sockets - How to authenticate with Node.js/Express + Passport + Websockets? -


i building angular2-login-seed uses passport.js oauth strategies authentication. default method of authentication these tools use of http cookie signed express. passport, can tell, manages actual set cookie header express can authenticate each subsequent request via request.isauthenticated() , access data set passport via req.session.passport.datahere.

i want incorporate realtime data in application via websockets. of course means socket stream coming server client. communication entirely separate regular http server request meaning:

  1. it not contain http cookie http requests contain

  2. express not broker interaction sockets, managed whatever implementation used in backend (sock.js, socket.io)

this makes difficult streamline authentication between http requests express, , websocket data backend separate methods of communication.

from research, leaves me 2 options. 1 of use library give socket implementation (preferably sock.js on socket.io need more research) access express session. authenticate socket connection want. issue have no idea how express cookie stream front since javascript cannot access (http cookie).

another common solution i've seen people jump use jwts (json web tokens). implementations revolving around store jwt in localstorage on front end. spa (in case angular2 services) send every request 'stateless' server authentication , send via websocket authenticate websocket connection (the front end js has access localstorage obviously). couple things come mind when thinking implementation:

  1. is possible have passport oauth strategies use jwt instead of regular session information? modification entail? can tell passport strategies use form of oauth1 or oauth2 parent strategies authentication defaults using cookies.

  2. would storing vital information in localstorage open application security breaches (xss, csrf, etc)

  3. if so, common workaround i've seen store jwt in cookie cannot accessed, spoofed, or forged. puts me in position in before using jwt, might not bother.

  4. does mean i'd have use sort of state management store in backend (redis example) manage authentication , decoding of jwt body? (i know nothing redis, etc).

the idea of connecting authentication between server http requests , socket data odd seemingly vital authenticating socket connection. i'm little surprised easier method not exist. i've done research , have seen things such socketio-jwt, express-jwt, etc don't know if manageable transition passport strategies, or if easier opening express session data socket implementation, or if i'm going wrong!

any or guidance appreciated thanks.

then authenticate socket connection want. issue have no idea how express cookie stream front since javascript cannot access (http cookie).

with express-socket.io-session session auth done on handshake, , handshake http request, if cookies http-only work. (tested myself)


Comments

Popular posts from this blog

Django REST Framework perform_create: You cannot call `.save()` after accessing `serializer.data` -

Why does Go error when trying to marshal this JSON? -