allow access to handshake headers #648
Comments
Would like to have this as well. I think it might be better to say to 'set' the headers when making the request. |
The problem with expecting header changes is that certain transports don't allow them:
The only condition that would allow us to set specific headers is by forcing socket.io to only use XHR Polling |
I was expecting something similar to be able to authenticate the clients. Sending an authorization token (or a password) in the query string is not a good idea. |
I've created a module to send credentials in the body instead: https://github.com/invisiblejs/socketio-auth |
@rauchg can you explain that further, the documentation at https://github.com/Automattic/socket.io/wiki/authorizing#handshaking says:
Because:
Since:
So doesn't this indicate it can still establish a WS connection even though handshake was in XHR, and therefore using request headers for authorization is fine? |
It looks like you did have code for it at one stage #344 (comment) So I'm guessing there were issues so it never made it to the main repo apart from cookies which looks like it has since been removed. In which case it'd be good to update the server documentation which is a bit misleading http://socket.io/docs/server-api/#namespace#use%28fn:function%29:namespace

```js
var io = require('socket.io')();
io.use(function(socket, next){
  if (socket.request.headers.cookie) return next();
  next(new Error('Authentication error'));
});
```

as it indicates cookies (i.e. headers) can be used for authentication. And add a replacement to the obsolete authentication wiki document on the main site with examples for authentication and mention of problems with other approaches as I'm sure it's a common scenario. |
+1 for some resolution to this. The docs and examples ate up my time as I expected better access to setting headers for token auth as well. |
+1. There is an upcoming release of engine.io client which enables access to headers, which should facilitate resolving this issue. |
Is this available from the client JS library as well? Also, did it ever actually get in? I see it is merged but I don't think it's operational, could be wrong |
+1. I've run into a similar situation where I need to authenticate browser clients. socket.io-client doesn't seem to allow it. |
+1 any updates on this? |
Any updates on this? |
Any updates on this? |
Since

```js
const socket = io({
  transportOptions: {
    polling: {
      extraHeaders: {
        'x-clientid': 'abc'
      }
    }
  }
});
```

Added to the documentation here. |
I'm getting the following CORS error with this although I'm using
|
@4nubhav you have to pass a handlePreflightRequest function like this:
|
I use |
@4nubhav you should allow that header with

```js
const options = {
  handlePreflightRequest: (req, res) => {
    res.writeHead(200, {
      'Access-Control-Allow-Headers': 'x-clientid', // <<< this
    });
    res.end();
  },
};
const io = require('socket.io')(server, options);
```

|
Update: in Socket.IO v3, the

```js
const socket = io({
  extraHeaders: {
    'x-clientid': 'abc'
  }
});
```

Documentation for CORS: |
When establishing the connection, I can 'access' the query string via io.connect(url, {query:'key=value'})
I expected to be able to do something similar with the headers.
I would like to use this to build webapi, with token authentication.
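
A server-side check for the token-in-header approach this thread asks for, as an added example that is not part of the original issue or of the Socket.IO code base. The `signToken`, `verifyToken` and `headerAuth` names, the `clientId.expiry.mac` token format (client ids without dots), the `authorization: Bearer` header and the `SOCKET_AUTH_SECRET` variable are assumptions; the `(socket, next)` shape and `socket.request.headers` follow the documentation snippet quoted above.

```javascript
// Added example: names, token format and secret handling are assumptions.
const crypto = require('crypto');

// Assumed token format: "<clientId>.<expiryEpochSeconds>.<hex HMAC-SHA256>"
function signToken(secret, clientId, expiresAt) {
  const payload = `${clientId}.${expiresAt}`;
  const mac = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return `${payload}.${mac}`;
}

// Returns the client id, or throws an Error naming the reason.
function verifyToken(secret, token, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [clientId, expiry, mac] = parts;
  const expected = crypto.createHmac('sha256', secret)
    .update(`${clientId}.${expiry}`).digest();
  const given = Buffer.from(mac, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  // Expiry is only trusted after the MAC over it has been verified.
  if (!/^\d+$/.test(expiry) || Number(expiry) <= nowSeconds) {
    throw new Error('token expired');
  }
  return clientId;
}

// Middleware factory with the (socket, next) shape that io.use() expects.
function headerAuth(secret, now = () => Math.floor(Date.now() / 1000)) {
  return (socket, next) => {
    // Node lower-cases incoming header names.
    const header = socket.request.headers['authorization'] || '';
    const match = /^Bearer (\S+)$/.exec(header);
    if (!match) return next(new Error('Authentication error'));
    try {
      socket.clientId = verifyToken(secret, match[1], now());
      next();
    } catch (err) {
      // One generic message for every failure; keep err.message for server logs.
      next(new Error('Authentication error'));
    }
  };
}

// Wiring (not run here): io.use(headerAuth(process.env.SOCKET_AUTH_SECRET));
```

As the thread notes, a browser client can only send this header over the polling transport, and the preflight response must list `authorization` in `Access-Control-Allow-Headers` in the same way the `handlePreflightRequest` reply lists `x-clientid`.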