
Token-based Authentication with Socket.IO

Introduction

Authentication in realtime frameworks can be challenging, perhaps because the way these systems work is quite different from a regular web app. The risk of not correctly authenticating your socket traffic is that a client could end up sniffing information on other users' streams. This first diagram shows the common misconception: a user who is authenticated in the hosting web application is assumed to also be authenticated in the socket stream.

Cookie-based and Token-based Auth

There are two ways of solving this problem: the traditional cookie-based approach or a token-based approach. In our previous article, we wrote about the benefits of a token-based architecture: Cookies vs Tokens.

Coupling: the first issue when using cookies is that you have to couple the web application authentication mechanism with the socket server authentication.

Authenticating Sockets using Tokens

Server Side

Code speaks by itself.

Then the socket.io server

Client Side

WebSocket Security

The WebSocket protocol is a young technology, and brings with it some risks. Decades of experience have taught the web community some best practices around HTTP security, but the security best practices in the WebSocket world aren't firmly established, and continue to evolve. Nevertheless, some themes have emerged and they are described in this article.

You should strongly prefer the secure protocol over the insecure transport. Heroku's SSL endpoints support WSS, and we strongly recommend that you use it.

Avoid tunneling

It's relatively easy to tunnel arbitrary TCP services through a WebSocket. We recommend avoiding tunneling if at all possible.

Validate client input

WebSocket connections are easily established outside of a browser, so you should assume that you need to deal with arbitrary data.

Validate server data

You should apply equal suspicion to data returned from the server, as well.

Authentication/authorization

auth0/node-jsonwebtoken
