Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Passing JWT to Node.js WebSocket in Authorization header on initial connection

Tags:

node.js

websocket

authorization

jwt

I'm setting up a Node.js server to communicate with WebSockets to my web app. I was planning on using JSON Web Tokens to limit access to only users who have already authenticated with our webapp. While researching, I am having trouble finding a WebSocket package for Node.js that supports client-side setting of the Authorization header and using that on the initial connection call?

I regularly see recommendations to pass the token via query param, which could be less secure than passing the token via the Authorization header. Am I missing something? Are there any good, well-maintained WebSocket libraries that allow setting the Authorization header client-side so that I can prevent unwanted connections to the server?

like image 935
Thelonias Avatar asked Jul 28 '15 15:07

Thelonias

People also ask

Can WebSockets have headers?

Warning: The server can't send more than one Sec-Websocket-Protocol header. If the server doesn't want to use any subprotocol, it shouldn't send any Sec-WebSocket-Protocol header. Sending a blank header is incorrect. The client may close the connection if it doesn't get the subprotocol it wants.

How do I authenticate WebSocket connection?

Authentication FlowThe client makes a WebSocket handshake request with the external authentication token passed as a query-string parameter in the handshake endpoint URL. The server checks the cache to see if the external authentication token is valid.

1 Answers

Browser-based WebSocket API does not make it possible to specify HTTP headers. On the other hand, the query param approach works and is not that bad (when used over HTTPS), so it's often used instead.

Although there are WebSocket implementations for Node.js that make it possible to specify HTTP headers, this only works when running the client in Node.js. It doesn't work when running in a browser.

Einaros' ws is one such example. Passing a JWT token via Authorization header is simple when running in Node.js:

var WebSocket = require("ws");

' does not work in browsers
var token = "Replace_this_with_your_JWT_token";
var options = {
    headers: {
        "Authorization" : "JWT " + token
    }
};

var ws = new WebSocket("wss://example.com/path", options);
...

But when used from Browserify, requiring ws simply returns the ordinary browser-based WebSocket API that is unable of passing custom headers. And unless web browsers add support for passing headers, passing via the query param is the way to go.

like image 135
Lukas Pokorny Avatar answered Oct 07 '22 09:10

Lukas Pokorny
Sign in to Comment

Related questions

Error handling with Node.js, Async and Formidable
postcss-svgo: TypeError: Cannot set property 'multipassCount' of undefined (Gatsby)
How can I make sure that a job doesn't run twice in Bull?
NodeJS (Server): ReferenceError: require is not defined when type: module
Nodejs : Redirect URL
Module not found error in node.js
How to support multiple private npm packages living in one git repo?
How do I capture utf-8 decode errors in node.js?
Node.js - child_process and cluster confusion
XML to PEM in Node.js
How to start a new project with MEAN and sails.js
Check if a symlink exists in node.js
Pre-Signed S3 URL Signature Does Not Match
Having trouble streaming response to client using expressjs
How do I force gulp calls to run synchronously?
Arrow functions not working in node --harmony under Ubuntu
Ability to abort asynchronous call
How to get directory size in node.js without recursively going through directory?
Socket.io: How to count clients in a room with Socket.io-redis adapter
What's the difference between saveUninitialized and resave?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!