NodeJS and Socket.IO user authentication - node.js

I was wondering what are the best practices for socket.IO authentication.
Alice emits event 'message' with parameters including Bobs unique identifier etc. Bob receives the message while listening to socket.on('message') event.
How do I prevent unauthenticated users from ever connecting to the server using Socket.IO and how do I emit event to only specific user?
Thank you very much in advance for all suggestions and answers.
Peter

Socket.IO allows you to set up authentication for new sessions. You could do this with cookies or using JSON web tokens for example. The authentication mechanism did change from 0.9 to 1.0, so just be aware of that when googling.
As far as encryption goes, as long as you're using https you should be fine. Trying to implement your own encryption scheme instead of using https is more risky and more work anyway.

Related

Socket.io authentication with JWT

Recently I started learning socket.io at work and I got the general concept of emitting events and listening to events. Currently I'm building a simple chat app with Node.js, Express and Socket.io and I want to add authentication to my app, so that on page refresh, the data is saved and the connection is retained.
I read a lot about token-based authentication vs cookie based authentication and I understood that in most cases it's better to use token based authentication strategy.
I found a lot of npm packages regarding this topic that help authenticate requests but I can't find one simple way of implementation for simple authentication.
My question is: What is the best/correct way of implementing authentication with sockets?
If you guys could help me with this issue, I'd really appreciate it.
When the client connects to the server, make it a requirement to send an 'authentication' event to the server with the token, if the user doesn't send this event within 5 seconds then disconnect them, if the token is invalid then disconnect them, only allow them to stay connected if they have a valid access token.
Also ensure they send this token up each time they make a request to the server & validate it, not 100% necessary because they wouldn't have been able to connect in the first place without a valid token but it wouldn't hurt.

Node js Cross-domain session

Here I will describe the requirement for my project.
Basically I want to build a chat application which I can embed to different websites for example , site build using wordpress, magento, drupal, custom frameworks ... etc . What I actually need is to embed JavaScript for handling socket chat using (socket.io) on some of the website(wordpress, magento, drupal ....), so what I finally have is a set of javascript code (client side), and a server running in nodejs (with socket.io)
The problem I faced is to manage session for registered users after login. Since my code is embedded on different websites and the node server resides on other server , On each page refresh I faced difficult to validate user session session. Could you please help me how I can manage session in a best way for this application.
If you feel difficulty to understand my need , I can explain in detail with examples
Thanking You
If I understand your problem, you just need to handle user sessions? More specifically on the client side?
Based on the information you give, I will just assume you either return a unique string representing the session on the server to the client. The format of this can either be a cookie, a normal string/token, etc.
For cookies, you shouldn't have much problems, since the browser deals with this. Although you might need to set it up correctly on the server.
For tokens/strings that needs to be returned to the server for each request requiring authentication, you should store it in the session-storage/local storage of the browser, depending on your need. Then you should embed it in every requests back to the server and authenticate it.

Cross Domain communication security from APP to PHP server

I have written an app with Phonegap which can be used by multible users. The app itself have to communicate with the same server.
So there are many users connection to the same server, however there is a problem, the security between the clients and the server, is atm "plain text".
I believe its called Cross-Origin Resource Sharing (CORS).
I am not sure how to make the connection between all those clients and the server secure.
What i want to achieve is
Make the data encrypted, so that no one can easily sniff the data.
My idea so far is
Use ex. sha1/md5 or a selfwritten encryption algoritm, with some SALT added and maybe an extra key. Implement that encryption algoritm on both the clients and the server, and encrypt/decrypt on the fly.
I have already added a PHP line to get it to work, but that dosent make it secure:
header('Access-Control-Allow-Origin: *');
I would like some advise on my thoughts, would my idea work, or is something else required?
thanks in advance.
Don't reinvent the wheel :) Simply use HTTPS to encrypt all your HTTP data.

Architecture of a secure client-server phonegap app

I am thinking about the architecture of a phonegap game app which, as lots of ditributed game app, will act as a client of a server. It will need username-password authentification. I plan to use AJAX to communicate with my server. However, I have a couple of questions concerning security. Here they are:
How can I make sure the request is made from my game and not by anyone else ? For example, how to avoid that somebody can send a POST request to the script on the server called by my game ?
How can I secure data transfer ? Is data transfer using a https (SSL) url sufficient ?
What is the best idea to implement user authentication ? Generate a token to use in communication ? Something else ?
Thank you !
1) How can I make sure the request is made from my game and not by anyone else ? For example, how to avoid that somebody can send a POST
request to the script on the server called by my game ?
Unfortunately, you can't. Because you have no control over the client code once it leaves your hands, there is no way to ensure that no one else is making requests using the login credentials of your users (assuming there are some). You can ensure that certain users are accessing your server by requiring them to authenticate. As long as they don't compromise their credentials then you can be sure. If authentication is not an option, see this question for some ideas about making it harder (but not impossible) for someone to imitate your client.
2) How can I secure data transfer ? Is data transfer using a https (SSL) url sufficient ?
Yes. Use HTTPS/SSL/TLS. This provides both confidentiality and integrity through encryption.
3) What is the best idea to implement user authentication ? Generate a token to use in communication ? Something else ?
A token is a good choice. See this question for some information about token implementation. This is for a RESTful service but basic approach is the same.

Password hashing when registering a user

I know there are similar questions but I couldn't find something that answered my question.
When a new user registers (client - server) is there a common way of protecting these details when they are sent?
At the moment I am just concatenating the username-password-timestamp then sending as Base64 to the server over https.
The common and best way is https. Https already establishes a secure channel between the client and the server. You don't need anything more.
Please excuse me for the short answer. However if you really want the long answer then take a look at:
How to send password securely via HTTP using Javascript in absence of HTTPS?

Resources