Ad

Socket.io: Check Authentication On Every Event Or Connection

- 1 answer

I would like to make sure a user is logged in before they are sending chats. To do this, should I use a authentication middleware that triggers on every connection or use a middleware that trigger on each event?

I am worried if I use the former, the user can sign in then signout (without losing the connection) and continue to send messages while not logged in).

However, looking through all the different stackoverflow posts, no one has mentioned this issue. Can anyone tell me what approach is commonly used?

Ad

Answer

Based on the comments following your question there are two items you can configure to better protect your users.

Tune your socket.io implementation:

  1. Upgrade your socket.io implementation to use 2.x.
  2. Make use of the 'socket.io#origins' configuration to eliminate the default CORS wildcard for any domain.
  3. Use authenticated sessions within the socket.io connection. See 'socket.io#adapter' or the 'session.socket.io' module alternative.

Tune your sites security headers:

  1. Run your site (if publicly available) through https://securityheaders.com to test your current implementation.
  2. Make use of the guide(s) at OWASP for more options regarding securing your site such as this one regarding use of the newer security headers available in browsers. https://www.owasp.org/index.php/List_of_useful_HTTP_headers

source : https://security.stackexchange.com/questions/89660/how-to-secure-my-node-js-socket-io-application-properly

Ad
source: stackoverflow.com
Ad