
I have encountered two possibilities and would prefer a solution that performs the check prior to fully establishing the websocket.

```javascript
var express = require("express.io");
var app = express().http().io();

app.use(express.json());
app.use(express.cookieParser());
app.use(express.session({secret: process.env.COOKIESECRET}));
```

Option 1: How to get the Express session object?
UPDATE: This might not be workable as Express.io registers its own "authorize" function which makes the Express session available to Socket.io.

```javascript
app.io.configure(function() {
  app.io.set("authorize", function(handshake, authorize) {
    // Cookie is available...?
    //handshake.headers.cookie
  });
});
```

Option 2: Easy to get Express session, but connection already established.

```javascript
app.io.route("test", function(req) {
  if(!req.session.IsAuthorized) {
    req.io.disconnect();
  }
});
```

Ioan

1 Answer

You can pass in a reference to your session store so it is available when you configure your socket server:

```javascript
var sessionStore = new express.session.MemoryStore();

app.use(express.session({secret: process.env.COOKIESECRET, store: sessionStore}));
```

I think you should be able to get the rest from there by matching the handshake.headers object to stuff in your session store. Note that the default store is held in memory, which is not great for production purposes (but fine for now I guess). The above relates to your option 1 method.

DF_
  • Although I'm having trouble getting a Redis store working using [this](http://stackoverflow.com/questions/15169418/how-can-i-get-sessions-to-work-using-redis-express-socket-io) and [this](https://github.com/techpines/express.io/tree/master/examples#scaling-with-redis), I didn't specifically ask about that. My understanding has been that Express.io already combines Express and Socket.io session handling, as evidenced in Option 2. Express.io already has an "authorization" function defined which matches the session as you suggest. – Ioan Feb 19 '14 at 14:20
  • What is your question? I gave you the way to access the session before an established connection, which I understood to be your question. – DF_ Feb 19 '14 at 14:41
  • I've updated the question with new findings. What you recommend is already done by Express.io, making Option 1 unworkable (as far as I understand). – Ioan Feb 19 '14 at 15:19
  • You are correct that app.io.configure sets its own authorize function, but you can override it if you wish (as with anything in JavaScript). – DF_ Feb 19 '14 at 19:37
  • I was hoping not to do that as it provides potentially useful features. I would rather work within the Express.io framework and not deal with things breaking after an update. – Ioan Feb 19 '14 at 21:29
  • I am unaware of how that would be possible if you want to stay in the constraints of the framework then, sorry. Unless you can override authorize function whilst maintaining a reference to the original function. – DF_ Feb 20 '14 at 01:17
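
The idea raised in the last comment (override the authorize function while keeping a reference to the original), sketched as an added example that is not part of the original thread and not express.io's own code. It assumes the socket server exposes `get(key)`/`set(key, value)` for its settings and uses the `"authorize"` key as written in the question; `wrapAuthorize`, `makeStubIo`, `tryHandshake` and the `sid` cookie are hypothetical names, and the stub stands in for the framework so the block runs offline.

```javascript
// Added example (not from the thread or express.io): wrap the existing
// handshake handler rather than replacing it. Assumes `io` exposes
// get(key)/set(key, value) for its settings.
function wrapAuthorize(io, key, isAllowed) {
  var original = io.get(key); // keep a reference to the framework's handler
  io.set(key, function (handshake, done) {
    // No handler means no session was loaded for us: fail closed.
    if (typeof original !== "function") return done(null, false);
    original(handshake, function (err, ok) {
      if (err || !ok) return done(err, false); // framework already refused
      // The original handler has attached the session; add our own check.
      done(null, isAllowed(handshake) === true);
    });
  });
}

// ---- Constructed stand-ins so the example runs offline ----
function makeStubIo(sessions) {
  var settings = {};
  var io = {
    get: function (k) { return settings[k]; },
    set: function (k, v) { settings[k] = v; return io; }
  };
  // Plays the framework's role: load the session named by the cookie.
  io.set("authorize", function (handshake, done) {
    var m = /(?:^|;\s*)sid=([^;]+)/.exec(handshake.headers.cookie || "");
    handshake.session = m ? sessions[m[1]] : undefined;
    done(null, true);
  });
  return io;
}

// Runs one handshake through the configured handler (the stub calls back
// synchronously; a real store would not). Returns true if accepted.
function tryHandshake(io, cookie) {
  var accepted = false;
  io.get("authorize")({ headers: { cookie: cookie } }, function (err, ok) {
    accepted = !err && ok === true;
  });
  return accepted;
}

var io = makeStubIo({ abc: { IsAuthorized: true }, xyz: { IsAuthorized: false } });
wrapAuthorize(io, "authorize", function (handshake) {
  return Boolean(handshake.session && handshake.session.IsAuthorized);
});
console.log(tryHandshake(io, "sid=abc"), tryHandshake(io, "sid=xyz"), tryHandshake(io, ""));
```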