Closed jondubois closed 8 years ago
Any news? ^_^
Interested in this as well.
It's next on my TODO list.
I'm currently making some changes to authentication (making it localStorage-based instead of cookie-based, also it will be fully customizable on both the client and server) so I need to finish that before moving on to passport... Sometime this week hopefully :(
Look perhaps at https://github.com/sahat/satellizer and the nodeJS module. It works for me :+1:
@rrNuvoPoint Thanks for mentioning this! Satellizer looks like a very good solution to this problem.
@MegaGM @vnistor Note that you can do Authentication either over HTTP or over WebSockets.
Assuming I understood satellizer correctly, a typical HTTP auth flow could be:
socketCluster.connect(...)
socket.request.headers.cookie
(WebSockets)^ Alternatively, you could pass the JWT token as a query parameter (in the URL) if you don't want to use cookies. But note that there are some drawbacks to this approach. See related article: https://facundoolano.wordpress.com/2014/10/11/better-authentication-for-socket-io-no-query-strings/
A typical WebSocket flow could be:
socketCluster.connect(...)
socket.emit('authFacebook', facebookAuthCode)
socket.on('authFacebook', handlerFunction)
socket.setAuthToken({username: 'bob123'})
socket.setAuthToken(...)
as often as you like - Each time it will send the client a fresh token and reset the expiry.

The second flow (WebSocket based) is currently the easiest way to do OAuth since SC manages the JWT tokens for you (you don't need to know anything about JWT to use it). If you choose the HTTP approach, you have to generate, sign, parse and validate the JWT token yourself, which is more work.
I will try to make it easier to generate the JWT token as part of the HTTP flow too so that should make the first flow easier.
Then once that's done I will think about how to integrate with PassportJS.
Since SC v2.2.35, you can access the default AuthEngine from worker.auth inside your workerController. This allows you to sign (create) tokens and also verify tokens provided by clients: https://github.com/SocketCluster/socketcluster/blob/master/lib/auth.js - This may be useful if you want to do custom authentication over HTTP but don't want to write your own token signing/verification engine.
I think satellizer seems like the best solution since SC is designed to work with JWT tokens.
See https://github.com/TopCloud/socketcluster/issues/53