Security News
npm Updates Search Experience with New Objective Sorting Options
npm has a revamped search experience with new, more transparent sorting options—Relevance, Downloads, Dependents, and Publish Date.
@thream/socketio-jwt
Advanced tools
Authenticate socket.io incoming connections with JWTs.
Authenticate socket.io incoming connections with JWTs.
Compatible with socket.io >= 3.0.0
.
This repository was originally forked from auth0-socketio-jwt & it is not intended to take any credit but to improve the code from now on.
npm install --save @thream/socketio-jwt
import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'
const io = new Server(9000)
io.use(
authorize({
secret: 'your secret or public key'
})
)
io.on('connection', async (socket) => {
// jwt payload of the connected client
console.log(socket.decodedToken)
const clients = await io.sockets.allSockets()
if (clients != null) {
for (const clientId of clients) {
const client = io.sockets.sockets.get(clientId)
client?.emit('messages', { message: 'Success!' })
// we can access the jwt payload of each connected client
console.log(client?.decodedToken)
}
}
})
jwks-rsa
(example)import jwksClient from 'jwks-rsa'
import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'
const client = jwksClient({
jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
})
const io = new Server(9000)
io.use(
authorize({
secret: async (decodedToken) => {
const key = await client.getSigningKeyAsync(decodedToken.header.kid)
return key.getPublicKey()
}
})
)
io.on('connection', async (socket) => {
// jwt payload of the connected client
console.log(socket.decodedToken)
// You can do the same things of the previous example there...
})
onAuthentication
(example)import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'
const io = new Server(9000)
io.use(
authorize({
secret: 'your secret or public key',
onAuthentication: async decodedToken => {
// return the object that you want to add to the user property
// or throw an error if the token is unauthorized
}
})
)
io.on('connection', async (socket) => {
// jwt payload of the connected client
console.log(socket.decodedToken)
// You can do the same things of the previous example there...
// user object returned in onAuthentication
console.log(socket.user)
})
authorize
optionssecret
is a string containing the secret for HMAC algorithms, or a function that should fetch the secret or public key as shown in the example with jwks-rsa
.algorithms
(default: HS256
)onAuthentication
is a function that will be called with the decodedToken
as a parameter after the token is authenticated. Return a value to add to the user
property in the socket object.import { io } from 'socket.io-client'
// Require Bearer Token
const socket = io('http://localhost:9000', {
auth: { token: `Bearer ${yourJWT}` }
})
// Handling token expiration
socket.on('connect_error', (error) => {
if (error.data.type === 'UnauthorizedError') {
console.log('User token has expired')
}
})
// Listening to events
socket.on('messages', (data) => {
console.log(data)
})
Anyone can help to improve the project, submit a Feature Request, a bug report or even correct a simple spelling mistake.
The steps to contribute can be found in the CONTRIBUTING.md file.
FAQs
Authenticate socket.io incoming connections with JWTs.
The npm package @thream/socketio-jwt receives a total of 3,265 weekly downloads. As such, @thream/socketio-jwt popularity was classified as popular.
We found that @thream/socketio-jwt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
npm has a revamped search experience with new, more transparent sorting options—Relevance, Downloads, Dependents, and Publish Date.
Security News
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.