node.js 保护 Socket.io
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14600472/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Securing Socket.io
提问by Golo Roden
I am using a Node.js based https server that authenticates using HTTP Basic (which is fine as the data are sent over the SSL encrypted connection).
我正在使用基于 Node.js 的 https 服务器,该服务器使用 HTTP Basic 进行身份验证(这很好,因为数据是通过 SSL 加密连接发送的)。
Now I want to provide a Socket.io connection which should be
现在我想提供一个 Socket.io 连接,它应该是
- encrypted and
- for authenticated users only.
- 加密和
- 仅适用于经过身份验证的用户。
The question is how to do this. I already found out that I need to specify { secure: true }in the client JavaScript code when connecting to the socket, but how do I force on the server-side that socket connections can only be run over SSL, and that it works only for authenticated users?
问题是如何做到这一点。我已经发现{ secure: true }连接到套接字时需要在客户端 JavaScript 代码中指定,但是如何在服务器端强制套接字连接只能通过 SSL 运行,并且它仅适用于经过身份验证的用户?
I guess that the SSL thing is the easy part, as the Socket.io server is bound to the https server only, so it should run using SSL only, and there should be no possibility to run it over an (additionally) running http server, right?
我想 SSL 的事情是简单的部分,因为 Socket.io 服务器只绑定到 https 服务器,所以它应该只使用 SSL 运行,并且应该不可能在(另外)运行的 http 服务器上运行它, 对?
Regarding the other thing I have not the slightest idea of how to ensure that socket connections can only be established once the user successfully authenticated using HTTP Basic.
关于另一件事,我对如何确保只有在用户使用 HTTP Basic 成功通过身份验证后才能建立套接字连接一无所知。
Any ideas?
有任何想法吗?
采纳答案by Golo Roden
Although the answer by Linus is basically right, I now solved it in a more easy way using the session.socket.io- which basically does the same thing, but with way less custom-code to write.
尽管 Linus 的答案基本上是正确的,但我现在使用session.socket.io以更简单的方式解决了它——它基本上做同样的事情,但编写的自定义代码更少。
回答by Linus Gustav Larsson Thiel
Edit:Of course OP is right in their other answer; what's more, with socket.io >1.0 you might use socket.io-express-session.
编辑:当然 OP 在他们的其他答案中是正确的;更重要的是,如果 socket.io >1.0,你可能会使用socket.io-express-session。
Original answer:
原答案:
Socket.io supports authorization via the io.set('authorization', callback)mechanism. See the relevant documentation: Authorizing. Here's a simple example (this authenticates using a cookie-based session, and a connect/express session store -- if you need something else, you just implement another 'authorization' handler):
Socket.io 通过io.set('authorization', callback)机制支持授权。请参阅相关文档:授权。这是一个简单的示例(使用基于 cookie 的会话和连接/快速会话存储进行身份验证——如果您需要其他东西,您只需实现另一个“授权”处理程序):
var utils = require('connect').utils;
// Set up a session store of some kind
var sessionId = 'some id';
var sessionStore = new MemoryStore();
// Make express app use the session store
app.use(express.session({store: sessionStore, key: sessionId});
io.configure(function () {
io.set('authorization', function (handshakeData, callback) {
var cookie = utils.parseCookie(handshakeData.headers.cookie);
if(!(sessionId in cookie)) {
return callback(null, false);
}
sessionStore.get(cookie[sessionId], function (err, session) {
if(err) {
return callback(err);
}
if(!('user' in session)) {
return callback(null, false);
}
// This is an authenticated user!
// Store the session on handshakeData, it will be available in connection handler
handshakeData.session = session;
callback(null, true);
});
});
});
回答by Danielle
Setting the socket to be secured is done by:
- setting the secure flag - as you wrote ({secure: true})
- OR by using https protocol when creating the server (instead of http) - which will set the secure flag to be true automatically
Good lib that simplify the authentication process is: https://github.com/auth0/socketio-jwt
设置要保护的套接字是通过以下方式完成的:
- 设置安全标志 - 如您所写({secure: true})
- 或者在创建服务器时使用 https 协议(而不是 http) - 这将自动将安全标志设置为 true
简化认证过程的好库是:https: //github.com/auth0/socketio-jwt
