README
socket.io-auth
It provides a hook to authenticate socket.io without using query-strings to send credentials, which is not a good security practice.
It works by preventing access to socket object before authentication, which is
done by given auth function and submitted credentials on authenticate
event.
Installation
npm install socket.io-auth
Usage
Just pass socket.io server and auth
function to socket.io-auth
and add other
events on callback:
var io = require('socket.io')(4000)
// setup and authentication method
auth = function(data, done) {
// check for valid credential data
if (data.token == 'test') {
done();
} else {
done(new Error('bad credentials')) // or any error message
}
};
require('socket.io-auth')(io, auth, function(socket){
// use socket as before to implement other signals
socket.on('ping', function(data){
socket.emit('pong', data);
});
});
you can set authentication window with timeout option (default is 1s (1000ms)):
require('socket.io-auth')(io, auth, {timeout: 2000}, function(socket){
// rest of code ...
});
clients just need to authenticate after connection:
var socket = require('socket.io-client')('http://localhost:4000');
socket.on('connect', function(){
socket.emit('authenticate', {token: 'some token'});
socket.on('authenticated', function(){
// now it is an authenticated socket and works as before
});
});
Contribute
You are always welcome to open an issue or provide a pull-request!
Also checkout the tests:
$ npm test
socket.io-auth
before authentication
✓ marks socket as unauthenticated
✓ dose not sent messages to sockets
✓ disconnects unauthenticated sockets after timeout window
on authentication
with valid credentials
✓ authenticates and emits authenticated signal
with invalid credentials
✓ disconnects the socket
✓ emits unauthenticated with error message
after authentication
✓ handles all signals normally