Securing Socket.io

Question

I am using a Node.js based https server that authenticates using HTTP Basic (which is fine as the data are sent over the SSL encrypted connection).

Now I want to provide a Socket.io connection which should be

1. encrypted and
2. for authenticated users only.

The question is how to do this. I already found out that I need to specify { secure: true } in the client JavaScript code when connecting to the socket, but how do I force on the server-side that socket connections can only be run over SSL, and that it works only for authenticated users?

I guess that the SSL thing is the easy part, as the Socket.io server is bound to the https server only, so it should run using SSL only, and there should be no possibility to run it over an (additionally) running http server, right?

Regarding the other thing I have not the slightest idea of how to ensure that socket connections can only be established once the user successfully authenticated using HTTP Basic.

Any ideas?

Answer 1

Edit: Of course OP is right in their other answer; what's more, with socket.io >1.0 you might use socket.io-express-session.

Original answer:

Socket.io supports authorization via the io.set('authorization', callback) mechanism. See the relevant documentation: Authorizing. Here's a simple example (this authenticates using a cookie-based session, and a connect/express session store -- if you need something else, you just implement another 'authorization' handler):

var utils = require('connect').utils;

// Set up a session store of some kind
var sessionId = 'some id';
var sessionStore = new MemoryStore();
// Make express app use the session store
app.use(express.session({store: sessionStore, key: sessionId});

io.configure(function () {
    io.set('authorization', function (handshakeData, callback) {
        var cookie = utils.parseCookie(handshakeData.headers.cookie);

        if(!(sessionId in cookie)) {
            return callback(null, false);
        }

        sessionStore.get(cookie[sessionId], function (err, session) {
            if(err) {
                return callback(err);
            }

            if(!('user' in session)) {
                return callback(null, false);
            }

            // This is an authenticated user!
            // Store the session on handshakeData, it will be available in connection handler
            handshakeData.session = session;

            callback(null, true);
        });
    });
});

Answer 2

Although the answer by Linus is basically right, I now solved it in a more easy way using the session.socket.io - which basically does the same thing, but with way less custom-code to write.