Description
Using socket.io 0.8.4 from NPM, I'm struggling to get global authorisation working, so it can be handled on the client side. Using modified code from the Wiki, I'm checking for the existence of an Express session cookie and 'unauthorizing' the client if it doesn't exist.
```javascript
// io and parseCookie are defined elsewhere in the app (code modified from the Wiki)
io.configure(function () {
  io.set('authorization', function (handshakeData, callback) {
    if (!handshakeData.headers.cookie) {
      callback('No session cookie', false); // This generates a 500 error in the browser
    } else {
      var cookies = parseCookie(handshakeData.headers.cookie);
      var sessionID = cookies['connect.sid'];
      if (!sessionID) {
        callback('No session', false); // This generates a 500 error in the browser
      } else {
        handshakeData.sessionID = sessionID;
        callback(null, true);
      }
    }
  });
});
```
My app requires a session cookie (from connect), so if the session cookie isn't present (because, perhaps, it has expired), I want to flag the io.authorization as failed.
The problem seems to be that calling `callback(error, false)` returns a 500 error to the browser, so it can't be handled client side. Surely this is incorrect as this can't easily be handled by the client?
The example on the Wiki shows using the `socket.on('error')` event to handle this but that doesn't get triggered.
...or is the example on the Wiki out of date?
I also see that even though authorisation is 'failed', I still see a `debug - authorised` message in the debug log - which is why I think this might be a bug.
Also the Wiki states that there are 3 possible response codes for a handshake: 401 Unauthorized, 503 Service Unavailable, or 200 OK.
This appears to be incorrect as both 500 and 403 responses are possible.
Activity
thomasfr commented on Oct 22, 2011
If you pass null, false to the callback, you will get a 403.
But the error object you get on the client side only shows "handshake unauthorized", so maybe it would be a good addition to add a complete error object with response codes to the client side.
Or even better, a separate event for each of the possible authorization failures: "not authorized", "service unavailable" and for the 200 "OK" we already have the connect event.
What do you think?
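The two denial paths discussed above (an error string versus `null, false`), as an added example that is not code from the issue or from socket.io. The helper names, the in-memory session table and the status mapping are assumptions; the mapping only models the codes reported in this thread.

```javascript
// Added example; parseCookieHeader, knownSessions, authorize, handshakeStatus
// and simulate are hypothetical names, not socket.io or connect APIs.

// Minimal Cookie header parser standing in for the issue's parseCookie helper.
function parseCookieHeader(header) {
  var out = Object.create(null);
  String(header || '').split(';').forEach(function (pair) {
    var idx = pair.indexOf('=');
    if (idx < 0) return;
    var name = pair.slice(0, idx).trim();
    var value = pair.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !(name in out)) out[name] = value;
  });
  return out;
}

// Constructed store; assumes the cookie value is the session id, as in the issue.
var knownSessions = { abc123: { user: 'alice' } };

// Same signature as the function given to io.set('authorization', ...).
function authorize(handshakeData, callback) {
  var headers = (handshakeData && handshakeData.headers) || {};
  var sessionID = parseCookieHeader(headers.cookie)['connect.sid'];
  // Denials pass null as the error: the thread reports 403 for (null, false)
  // and 500 when an error string is passed.
  if (!sessionID || !Object.prototype.hasOwnProperty.call(knownSessions, sessionID)) {
    return callback(null, false);
  }
  handshakeData.sessionID = sessionID;
  callback(null, true);
}

// Model of the status codes reported in this thread, not socket.io's own code.
function handshakeStatus(err, authorized) {
  if (err) return 500;
  return authorized ? 200 : 403;
}

// Run authorize on a constructed handshake and return the modelled status.
function simulate(cookieHeader) {
  var status;
  var headers = cookieHeader ? { cookie: cookieHeader } : {};
  authorize({ headers: headers }, function (err, ok) {
    status = handshakeStatus(err, ok);
  });
  return status;
}
```

Keeping the error argument for genuine server faults means an expired or unknown session is reported as a denial rather than as a server error.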
demian85 commented on Dec 15, 2011
+1
I don't know how to show the client why he was unable to connect!
deakster commented on Apr 26, 2012
This is still the case in 0.9.6. It's not possible to tell the client why the handshake failed (server full? incorrect user/pass? invalid session?).
The only thing the client ever receives is "handshake error".
martinj commented on Jun 11, 2012
+1
Would be nice to be able to pass at least something back to the client.
zheileman commented on Aug 14, 2012
Any chance for this handshake custom error propagating to the client? Thanks.
1stvamp commented on Aug 16, 2012
👍 for this
charliebecker commented on Sep 19, 2012
+1 for this
seqq commented on Nov 26, 2012
one more +1
abrkn commented on Dec 5, 2012
+1
macrauder commented on Dec 12, 2012
+1 for this
2fours commented on Feb 26, 2013
+1 for me too please
asgoth commented on Mar 14, 2013
+1
hongkongkiwi commented on Apr 5, 2013
+1
ghellere commented on Apr 8, 2013
+1
magicalhobo commented on Apr 26, 2013
The documentation appears to be wrong on this, but I've found that it is possible to have custom error messages. You just need to assign them ids so the parser can serialize them efficiently.
Server
Client