Redis authentication support

[shantanuthatte]

Support for authentication with Redis support with 'requirepass' set.

[timcosta]

+1 this is super necessary.

[rauchg]

Thoughts about just passing in the clients that you call .auth on yourself?

[rauchg]

I want to avoid adding every single option redis could take.

[timcosta]

Understood, but from my point of view this is a fairly small change looking at the PR above, but saves a lot of time for anyone using this in a production instance, because essentially all redis production instances should be behind auth. I agree that not all options should be supported, but I feel that this one is a must.

[shantanuthatte]

What tjsail33 said. +1

[reqshark]

I think with all the script kiddies out there trying to get into our remote machines having an auth option encourages people to think about more auth, and that's a good thing, so I'm +1ing this

[rauchg]

On the surface it looks like a simple, 3 line patch, no-brainer to add. Enhances security and a clear developer need. But in reality, it makes a crucial error handling decision on behalf of the user.

In this case you decide to throw an uncatchable exception that could bring down the process when authentication fails. This might be ok in many scenarios, but some users might want to catch that and handle it in a particular way…

It's hard to encode all these scenarios into options passed in a hash. Now we need auth but we also need an optional authHandler function. And we need to document that the default behavior is to throw the error.

I think creating the redis clients on behalf of the user is already a mistake though. I did it in the interest of usability, but I'm considering removing it now.

[reqshark]

i'm very intersted in the socket.io adapter and I'm wondering how it would work without creating a client on behalf of the user. So you would pass in a connection object instead?

[rauchg]

Yep you can already do that by supplying pubClient and subClient.

[rauchg]

Something we could do is expose the clients we create on behalf of the user as part of the adapter properties, pass along the auth option, and then let them attach error listeners manually. I believe node-redis fires an error event if no callback is supplied to the command. The issue there is that you lose the context of the error.

[toddbluhm]

I think just passing in clients is the way to go, instead of creating them for the user. I say that because some users already use the redis clients for other things too.

[BrandonCopley]

How would I pass in the client? is there a sample you can show me? my redis server is remote and needs authentication.

[shantanuthatte]

Here's how I do it:

var redisApp = require("redis");
var socketpub = redisApp.createClient(6379, "127.0.0.1", {auth_pass: "my password", return_buffers: true});
var socketsub = redisApp.createClient(6379, "127.0.0.1", {auth_pass: "my password", return_buffers: true});

OR

socketpub.auth("my password");
socketsub.auth("my password");

Finally,

var redis = require('socket.io-redis');
io.adapter(redis({pubClient: socketpub, subClient: socketsub}));

[BrandonCopley]

@shantanuthatte thanks!

[geoffrey]

+1 need this !

[rauchg]

Please look at how @shantanuthatte did it.