Feature Request: Add negotiation (redirect, token) mechanism on client and server #4825
Comments
@darrachequesne I wonder whether you can have a look at this feature request. Is it OK to have such a data contract between client and server? And if we can have the agreement, I can take this issue and post a pull request.
@zackliu thanks for opening this 👍 I'm not sure if it should be integrated directly in the Socket.IO protocol. Maybe some kind of extension? Or as an additional package?
@darrachequesne Thanks for replying. I think for the server side, an extension may be enough as it only returns a negotiation response. But for the client side, it needs to be integrated into clients' constructing process. And as it's about connection not socket, maybe the change is more suitable in Engine.IO package.
Every time it needs to reconnect, do the negotiation again. As it changes the interior process, I think this has to change directly in Engine.IO package. Of course, it should be optional.
The process is very clear, thanks for the explanation 👍 Still, I'm not sure if we should add this feature to the client, because of the impact on the bundle size. How about an additional package?

```js
import { io } from "socket.io-client";

export async function createClient() {
  const socket = io({
    autoConnect: false,
  });

  // do the negotiation (upon initial setup and reconnection)

  socket.connect();

  return socket;
}
```
I'm not sure whether everything is achievable outside the class. E.g., for long polling the token should be in Authorization header but for websocket, it should be in query.
Yes, sure! Having the code will surely help.
Feature description and some design details
It's a feature request about adding a negotiation mechanism.
`/negotiate` and response a JSON:
`new io(negotiateFactory: async () => await negotiateAsync());`
And client read and parse the JSON, and then it can make connection according to the negotiation result.
`url` is required for client to make connection and `token` can be set in `Authorization` header for long polling and `access_token` query string for websocket (websocket only supports limited headers).
The reason why I want to add this feature
The feature benefits some scenarios:
`token` can be used to secure and auth the Engine.IO connection. Nowadays most of the auth is applied on Socket.IO level. But anyway an attacker can make Engine.IO connection without any auth to consume server's resource. Add a token upon Engine.IO connection and server can verify and reject it in `io.engine.use()` middleware. And negotiate every reconnection make sure you can refresh the token.
`url` point to the server directly first, and server can update and change its negotiate result to redirect client to cloud provider (brokers) without changing any codes in clients.
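
The server-side check the issue describes (token in the `Authorization` header for long polling, in the `access_token` query string for WebSocket, rejected in an `io.engine.use()` middleware), as an added example that is not code from the issue or from Socket.IO/Engine.IO. The token format (`<expiryMs>.<hex HMAC-SHA256>`), the shared `SECRET`, and the names `issueToken`, `verifyToken`, `extractToken` and `negotiationGuard` are assumptions made for illustration.

```javascript
// Added example: hypothetical names and token format, not part of Socket.IO.
const crypto = require("node:crypto");

// Assumption: one secret shared by the /negotiate endpoint and the guard.
const SECRET = "constructed-demo-secret";

// What a /negotiate handler could hand out: "<expiryMs>.<hex HMAC of expiryMs>".
function issueToken(ttlMs, now = Date.now()) {
  const exp = String(now + ttlMs);
  const sig = crypto.createHmac("sha256", SECRET).update(exp).digest("hex");
  return `${exp}.${sig}`;
}

function verifyToken(token, now = Date.now()) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 2) return false;
  const [exp, sig] = parts;
  // Strict shape check: Buffer.from(..., "hex") silently drops trailing junk.
  if (!/^\d+$/.test(exp) || !/^[0-9a-f]{64}$/.test(sig)) return false;
  const expected = crypto.createHmac("sha256", SECRET).update(exp).digest();
  const given = Buffer.from(sig, "hex"); // always 32 bytes after the check above
  return crypto.timingSafeEqual(given, expected) && Number(exp) > now;
}

// Long polling sends "Authorization: Bearer <token>"; a browser WebSocket
// cannot set that header, so the token arrives as ?access_token=<token>.
function extractToken(req) {
  const header = req.headers.authorization || "";
  if (header.startsWith("Bearer ")) return header.slice(7);
  const url = new URL(req.url, "http://localhost"); // base is only for parsing
  return url.searchParams.get("access_token");
}

// Express-style (req, res, next) middleware, the shape io.engine.use() accepts.
// Rejecting here stops the Engine.IO handshake before a session is allocated.
function negotiationGuard(req, res, next) {
  if (verifyToken(extractToken(req))) return next();
  res.writeHead(401, { "Content-Type": "text/plain" });
  res.end("invalid or expired negotiation token");
}
```

Register it with `io.engine.use(negotiationGuard)`. Because `access_token` travels in the URL for WebSocket, keep token lifetimes short and scrub the query string from access logs.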