feathersjs / feathers

The API and real-time application framework
https://feathersjs.com
MIT License

Socket connection is disconnected when jwt expired. #3508

Open fxpoet opened 4 months ago

fxpoet commented 4 months ago

Steps to reproduce

  1. I set the JWT expiry time very short for testing token refreshing: 5 seconds, in config/default.json.

  2. After 5 seconds, the Feathers debug output printed "Removing authentication information and expiration timer from connection" and then the socket connection was disconnected.

  3. Normally Socket.IO would try to reconnect, but no reconnection attempt was made. The reason seems to be a normal disconnection from the server.

  4. So when I call service('users').find(), it freezes (because the socket is disconnected).

Expected behavior

Even if the jwt expire time expires, I expected the socket connection to remain connected and only the authentication information to be deleted.

Actual behavior

  1. At @feathersjs/authentication/src/jwt.ts@52 it fires app.emit('disconnect') when the JWT expiry time is reached.

  2. At @feathersjs/authentication/src/jwt.ts@64 it removes the auth info from the socket connection on app.on('disconnect').

  3. At @feathersjs/socketio/src/middleware@7, app.on('disconnect') -> socket.disconnect().

When app.emit('disconnect') is executed, the socket is actually disconnected. I don't know if disconnecting when the JWT expires is the intended design.

I changed it to app.emit('auth-expired') instead of app.emit('disconnect'), and changed the event name in the jwt to the corresponding event name, and it worked as I expected.

Module versions (especially the part that's not working):

5.0.25

Meatysoda commented 3 months ago

Maybe you can emit a 'create', 'authentication' event when the deadline comes?

fxpoet commented 3 months ago

In the case of socket connections, there are also anonymous connections that are not related to authentication. Therefore, when the jwt expires, the connection should remain intact and only the authentication information should be deleted to return to an anonymous state. However, the current implementation disconnects the connection and does not attempt to reconnect, so it causes a freeze when .find() is performed.

fxpoet commented 3 months ago

Currently, I have implemented it so that the JWT is refreshed when it expires.