README
Socket.io JWT decoder
Authenticate socket.io incoming connections with JWTs. This is useful if you are build a single page application and you are not using cookies as explained in this blog post: Cookies vs Tokens. Getting auth right with Angular.JS.
- Socket.io JWT decoder just works for Socket.IO >= 1.0. *
Installation
npm install socketio-jwt-decoder
Example usage
The previous approach uses a second roundtrip to send the jwt, there is a way you can authenticate on the handshake by sending the JWT as a query string, the caveat is that intermediary HTTP servers can log the url.
var io = require("socket.io")(server);
var socketioJwt = require("socketio-jwt-decoder");
io.use(socketioJwt.authorize({
secret: 'your secret or public key',
otherOption: someValue // you can pass other arguments to jsonwebtoken
}));
io.on('connection', function (socket) {
if (socket.decoded_token) { // authentication successful
console.log('hello!', socket.handshake.decoded_token.name);
}
})
For more validation options see auth0/jsonwebtoken.
Client side:
Append the jwt token using query string:
var socket = io.connect('http://localhost:9000', {
'query': 'token=' + your_jwt
});
Handling token expiration
Server side:
When you sign the token with an expiration time:
var token = jwt.sign(user_profile, jwt_secret, {expiresInMinutes: 60});
Your client-side code should handle it as below.
Client side:
socket.on("error", function(error) {
if (error.type == "UnauthorizedError" || error.code == "invalid_token") {
// redirect user to login page perhaps?
console.log("User's token has expired");
}
});
Contribute
You are always welcome to open an issue or provide a pull-request!
Also check out the unit tests:
npm test
License
Licensed under the MIT-License. 2015 Juan Jesús García López