

@dominykas This is mostly done now. Need to update the API doc. Requires hapi v17.8.1 which is reflected in the plugin requirements.

hueniverse added a commit that referenced this issue Nov 24, 2018