Open xmlking opened 6 years ago
So what about to add support guards for handleConnection?
what happen on this?? is this implement or not??
Also I am wondering about this.
just newly stumble on here, similar implementation by this
Instead of using authGuard
on handleConnection
, I think the following approach can solve this problem alternatively.
// in gateway
async handleConnection(socket) {
const user: User = await this.jwtService.verify(
socket.handshake.query.token,
true
);
this.connectedUsers = [...this.connectedUsers, String(user._id)];
// Send list of connected users
this.server.emit('users', this.connectedUsers);
}
// in jwtService
async verify(token: string, isWs: boolean = false): Promise<User | null> {
try {
const payload = <any>jwt.verify(token, APP_CONFIG.jwtSecret);
const user = await this.usersService.findById(payload.sub._id);
if (!user) {
if (isWs) {
throw new WsException('Unauthorized access');
} else {
throw new HttpException(
'Unauthorized access',
HttpStatus.BAD_REQUEST
);
}
}
return user;
} catch (err) {
if (isWs) {
throw new WsException(err.message);
} else {
throw new HttpException(err.message, HttpStatus.BAD_REQUEST);
}
}
}
I would love if this was an option for lifecycle hooks as well.
What is the status of this?
@Hwan-seok Thanks for providing your solution but I have one question. I don't see how this implementation prevents the server from crashing, similar to what is being reported in #2028 . Am I missing something?
Hi @ChrisKatsaras, A lot of time has passed since my last nestjs gateway coding.. so maybe I cannot explain it accurately. Please be aware of it.
Websocket Exception Filters
and Guards
are not do their job on HandleConnection
and it is intended as kamilmysliwiec said.
Look what I found at https://github.com/nestjs/nest/issues/336
So, my past solution seems to be wrong, I think it should be change as follows
async handleConnection(socket) {
const user = whatEverFindOrVerifyUser();
if (!user) {
socket.disconnect(true); // you can omit "true"
}
}
I found socket.disconnect
from https://socket.io/docs/server-api/#socket-disconnect-close
I hope it will help!
Thanks for the quick response @Hwan-seok . This is very helpful!
Circling back to the original question, are there any plans to add guards to the handleConnection
method in the future? @kamilmysliwiec
@Hwan-seok I've also noticed one minor issue with your solution.
In handleConnection
we verify and disconnect the connection if it's invalid. This works fine except there is a period of time between when the handleConnection
function starts and when the authentication returns the result where the connection can receive events without being properly authenticated.
Has anyone found a solution for this? Any help is greatly appreciated! 😃
As @ChrisKatsaras, I have suffered from this too. However, I don't think that that lapse of time is a minor issue :sweat_smile:
As @ChrisKatsaras, I have suffered from this too. However, I don't think that that lapse of time is a minor issue 😅
I agree, @tonivj5 ! Here's to hoping someone can help us out 🤞
@ChrisKatsaras
I forgot to attach await
statement on my above example.
You're using await
statement on const user = await whatEverFindOrVerifyUser();
right?
Because it does not make sense that jumps over Connection handshake
step on lifecycle
Hey @Hwan-seok ! Thanks for the quick reply. Unfortunately, adding await doesn't solve the problem due to the fact that the WebSocket establishes the connection (either before or at the beginning of handleConnection). For this reason, it doesn't matter if you await or not as the connection has been established and can receive events emitted from the server (assuming they are scoped to that socket e.g global emission).
The good news is I did find another solution to the problem! We can make use of NestJS Adapters https://docs.nestjs.com/websockets/adapter in order to determine if the connection is valid. The code below is a skeleton of how you can go about validating incoming connections.
export class AuthenticatedWsIoAdapter extends IoAdapter {
createIOServer(port: number, options?: any): any {
options.allowRequest = async (request, allowFunction) => {
// Do your validation here
// return allowFunction(null, true); Success
// return allowFunction("FORBIDDEN", false); Failure
}
return super.createIOServer(port, options);
}
}
By extending IoAdapter
, we can use createIOServer
and write custom validation for the allowRequest
function.
Here is a more detailed description of allowRequest
:
All you need to do then is use the adapter like so:
app.useWebSocketAdapter(new AuthenticatedWsIoAdapter(app));
After this, connections will be validated through the allowRequest
function before entering handleConnection
in our gateway.
Hope this helps you, @tonivj5 and let me know if I missed anything!
Thanks @ChrisKatsaras! I didn't explore that solution :clap:. The only problem I still see, it's that it's out of the DI (injector) :cry:. I inject a service and depend on providers to check user authenticity.
Hey @tonivj5 , I just used @ChrisKatsaras 's answer and it works great!
The only problem I still see, it's that it's out of the DI (injector) :cry:
The IoAdapter's constructor has an INestApplicationContext
, which means you can use DI! :smile:
I've used it like such:
import { INestApplicationContext } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { IoAdapter } from '@nestjs/platform-socket.io';
import { extract, parse } from 'query-string';
export class AuthenticatedSocketIoAdapter extends IoAdapter {
private readonly jwtService: JwtService;
constructor(private app: INestApplicationContext) {
super(app);
this.jwtService = this.app.get(JwtService);
}
createIOServer(port: number, options?: SocketIO.ServerOptions): any {
options.allowRequest = async (request, allowFunction) => {
const token = parse(extract(request.url))?.token as string;
const verified = token && (await this.jwtService.verify(token));
if (verified) {
return allowFunction(null, true);
}
return allowFunction('Unauthorized', false);
};
return super.createIOServer(port, options);
}
}
Hope this helps!
Thanks for adding that information @xWiiLLz ! Glad I could help out 😄
Thank you very much @xWiiLLz and @ChrisKatsaras! :clap::+1:
I will test it with my use-case :smiley:
I've been playing around with @ChrisKatsaras & @xWiiLLz 's approach, but am struggling to figure out how you would be able to tell which user is authenticated within future messages after the handshake.
In the past, with vanilla socket.io, I'd handle the handshake in a similar way but also store the user's ID (sometimes even a copy of the user) on the socket during the handshake, which could then be retrieved by accessing socket.user.id
(or whatever) during future messages.
Is it possible to replicate this with Nest's approach to WebSockets?
@Jamie452 I'm also looking into this; curious if you find something out. I'll report here / blog about it if I do :)
@Jamie452 I'm also looking into this; curious if you find something out. I'll report here / blog about it if I do :)
Hey, I can share the workaround I'm using in my personal project later tonight. Will get back to you both!
@Jamie452 I'm also looking into this; curious if you find something out. I'll report here / blog about it if I do :)
@dsebastien what I ended up doing was a combination of the two previously posted suggestions. It's far from perfect but lets me get on for the time being.
I'm checking the JWT is valid in options.allowRequest
and then storing the user's data on the socket in the gateways handleConnection
method, where you can get the handshake headers using socket.handshake.headers.authorization
.
Here's what my code looks like, interested to see how you handled it @xWiiLLz;
authenticated-socket-io.adapter.ts
export class AuthenticatedSocketIoAdapter extends IoAdapter {
private httpStrategy: HttpStrategy
constructor(
private app: INestApplicationContext,
) {
super(app)
this.httpStrategy = this.app.get(HttpStrategy)
}
create(port: number, options?: any): any {
return this.createIOServer(port, options)
}
createIOServer(port: number, options?: ServerOptions): any {
options.allowRequest = async (request, allowFunction) => {
try {
// This is where I validate the user has a valid JWT token, but don't necessarily care who they are
await this.httpStrategy.validate(request.headers.authorization.replace("Bearer ", ""))
} catch (e) {
console.warn("Failed to authenticate user:", e)
return allowFunction("Unauthorized", false)
}
return allowFunction(null, true)
}
return server
}
}
app.gateway.ts
interface SocketWithUserData extends Socket {
userData: UserJWTData
}
async handleConnection(socket: SocketWithUserData, ...args: any[]) {
try {
socket.userData = await this.httpStrategy.validate(socket.handshake.headers.authorization.replace("Bearer ", ""))
} catch (e) {
this.logger.error("Socket disconnected within handleConnection() in AppGateway:", e)
socket.disconnect(true)
return
}
}
@SubscribeMessage("whoAmI")
onWhoAmI(socket: SocketWithUserData, data: any): void {
socket.emit("whoAmI", socket.userData)
}
Hey,
So I guess my code is doing something similar to @Jamie452 , but using guards and the JwtService.
Here's the relevant parts.
connected-socket.ts
import * as SocketIO from 'socket.io';
export interface ConnectedSocket extends SocketIO.Socket {
conn: SocketIO.EngineSocket & {
token: string;
userId: number;
};
}
base-gateway.ts
@UsePipes(new ValidationPipe())
@UseInterceptors(ClassSerializerInterceptor)
@UseGuards(SocketSessionGuard)
@UseFilters(new SocketExceptionFilter())
export class BaseGateway implements OnGatewayConnection, OnGatewayDisconnect {
constructor(protected jwtService: JwtService) {}
@WebSocketServer()
protected server: Server;
async handleConnection(client: ConnectedSocket, ...args: any[]) {
const authorized = await SocketSessionGuard.verifyToken(
this.jwtService,
client,
client.handshake.query.token,
);
if (!authorized) {
throw new UnauthorizedException();
}
console.log(`${client.conn.userId} Connected to gateway`);
}
...
}
socket-session.guard.ts
@Injectable()
export class SocketSessionGuard implements CanActivate {
constructor(private jwtService: JwtService) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
console.log('SocketSession activated');
const client = context?.switchToWs()?.getClient<ConnectedSocket>();
return SocketSessionGuard.verifyToken(
this.jwtService,
client,
client.request['token'],
);
}
static async verifyToken(
jwtService: JwtService,
socket: ConnectedSocket,
token?: string,
) {
if (
socket.conn.userId &&
(await jwtService.verifyAsync(socket.conn.token))
) {
return true;
}
if (!token) return false;
socket.conn.token = token;
const { sub } = await jwtService.decode(token);
socket.conn.userId = sub;
console.log(`Setting connection userId to "${sub}"`);
return true;
}
}
Hope this helps 😊
Sorry about not providing this sample earlier, was in the middle of moving and completely forgot about that thread!
@xWiiLLz why do you have @UseGuards(SocketSessionGuard)
that's not actually doing anything? Why not inject the guard in the constructor and make the method non-static? Also why are you putting the token in the query rather than the header?
@xWiiLLz why do you have
@UseGuards(SocketSessionGuard)
that's not actually doing anything? Why not inject the guard in the constructor and make the method non-static? Also why are you putting the token in the query rather than the header?
I assume the validateConnection is just called once (at the handshake). With the guard, you can verify the token (expiry, token refresh logic...) at every call, as you would with a REST controller.
Is there a way we can get the namespace the socket is trying to connect, in the adapter? I want to run different verifications for different namespace connections and the request URL doesn't seem to hold the namespace in it.
Possible implementation of authorization for native ws and WsAdapter with correct handshake response. Auth can be different for every gateway (as it required in my case).
some.gateway.ts
...
import * as net from "net";
import {Server} from 'ws';
import {getClientIp} from 'request-ip';
...
afterInit(wss: Server): any {
const httpServer: net.Server = wss._server;
httpServer.removeAllListeners("upgrade");
httpServer.on('upgrade', async (req, socket, head) => {
const userIp = getClientIp(req);
try {
await this.authUserService.check(req.headers);
this.logger.log(`Auth good for user with IP: ${userIp}`);
wss.handleUpgrade(req, socket, head, function done(ws) {
wss.emit('connection', ws, req);
});
} catch (e) {
if (e instanceof ValidationError) {
this.logger.warn(`Auth bad for user with IP ${userIp}: ${e.message}`);
return abortHandshake(socket, 401);
} else {
this.logger.error(`Auth user error: ${e.message}`, e.stack);
return abortHandshake(socket, 500);
}
}
});
}
...
abortHandshake
implementation can be found here
P.S. As far I undestand, this behavior also can be achieved with using verifyClient function of ws, similar to allowRequest and socketio, but it's not a best practice
Hey guys, when using the ws not socket.io lib for websockets, intercepting the websocket upgrade and performe some validation can also be done using the websocket gateway decorator like this:
@WebSocketGateway({
cookie: 'sid',
path: '/ws',
allowUpgrades: false,
transports: ['websocket'],
verifyClient: (info, cb) => {
console.log(info.req);
cb(true, 200, 'you are verified', {
cookie: 'sid: hello world',
});
},
})
the verifyClient option gets past down to the websocket-server.js. There is no need to change anything, except to provide the needed information, that this option exist. I am not sure, how this could work with Authgards and session etc. If you have an idea how to use it with express-session, let me know.
For more information, I have submitted a feature request
I hope this helps anybody.
Thank you @xWiiLLz for the great examples! Especially the adapter and guard! One thing I would like to mention is that for the security reasons you shouldn't put your secret token in the URL, but use a header instead. Luckily the code will stay the same because you have access to the headers in both places:
const token = request.headers.authorization; // in adapter
const token = client.handshake.headers.authorization; // in guard
And on the client side you just add the token when creating the socket.io-client
instance, for example:
const socket = io(environment.host, {
extraHeaders: {
authorization: userToken,
},
});
Maybe we should add some samples provided here in the docs
@DmitrySergeyev Hi, your code is very interesting, but how do you access wss._server ?
same happened in #9231 Its quite dumb to do auth in each emited events in server, anyone find a way to access original socket.io and apply a middleware on it?
https://socket.io/docs/v4/middlewares/ Clearly mentioned that we can apply a middleware for one-time auth only when connection establish, before actual connect to server
But in the adapter i go through all parameters i can use, i find nothing helpfun for socket auth example in here
Adapter
options {
transports: [ 'websocket' ],
cors: { origin: '*' },
allowRequest: [AsyncFunction (anonymous)]
}
options.path undefined
request IncomingMessage {
_readableState: ReadableState {
objectMode: false,
highWaterMark: 16384,
buffer: BufferList { head: null, tail: null, length: 0 },
length: 0,
pipes: [],
flowing: null,
ended: true,
endEmitted: false,
reading: false,
constructed: true,
sync: true,
needReadable: false,
emittedReadable: true,
readableListening: false,
resumeScheduled: false,
errorEmitted: false,
emitClose: true,
autoDestroy: true,
destroyed: false,
errored: null,
closed: false,
closeEmitted: false,
defaultEncoding: 'utf8',
awaitDrainWriters: null,
multiAwaitDrain: false,
readingMore: true,
dataEmitted: false,
decoder: null,
encoding: null,
[Symbol(kPaused)]: null
},
_events: [Object: null prototype] {},
_eventsCount: 0,
_maxListeners: undefined,
socket: <ref *1> Socket {
connecting: false,
_hadError: false,
_parent: null,
_host: null,
_readableState: ReadableState {
objectMode: false,
highWaterMark: 16384,
buffer: BufferList { head: null, tail: null, length: 0 },
length: 0,
pipes: [],
flowing: null,
ended: false,
endEmitted: false,
reading: true,
constructed: true,
sync: false,
needReadable: true,
emittedReadable: false,
readableListening: false,
resumeScheduled: false,
errorEmitted: false,
emitClose: false,
autoDestroy: true,
destroyed: false,
errored: null,
closed: false,
closeEmitted: false,
defaultEncoding: 'utf8',
awaitDrainWriters: null,
multiAwaitDrain: false,
readingMore: false,
dataEmitted: false,
decoder: null,
encoding: null,
[Symbol(kPaused)]: false
},
_events: [Object: null prototype] { end: [Function: onReadableStreamEnd] },
_eventsCount: 1,
_maxListeners: undefined,
_writableState: WritableState {
objectMode: false,
highWaterMark: 16384,
finalCalled: false,
needDrain: false,
ending: false,
ended: false,
finished: false,
destroyed: false,
decodeStrings: false,
defaultEncoding: 'utf8',
length: 0,
writing: false,
corked: 0,
sync: true,
bufferProcessing: false,
onwrite: [Function: bound onwrite],
writecb: null,
writelen: 0,
afterWriteTickInfo: null,
buffered: [],
bufferedIndex: 0,
allBuffers: true,
allNoop: true,
pendingcb: 0,
constructed: true,
prefinished: false,
errorEmitted: false,
emitClose: false,
autoDestroy: true,
errored: null,
closed: false,
closeEmitted: false,
[Symbol(kOnFinished)]: []
},
allowHalfOpen: true,
_sockname: null,
_pendingData: null,
_pendingEncoding: '',
server: Server {
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
_connections: 1,
_handle: [TCP],
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: true,
pauseOnConnect: false,
httpAllowHalfOpen: false,
timeout: 0,
keepAliveTimeout: 5000,
maxHeadersCount: null,
maxRequestsPerSocket: 0,
headersTimeout: 60000,
requestTimeout: 0,
_connectionKey: '6::::4005',
[Symbol(IncomingMessage)]: [Function: IncomingMessage],
[Symbol(ServerResponse)]: [Function: ServerResponse],
[Symbol(kCapture)]: false,
[Symbol(async_id_symbol)]: 15
},
_server: Server {
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
_connections: 1,
_handle: [TCP],
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: true,
pauseOnConnect: false,
httpAllowHalfOpen: false,
timeout: 0,
keepAliveTimeout: 5000,
maxHeadersCount: null,
maxRequestsPerSocket: 0,
headersTimeout: 60000,
requestTimeout: 0,
_connectionKey: '6::::4005',
[Symbol(IncomingMessage)]: [Function: IncomingMessage],
[Symbol(ServerResponse)]: [Function: ServerResponse],
[Symbol(kCapture)]: false,
[Symbol(async_id_symbol)]: 15
},
parser: null,
on: [Function: socketListenerWrap],
addListener: [Function: socketListenerWrap],
prependListener: [Function: socketListenerWrap],
setEncoding: [Function: socketSetEncoding],
_paused: false,
[Symbol(async_id_symbol)]: 18,
[Symbol(kHandle)]: TCP {
reading: true,
onconnection: null,
_consumed: true,
[Symbol(owner_symbol)]: [Circular *1]
},
[Symbol(kSetNoDelay)]: false,
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kCapture)]: false,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0,
[Symbol(RequestTimeout)]: undefined
},
httpVersionMajor: 1,
httpVersionMinor: 1,
httpVersion: '1.1',
complete: true,
rawHeaders: [
'Host',
'localhost:4005',
'Connection',
'Upgrade',
'Pragma',
'no-cache',
'Cache-Control',
'no-cache',
'User-Agent',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
'Upgrade',
'websocket',
'Origin',
'http://localhost:4002',
'Sec-WebSocket-Version',
'13',
'Accept-Encoding',
'gzip, deflate, br',
'Accept-Language',
'zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7',
'Sec-WebSocket-Key',
'MciI8xIiBAf5mUHc0MWT+Q==',
'Sec-WebSocket-Extensions',
'permessage-deflate; client_max_window_bits'
],
rawTrailers: [],
aborted: false,
upgrade: true,
url: '/socket.io/?EIO=4&transport=websocket',
method: 'GET',
statusCode: null,
statusMessage: null,
client: <ref *1> Socket {
connecting: false,
_hadError: false,
_parent: null,
_host: null,
_readableState: ReadableState {
objectMode: false,
highWaterMark: 16384,
buffer: BufferList { head: null, tail: null, length: 0 },
length: 0,
pipes: [],
flowing: null,
ended: false,
endEmitted: false,
reading: true,
constructed: true,
sync: false,
needReadable: true,
emittedReadable: false,
readableListening: false,
resumeScheduled: false,
errorEmitted: false,
emitClose: false,
autoDestroy: true,
destroyed: false,
errored: null,
closed: false,
closeEmitted: false,
defaultEncoding: 'utf8',
awaitDrainWriters: null,
multiAwaitDrain: false,
readingMore: false,
dataEmitted: false,
decoder: null,
encoding: null,
[Symbol(kPaused)]: false
},
_events: [Object: null prototype] { end: [Function: onReadableStreamEnd] },
_eventsCount: 1,
_maxListeners: undefined,
_writableState: WritableState {
objectMode: false,
highWaterMark: 16384,
finalCalled: false,
needDrain: false,
ending: false,
ended: false,
finished: false,
destroyed: false,
decodeStrings: false,
defaultEncoding: 'utf8',
length: 0,
writing: false,
corked: 0,
sync: true,
bufferProcessing: false,
onwrite: [Function: bound onwrite],
writecb: null,
writelen: 0,
afterWriteTickInfo: null,
buffered: [],
bufferedIndex: 0,
allBuffers: true,
allNoop: true,
pendingcb: 0,
constructed: true,
prefinished: false,
errorEmitted: false,
emitClose: false,
autoDestroy: true,
errored: null,
closed: false,
closeEmitted: false,
[Symbol(kOnFinished)]: []
},
allowHalfOpen: true,
_sockname: null,
_pendingData: null,
_pendingEncoding: '',
server: Server {
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
_connections: 1,
_handle: [TCP],
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: true,
pauseOnConnect: false,
httpAllowHalfOpen: false,
timeout: 0,
keepAliveTimeout: 5000,
maxHeadersCount: null,
maxRequestsPerSocket: 0,
headersTimeout: 60000,
requestTimeout: 0,
_connectionKey: '6::::4005',
[Symbol(IncomingMessage)]: [Function: IncomingMessage],
[Symbol(ServerResponse)]: [Function: ServerResponse],
[Symbol(kCapture)]: false,
[Symbol(async_id_symbol)]: 15
},
_server: Server {
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
_connections: 1,
_handle: [TCP],
_usingWorkers: false,
_workers: [],
_unref: false,
allowHalfOpen: true,
pauseOnConnect: false,
httpAllowHalfOpen: false,
timeout: 0,
keepAliveTimeout: 5000,
maxHeadersCount: null,
maxRequestsPerSocket: 0,
headersTimeout: 60000,
requestTimeout: 0,
_connectionKey: '6::::4005',
[Symbol(IncomingMessage)]: [Function: IncomingMessage],
[Symbol(ServerResponse)]: [Function: ServerResponse],
[Symbol(kCapture)]: false,
[Symbol(async_id_symbol)]: 15
},
parser: null,
on: [Function: socketListenerWrap],
addListener: [Function: socketListenerWrap],
prependListener: [Function: socketListenerWrap],
setEncoding: [Function: socketSetEncoding],
_paused: false,
[Symbol(async_id_symbol)]: 18,
[Symbol(kHandle)]: TCP {
reading: true,
onconnection: null,
_consumed: true,
[Symbol(owner_symbol)]: [Circular *1]
},
[Symbol(kSetNoDelay)]: false,
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kCapture)]: false,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0,
[Symbol(RequestTimeout)]: undefined
},
_consuming: false,
_dumped: false,
parser: null,
_query: [Object: null prototype] { EIO: '4', transport: 'websocket' },
[Symbol(kCapture)]: false,
[Symbol(kHeaders)]: {
host: 'localhost:4005',
connection: 'Upgrade',
pragma: 'no-cache',
'cache-control': 'no-cache',
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
upgrade: 'websocket',
origin: 'http://localhost:4002',
'sec-websocket-version': '13',
'accept-encoding': 'gzip, deflate, br',
'accept-language': 'zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7',
'sec-websocket-key': 'MciI8xIiBAf5mUHc0MWT+Q==',
'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits'
},
[Symbol(kHeadersCount)]: 24,
[Symbol(kTrailers)]: null,
[Symbol(kTrailersCount)]: 0,
[Symbol(RequestTimeout)]: undefined
}
request.headers {
host: 'localhost:4005',
connection: 'Upgrade',
pragma: 'no-cache',
'cache-control': 'no-cache',
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
upgrade: 'websocket',
origin: 'http://localhost:4002',
'sec-websocket-version': '13',
'accept-encoding': 'gzip, deflate, br',
'accept-language': 'zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7',
'sec-websocket-key': 'MciI8xIiBAf5mUHc0MWT+Q==',
'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits'
}
request.socket.eventNames [ 'end' ]
socket.auth undefined
client connect 5csfs8KnqMl1L3ZKAAAC
I can not find any useful information if i want to do authentication for specific namespace in websocket gateway For example, in client i put a jwt token in socket.io-client's option's auth I can print it out in GateWay handleConnection's parameter, but i can not find any data in adapter
client.handshake.auth {
jwt: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySUQiOiI0NDBjMjg0YS03YmFkLTQ3NDgtYjg3MS0yZjRiNmY5Mjg2ZWEiLCJpYXQiOjE2NDUzNTc3NjQsImV4cCI6MTY0NTk2MjU2NH0.ad8pa4gujJ5fzTNnAkQAHe_dSWiZQH993S6snBxbGfA'
}
Hey @tonivj5 , I just used @ChrisKatsaras 's answer and it works great!
The only problem I still see, it's that it's out of the DI (injector) 😢
The IoAdapter's constructor has an
INestApplicationContext
, which means you can use DI! 😄I've used it like such:
import { INestApplicationContext } from '@nestjs/common'; import { JwtService } from '@nestjs/jwt'; import { IoAdapter } from '@nestjs/platform-socket.io'; import { extract, parse } from 'query-string'; export class AuthenticatedSocketIoAdapter extends IoAdapter { private readonly jwtService: JwtService; constructor(private app: INestApplicationContext) { super(app); this.jwtService = this.app.get(JwtService); } createIOServer(port: number, options?: SocketIO.ServerOptions): any { options.allowRequest = async (request, allowFunction) => { const token = parse(extract(request.url))?.token as string; const verified = token && (await this.jwtService.verify(token)); if (verified) { return allowFunction(null, true); } return allowFunction('Unauthorized', false); }; return super.createIOServer(port, options); } }
Hope this helps!
It looks good but should be pass the JWT token in URL query parameter ? It looks not safe
I've been playing around with @ChrisKatsaras & @xWiiLLz 's approach, but am struggling to figure out how you would be able to tell which user is authenticated within future messages after the handshake.
In the past, with vanilla socket.io, I'd handle the handshake in a similar way but also store the user's ID (sometimes even a copy of the user) on the socket during the handshake, which could then be retrieved by accessing
socket.user.id
(or whatever) during future messages.Is it possible to replicate this with Nest's approach to WebSockets?
It also how i deal with auth in native websocket, by storing information i need into context when connected So i can access whenever i want I can believe the removal of middleware support, it is a must for any further customization. I can not store any information into socket in handleConnect function The only way i can access is to put a Guard function on every subscribeMessage, and it is wasting overhead of the connection to check token, get user info in DB, blablabla in EVERY event emit
Hey,
So I guess my code is doing something similar to @Jamie452 , but using guards and the JwtService.
Here's the relevant parts.
connected-socket.ts
import * as SocketIO from 'socket.io'; export interface ConnectedSocket extends SocketIO.Socket { conn: SocketIO.EngineSocket & { token: string; userId: number; }; }
base-gateway.ts
@UsePipes(new ValidationPipe()) @UseInterceptors(ClassSerializerInterceptor) @UseGuards(SocketSessionGuard) @UseFilters(new SocketExceptionFilter()) export class BaseGateway implements OnGatewayConnection, OnGatewayDisconnect { constructor(protected jwtService: JwtService) {} @WebSocketServer() protected server: Server; async handleConnection(client: ConnectedSocket, ...args: any[]) { const authorized = await SocketSessionGuard.verifyToken( this.jwtService, client, client.handshake.query.token, ); if (!authorized) { throw new UnauthorizedException(); } console.log(`${client.conn.userId} Connected to gateway`); } ... }
socket-session.guard.ts
@Injectable() export class SocketSessionGuard implements CanActivate { constructor(private jwtService: JwtService) {} async canActivate(context: ExecutionContext): Promise<boolean> { console.log('SocketSession activated'); const client = context?.switchToWs()?.getClient<ConnectedSocket>(); return SocketSessionGuard.verifyToken( this.jwtService, client, client.request['token'], ); } static async verifyToken( jwtService: JwtService, socket: ConnectedSocket, token?: string, ) { if ( socket.conn.userId && (await jwtService.verifyAsync(socket.conn.token)) ) { return true; } if (!token) return false; socket.conn.token = token; const { sub } = await jwtService.decode(token); socket.conn.userId = sub; console.log(`Setting connection userId to "${sub}"`); return true; } }
Hope this helps 😊
Sorry about not providing this sample earlier, was in the middle of moving and completely forgot about that thread!
I don't know if it is a bug or not, Guard is not working in Gateway level You can reference to my issue at #9231
This is my workaround solution, perfectly before handleConnection and without any adapter I create a namespace specific middleware function, use jwtService from jwtModule and my userService as parameter
auth.middleware.ts
import { JwtService } from '@nestjs/jwt';
import { Socket } from 'socket.io';
import { JwtPayload } from 'src/auth/jwt/jwt-payload.interface';
import { Player } from 'src/typs';
import { UserService } from 'src/user/user.service';
export interface AuthSocket extends Socket {
user: Player;
}
export type SocketMiddleware = (socket: Socket, next: (err?: Error) => void) => void
export const WSAuthMiddleware = (jwtService:JwtService, userService:UserService):SocketMiddleware =>{
return async (socket:AuthSocket, next) => {
try {
const jwtPayload = jwtService.verify(
socket.handshake.auth.jwt ?? '',
) as JwtPayload;
const userResult = await userService.getUser(jwtPayload.userID);
if (userResult.isSuccess) {
socket.user = userResult.data;
next();
} else {
next({
name: 'Unauthorizaed',
message: 'Unauthorizaed',
});
}
} catch (error) {
next({
name: 'Unauthorizaed',
message: 'Unauthorizaed',
});
}
}
}
ws.gateway.ts
import {
UseFilters,
UseGuards,
UsePipes,
ValidationPipe,
} from '@nestjs/common';
import {
ConnectedSocket,
SubscribeMessage,
WebSocketGateway,
WebSocketServer,
MessageBody,
} from '@nestjs/websockets';
import { Server as SocketIOServer, Socket } from 'socket.io';
import { CreateGameDataDTO } from './dto/message-dto';
import { WsClientEvent } from '../typs';
import { WSCommExceptionsFilter } from './WSFilter.filter';
import { NestGateway } from '@nestjs/websockets/interfaces/nest-gateway.interface';
import { JwtService } from '@nestjs/jwt';
import { UserService } from 'src/user/user.service';
import { AuthSocket, WSAuthMiddleware } from './auth.middleware';
@UsePipes(new ValidationPipe())
@UseFilters(new WSCommExceptionsFilter())
@WebSocketGateway({
transports: ['websocket'],
cors: {
origin: '*',
},
namespace: '/', //this is the namespace, which manager.socket(nsp) connect to
})
export class WsRoomGateway implements NestGateway {
constructor(
private readonly jwtService:JwtService,
private readonly userService:UserService,
){}
@WebSocketServer()
server: SocketIOServer;
afterInit(server: SocketIOServer) {
const middle = WSAuthMiddleware(this.jwtService, this.userService)
server.use(middle)
console.log(`WS ${WsRoomGateway.name} init`);
}
handleDisconnect(client: Socket) {
console.log('client disconnect', client.id);
}
handleConnection(client: AuthSocket, ...args: any[]) {
console.log('client connect', client.id, client.user);
}
@SubscribeMessage(WsClientEvent.CREATE_ROOM)
handleCreateRoom(
@ConnectedSocket() client: AuthSocket,
@MessageBody() body: CreateGameDataDTO,
) {
client.send('test', body);
}
}
In console, when user senc connect request with jwt Token in auth option of socket.io-client or anywhere you want accessable in Socket, it will be authed before handleConnect, and user obj will be availble in cutomized Socket AuthSocket
If user not pass the jwt Token, the next(err) will reject the connection, make whole websocket connection much clear, no need to do Guard auth in all @SubscribeMessage
Based on Manuelbaun's answer, I've implemented auth for ws connection, my implementation :
info.req.url
within verifyClient(info, cb)
, set info.req.client.isValid
to true if verified@UseGuards(WebSocketGuard)
above @SubscribeMessage('events')
if neededWebSocketGuard
, implement canActive as belowexport class WebSocketGuard extends AuthGuard('websocket') {
canActivate(context: ExecutionContext) {
const client = context.switchToWs().getClient();
return client._socket.isValid;
}
}
This issue has been open since 2018, and I think none of the solutions are too great, when NestJS itself should just allow attaching guards to handleConnection.
Why was this marked as won't fix without at least an explanation given?
@jackykwandesign has the best answer. Thank you.
In my case fetching user data is asynchronous, so I found this workaround:
import { ConnectedSocket, OnGatewayConnection, SubscribeMessage, WebSocketGateway, } from '@nestjs/websockets';
import { UseGuards } from '@nestjs/common';
import { WsAuthGuard } from './ws-auth.guard';
import { WsAuthService } from './ws-auth.service';
import { Socket } from 'socket.io';
@WebSocketGateway(3001, { cors: true, transports: ['websocket'], path: '/io' })
@UseGuards(WsAuthGuard)
export class SocketIoController implements OnGatewayConnection {
constructor(private readonly wsAuthService: WsAuthService) {}
handleConnection(@ConnectedSocket() client: Socket) {
this.wsAuthService.onClientConnect(client);
}
@SubscribeMessage('test')
async test(@ConnectedSocket() client: Socket) {
return JSON.stringify(client.data);
}
}
import { Injectable } from '@nestjs/common';
import { Socket } from 'socket.io';
@Injectable()
export class WsAuthService {
private initializationMap = new Map<string, Promise<any>>();
onClientConnect(socket: Socket) {
this.initializationMap.set(socket.id, this.initialize(socket));
}
async finishInitialization(socket: Socket): Promise<any> {
await this.initializationMap.get(socket.id);
}
private async initialize(socket: Socket): Promise<any> {
// asynchronously get user data
const user = await new Promise((resolve) =>
setTimeout(() => resolve({ id: 1234, hasPower: true, foo: 'bar' }), 2000),
);
// store result to socket data
socket.data.user = user;
this.initializationMap.delete(socket.id);
}
}
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
import { WsAuthService } from './ws-auth.service';
import { Socket } from 'socket.io';
@Injectable()
export class WsAuthGuard implements CanActivate {
constructor(private readonly wsAuthService: WsAuthService) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const client = context.switchToWs().getClient<Socket>();
// wait until client data initialization will be finished
await this.wsAuthService.finishInitialization(client);
// your canActivate logic
return client.data.user.hasPower;
}
}
The logic: 1) Delegate client handleConnection to WsAuthService.onClientConnect 2) Store client initialization Promise in WsAuthService 3) Await promise resolution in WsAuthGuard (event will not be processed until Guard will not finish check)
Cheers 🍻
Related: https://github.com/nestjs/nest/issues/1254 https://github.com/nestjs/nest/issues/336
Strongly support you! The auth should be at handleConnection, to auth it in message handler is totally of no sense. If the connection is created securely, the auth check is useless here.
We wrote our 1st version of code in Java, and now want to migrate to NestJS and hit this problem.
I'm submitting a...
Current behavior
Currently gateway’s handleConnection method don’t support guards.
Expected behavior
It would be helpful set current user on socket after successfully connected.
Minimal reproduction of the problem with instructions
What is the motivation / use case for changing the behavior?
Environment