14

I'm working on a small multiplayer game. I'd like to introduce authentication. I'm using Node.js and Socket.io.

When the user arrives that the main page - I want them to join the game whether they are logged in or not - but they will be unable to do anything within it (only watch).

How could I then go about authenticating the user on the already open socket?

Could I maintain the authentication still if they left the site and came back? Can you pass a cookie through a web socket?

EDIT

To further my question. One of the possible thoughts I've had is to provide the websocket connection, then when they try to login in, it passes username and password as a message to the websocket.

client.on('onLogin', loginfunction);

I could then take the username and password, check against the database, then take the session ID of the socket and pass it somewhere to say that session is authenticated to that user.

Is this secure? Could I still implement a cookie on the socket so they could come back? Is there any way within socket.io of stating that the socket is now authenticated instead of manually checking on each message received?

Cheers

Chris Evans
  • 993
  • 2
  • 13
  • 30
  • Is there a way perhaps of setting the connection as authenticated within socket.io after the connection has been established and handshake complete? The user could supply login details when ready to an existing connection, server could validate and return a unique session ID. Client side javascript could then save a cookie for future use. – Chris Evans Jan 06 '12 at 10:49
  • See [this article](http://www.danielbaulig.de/socket-ioexpress/) on how to authenticate socket.io sessions. – fent Jan 06 '12 at 10:15
  • Yes, I have actually read that article already. Whilst I'm quite happy setting a cookie, it doesn't allow for logging in on the same page if the socket is already open. It also suffers presumably if the user has cookies disabled? – Chris Evans Jan 06 '12 at 10:33
  • You want to be able to re-login users on the same page? And 99.99% of users have cookies enabled. It's more likely that they'd have Javascript disabled if anything. – fent Jan 06 '12 at 11:03

3 Answers3

6

This isn't actually too hard, but you're approaching it the wrong way. A couple things:

  1. You cannot set a cookie with socket.io; you can, however, get the cookie values of any connected client at any time. In order to set a cookie, you will have to send a new http response, meaning the user must first send a new http request (aka refresh or go to a new page, which it sounds is not a possibility for you here).

  2. Yes: socket.io is secure (to the extent that any transmitted data can be).

As such, you can do the following:

On the user's initial connection, create a cookie with a unique session ID, such as those generated from Express's session middleware. You will need to configure these not to expire on session end though (otherwise it will expire as soon as they close their browser).

Next you should create an object to store the cookie session IDs. Each time a new connect.sid cookie is set, store in your new object with a default value of false (meaning that the user has been authenticated by session, but not by logon)

On the user's login, send a socket emit to the server, where you can then authenticate the login credentials, and subsequently update the session id object you created to read true (logged in) for the current socket id.

Now, when receiving a new http request, read the cookie.sid, and check if its value in your object is true.

It should look something like the following:

var express = require('express'),
http = require('http'),
cookie = require('cookie');

var app = express();
var server = http.createServer(app);
var io = require('socket.io').listen(server);


app.use(express.cookieParser());
app.use(express.session({ 
    secret: 'secret_pw',
    store: sessionStore,
    cookie: { 
        secure: true,
        expires: new Date(Date.now() + 60 * 1000), //setting cookie to not expire on session end
        maxAge: 60 * 1000,
        key: 'connect.sid'
    }
}));

var sessionobj = {}; //This is important; it will contain your connect.sid IDs.

//io.set('authorization'...etc. here to authorize socket connection and ensure legitimacy


app.get("/*", function(req, res, next){
    if(sessionobj[req.cookies['connect.sid']]){
        if(sessionobj[req.cookies['connect.sid']].login == true){
            //Authenticated AND Logged in
        }
        else{
            //authenticated but not logged in
        }
    }
    else{
        //not authenticated
    }

});


io.sockets.on('connection', function(socket){
    sessionobj[cookie.parse(socket.handshake.headers.cookie)['connect.sid'].login = false;
    sessionobj[cookie.parse(socket.handshake.headers.cookie)['connect.sid'].socketid = socket.id;

    socket.on('login', function(data){
        //DB Call, where you authenticate login
        //on callback (if login is successful):
        sessionobj[cookie.parse(socket.handshake.headers.cookie)['connect.sid']] = true;
    });

    socket.on('disconnect', function(data){
        //any cleanup actions you may want
    });

});
Ari
  • 3,489
  • 5
  • 26
  • 47
  • correct me if I am wrong, but aren't sessions that never expire are generally considered insecure – brthornbury Dec 18 '13 at 03:25
  • @Mozoby My code is setting the cookie to expire after a certain amount of time has passed - it is not indefinite. I did so because the original question seemed to indicate that returning users should still be logged in, which means that I cannot leave the cookies to expire on browser close like they do by default. – Ari Dec 18 '13 at 04:08
2

Chris, I'm won't be able to answer since I'm not an expert on socket.io, but I can maybe try to point you in another direction that can help you - and take away some development time.

But first, a disclaimer: I work for Realtime.co and am not trying to do any sort of advertising. I work closely with developers and I'm just trying to help you by providing you an out-of-the-box solution for your problem. Also, being a gamer, I can't stay away from trying to help people getting their games out there!

Realtime uses an authentication/authorization layer in which you can provide user read/write permissions to channels. When users enters the website you can give them read only permissions to the game channel and once they login, you can then give them write permissions. This can be easily done by doing an authentication post and reconnecting to the server (it can all be done client side). I would do it server-side, though, to increase security.

Realtime has a Node.js API so you can easily integrate it with your server. Since it also has APIs for many other platforms (including mobile) and they all work the same way, you can actually have your game working in multiple platforms over the same communication layer, while having full control over channels.

Thanks for reading.

Edit:

You can read the documentation here for more info: http://docs.xrtml.org/

SergioMSCosta
  • 324
  • 2
  • 8
0

Socket.io has an option to pass extraHeaders. One can use that to pass a token from the client. The server would use the desired authentication algorithm to decrypt the token and get the user_id.

socket.js

import io from 'socket.io-client';

export const socket = io('https://remote-url');

export const socketAuth = () => {
  socket.io.disconnect();  //This uses the same socket and disconnect with the server. 
  socket.io.opts.extraHeaders = {
    'x-auth-token': JSON.parse(window.localStorage.getItem('auth-token')),
  };
  socket.io.opts.transportOptions = {
    polling: {
      extraHeaders: {
        'x-auth-token': JSON.parse(window.localStorage.getItem('auth-token')),
      },
    },
  };  
  socket.io.open(); //Opens up a new connection with `x-auth-token` in headers

};

client.js

  import { socket, socketAuth } from 'utils/socket';
  socket.on('unauthenticated-messages', () => {
    someAction();
  });

  //After user logs in successfully
  socketAuth();

  socket.on('authenticated-messages', () => {
    someAction();
  });
Ronak Jain
  • 1,723
  • 2
  • 24
  • 35