I have no idea how authenticate login user with socket.io
Authenticate user and socket server
All socket.io connections start with an http request. You can do any authentication you want at that initial connection point.
You can also access any cookies such as a session cookie that may already exist to indicate auth that has already been done.
The socket.io library itself has middleware that can be used to implement an authentication check.
And, finally, socket.handshake contains the headers and other info from the original socket.io connect request that can be used later during any socket.io message.
Related
Wondering about my security approach.
We have a web server with some kind of backend, and a JS frontend.
Users have to login through the frontend, with regular GET/POST requests, they get a HTTP-only session cookie set as well as a particular "wstoken" string that is available to the JS (by setting it with <script>wstoken = 'xxx';</script>
The frontend then opens a WS connection to the API server and sends an authentication request with the wstoken. If the wstoken matches what we have for the user in the DB, we accept the authentication request and consider that WS connection to be authed to that user.
I'm wondering if I'm doing it right.
I'd like to use an Application Load Balancer (ALB) to authenticate requests with Cognito to my node express back-end. After authenticating, the ALB maintains session with a session cookie, and will forward a few headers to the back-end in form x-amzn-oidc-* (e.g. x-amzn-oidc-accesstoken).
My application backend needs these claims to carry out requests. So how do I develop and test token signature verification locally?
Edit:
Similar question here.
Headers containing identifying information and access tokens here
We have a Google http(S) LB in front of a Google Compute VM, and we are routing a subdomain to the backend which exposes only a wss endpoint. I couldn't find any example for javascript code how to use Authentication with Google IAP and OIDC Tokens.
Does Google IAP support query parameters for the authentication ?
I found this entry:
Bearer authentication for websocket
Thanks for any advice
There is no method in the JavaScript WebSockets API to customize WebSocket headers from JavaScript, you’re limited to the “implicit” auth (i.e. Basic or cookies) that are sent from the browser. Further, it’s common to have the server that handles WebSockets be completely separate from the one handling “normal” HTTP requests. This can make shared authorization headers difficult or impossible. One way to attain this is using a “ticket”-based authentication system.
When the client-side code decides to open a WebSocket, it contacts
the HTTP server to obtain an authorization “ticket”.
The server generates the ticket. It typically contains some sort of
user/account ID, the IP of the client requesting the ticket, a
timestamp, and any other sort of internal record keeping you might
need.
The server stores this ticket (i.e. in a database or cache), and
returns it to the client.
The client opens the WebSocket connection, and sends along this
“ticket” as part of an initial handshake.
The server can then compare this ticket, check source IPs, verify
that the ticket hasn’t been re-used and hasn’t expired, and do any
other sort of permission checking. If all goes well, the WebSocket
connection is now verified.
Refer to the link for websocket security and related stack posts HTTP headers in websockets client API and Websocket authentication.
We're developing a web application that will fetch some data over a websocket. We serve it from CloudFront over SSL, the back-end is on AWS. We authenticate the users with Cognito for signing in with the application, and we would like to use the Cognito token to set up authentication for the websocket as well. Also, we want the token to be part of the first connection attempt, so that we don't open a connection to anyone, and then wait for some magic message containing auth, that could probably lead to DDoS attacks.
The first thought was to add the token to an authorization header, but the websocket standard doesn't support adding headers.
Second, we thought about adding an X-Authorization cookie with the token, that way the cookie would be sent as part of the request to open a socket. This failed (probably) because in development, the cookie domain is set to "localhost", and will not be sent to the websocket url of aa.bb.com.
Our next move is to append the token to the URL as a query parameter, and it seems to be working.
Now, my question is, is this safe enough, or should we consider something like a two-step approach, first get a sign-in token from another endpoint, then use that one as a query parameter when opening the websocket ?
As long as your traffic is over SSL whatever solution works has the same security as the SSL no matter what method is used i.e. GET, POST...
I have some access to socks5 server (host, port, username and password). I need to be authorized and then make several requests to different servers by TCP via this socks5 proxy. How I can make it with node.js?
I found library socks-client and it is ok, but I have to be authorized for each request to remote server (by using method 'connect'). How can I solve my problem?
That's the nature of the SOCKS protocol. You connect, authenticate, and then if successful normal data is transferred back and forth on the same connection. There is no way to re-use a connection, so you have to repeat the process for every new connection you want to make.