
I need to protect services exported by a Feathers database adapter with token authentication. We did this for REST with:

var jwt = require('express-jwt'); // the middleware factory jwt() comes from

// Verifies the bearer token on each request: HS256 with the base64-decoded
// Auth0 client secret, and the client ID must appear as the token's audience
var authenticate = jwt({
  secret: new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
  audience: process.env.AUTH0_CLIENT_ID
});

To prevent un-authenticated clients from accessing REST services, we do:

app.use('/api', authenticate);

Access to websockets should be locked down, as well. I found some examples. The below should theoretically enable authentication for socket.io.

var socketioJwt = require('socketio-jwt');

app.configure(feathers.socketio(function(io) {
  // Waits for an 'authenticate' message carrying the token on each new socket
  io.on('connection', socketioJwt.authorize({
    secret: new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
    audience: process.env.AUTH0_CLIENT_ID,
    timeout: 5000 // 5 seconds to send the authentication message
  })).on('authenticated', function(socket) {
    // Only sockets that presented a valid token reach this handler
    // console.log('token: ' + socket.decoded_token.name);
    socket.emit('news', { hello: 'world' });
    socket.on('my other event', function (data) {
      console.log(data);
    });
  });
}));

This is not happening, however. The client socket.io requests do not have the token, yet the server has no problem taking care of them.

Where do I start looking?

Moshe Shmukler

2 Answers


The best way to force authentication is to use feathers-hooks. We also have a guide on how you can do authentication and authorization.

Our docs are a little confusing at the moment so it's easy to miss, but we'll be fixing that soon!

ekryski
Am I understanding you correctly that the recommended way is to utilize passport-auth0 etc.? When you configured the app to use feathers-passport after 'rest' and 'socketio' and hooks, are both 'rest' and socketio going to require authentication? Are those app.configure calls all that is necessary to create the proper "stack"? I don't know whether your documentation is confusing. I have been doing Node.js for two weeks. The abundance of packages is still overwhelming. I sort of figured out one way of forcing authentication of socket.io requests, but did not get my client and server to play nice, yet. – Moshe Shmukler Dec 19 '15 at 15:27

I might have found the problem. When I use the below snippet [before io.on()] to lock socket.io down, it seems to work.

var socketioJwt = require('socketio-jwt');

// Inside feathers.socketio(function(io) { ... }), registered before io.on('connection', ...):
// handshake mode checks the token while the socket connects, so a client
// without a valid token is refused rather than connected and left waiting
io.use(socketioJwt.authorize({
  secret: new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
  audience: process.env.AUTH0_CLIENT_ID,
  handshake: true
}));

Now, I need to figure out how to make the client and server play nicely.

Moshe Shmukler