atinux
commented
3 days ago Hey @IlyaSemenov
I believe this issue should be opened on H3 side actually on how to handle session with the websocket handler.
Open IlyaSemenov opened 4 days ago
atinux
commented
3 days ago Hey @IlyaSemenov
I believe this issue should be opened on H3 side actually on how to handle session with the websocket handler.
As a developer, I need to authenticate users inside a websocket session. In nuxt (h3),
defineWebSocketHandlerprovides the API which doesn't pass the originatingH3Event, only raw URL and headers.I assumed there would be a low-level function such as
getUserSessionFromHeaders({ ... })orgetUserSessionFromCookie("....")but I didn't manage to find one.getUserSessionseems to be simply callingh3.useSessionand the whole machinery seems to expect the full blownH3Eventeven though in fact it only needs a string.I believe the documentation should include a recommended recipe for websocket users / other non-h3event authentication needs.
In the meanwhile, I ended up with a quite awkward approach where I have a GET API handler that encrypts the result of
requireUserSession, then call it on the client side and push the encrypted session to websocket, which then decrypts it (and also handles expiration to prevent replay attacks). This is a lot of redundant code and an extra HTTP request per connection, and definitely could be improved if there were a way to directly decode the rawnuxt-sessioncookie content.