WebSocket Client handshake headers (Authorization) #1286
Comments
|
I was encountering the same thing when trying to find a way to do auth for my websockets. From what I've seen so far auth via headers in websockets is not recommended. Multiple sources have pointed to using a ticketing system described here: https://devcenter.heroku.com/articles/websocket-security |
|
The limitation I see for using headers for auth is that javascript does not support custom headers for the websocket handshake. I haven't come across any material that mentions auth via headers in websockets is not recommended. In fact even the spec mentions:
|
|
For future readers, please see https://stackoverflow.com/a/4361358 I'm afraid there is nothing we can at the Socket.IO level. Slightly related: the // client
const socket = io({
auth: {
token: "abcd"
}
});
// server
io.use((socket, next) => {
const token = socket.handshake.auth.token;
// check token, then
next();
});Documentation: https://socket.io/docs/v3/client-initialization/#auth |
Note: for support questions, please use one of these channels: stackoverflow or slack
For bug reports and feature requests for the Swift client, please open an issue there.
For bug reports and feature requests for the Java client, please open an issue there.
You want to:
Current behaviour
According to the documentation websocket transport will not append header cause the WebSocket handshake does not honor custom headers. (For background see the WebSocket protocol RFC)
Steps to reproduce (if the current behaviour is a bug)
Expected behaviour
It seems to me this is not exactly what RFC explains. Let's read item 12 in the section 4:
Please, add handshake headers overwrite support for websocket transport
Setup
Other information (e.g. stacktraces, related issues, suggestions how to fix)
The text was updated successfully, but these errors were encountered: