Authorization and handshake errors #545

Closed
@bigal488

Using socket.io 0.8.4 from NPM, I'm struggling to get global authorisation working, so it can be handled on the client side. Using modified code from the Wiki, I'm checking for the existence of an Express session cookie and 'unauthorizing' the client if it doesn't exist.

io.configure(function () {
  io.set('authorization', function (handshakeData, callback) {
    if (!handshakeData.headers.cookie) {
      callback('No session cookie', false); // This generates a 500 error in the browser
    } else {
      var cookies = parseCookie(handshakeData.headers.cookie);
      var sessionID = cookies['connect.sid'];
      if (!sessionID) {
        callback('No session', false); // This generates a 500 error in the browser
      } else {
        handshakeData.sessionID = sessionID;
        callback(null, true);
      }
    }
  });
});

My app requires a session cookie (from connect), so if the session cookie isn't present (because, perhaps, it has expired), I want to flag the io.authorization as failed.
The problem seems to be that calling callback(error, false) returns a 500 error to the browser, so it can't be handled client side. Surely this is incorrect as this can't easily be handled by the client?
The example on the Wiki shows using the socket.on('error') event to handle this but that doesn't get triggered.
...or is the example on the Wiki out of date?

I also see that even though authorisation is 'failed', I still see a debug - authorised message in the debug log - which is why I think this might be a bug.
Also the Wiki states that there are 3 possible response codes for a handshake: 401 Unauthorized, 503 Service Unavailable, or 200 OK.
This appears to be incorrect as both 500 and 403 responses are possible.

thomasfr commented on Oct 22, 2011

If you pass null, false to the callback, you will get a 403.
But the error object you get on the client side only shows "handshake unauthorized", so maybe it would be a good addition to add a complete error object with response codes to the client side.
Or even better, a separate event for each of the possible authorization failures: "not authorized", "service unavailable" and for the 200 "OK" we already have the connect event.

What do you think?

demian85 commented on Dec 15, 2011

+1
I don't know how to show the client why he was unable to connect!

deakster commented on Apr 26, 2012

This is still the case in 0.9.6. It's not possible to tell the client why the handshake failed (server full? incorrect user/pass? invalid session?).

The only thing the client ever receives is "handshake error".

martinj commented on Jun 11, 2012

+1
Would be nice to be able to pass at least something back to the client.

zheileman commented on Aug 14, 2012

Any chance for this handshake custom error propagating to the client? Thanks.

1stvamp commented on Aug 16, 2012

👍 for this

charliebecker commented on Sep 19, 2012

+1 for this

seqq commented on Nov 26, 2012

one more +1

abrkn commented on Dec 5, 2012

+1

macrauder commented on Dec 12, 2012

+1 for this

2fours commented on Feb 26, 2013

+1 for me too please

asgoth commented on Mar 14, 2013

+1

hongkongkiwi commented on Apr 5, 2013

+1

ghellere commented on Apr 8, 2013

+1

magicalhobo commented on Apr 26, 2013

The documentation appears to be wrong on this, but I've found that it is possible to have custom error messages. You just need to assign them ids so the parser can serialize them efficiently.

Server

var socketio = require('socket.io');
socketio.parser.reasons['no session'] = 1000;

Client

io.parser.reasons[1000] = 'no session';
var connection = io.connect();
connection.on('error', errorHandler);
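
An added example, not part of the thread and not socket.io's own code: an authorization handler with the signature from the original post that refuses a missing or unknown session with `callback(null, false)` rather than an error string, next to the original pattern. `parseCookieHeader`, `makeAuthorize`, `handshakeStatus` and the session ids are hypothetical, and the status mapping is the one the commenters report above, not taken from the library source.

```javascript
// Stand-in for the post's parseCookie helper, whose source is not on the page.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name || name in out) continue; // first occurrence wins
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    out[name] = value;
  }
  return out;
}

// Hypothetical factory: `sessions` is any object with has(id), standing in
// for a lookup against the real session store. Cookie presence alone is not
// treated as proof of a valid session.
function makeAuthorize(sessions) {
  return function authorize(handshakeData, callback) {
    const headers = (handshakeData && handshakeData.headers) || {};
    const sessionID = parseCookieHeader(headers.cookie)['connect.sid'];
    // Expected denials carry no error argument, so the handshake is refused
    // instead of being reported as a server fault.
    if (!sessionID || !sessions.has(sessionID)) return callback(null, false);
    handshakeData.sessionID = sessionID;
    return callback(null, true);
  };
}

// Pattern from the original post, kept for comparison: denial passed as an error.
function authorizeWithError(handshakeData, callback) {
  if (!handshakeData.headers.cookie) return callback('No session cookie', false);
  return callback(null, true);
}

// Status mapping as reported by the commenters (assumption, not socket.io source).
function handshakeStatus(handler, handshakeData) {
  let status = null;
  handler(handshakeData, (err, ok) => { status = err ? 500 : ok ? 200 : 403; });
  return status;
}

// Constructed sample data.
const sessions = new Set(['abc123']);
const authorize = makeAuthorize(sessions);
console.log(handshakeStatus(authorize, { headers: { cookie: 'x=1; connect.sid=abc123' } }));
console.log(handshakeStatus(authorize, { headers: { cookie: 'connect.sid=forged' } }));
console.log(handshakeStatus(authorize, { headers: {} }));
console.log(handshakeStatus(authorizeWithError, { headers: {} }));
```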
