Not possible to reject Socket on authorization/authentication


Hello Fellows,

we have a problem with rejecting the socket in case the authorization/authentication validation fails. Our approach checks the cookie header in the socket.handshake.headers object in order to validate the session. If the session is not valid, we invoke the next function with an error object to reject the connection. But this does not work. The next function with the Error object is invoked, but the WebSocket connection is still established.

Here is the code:

var cookie = require('cookie');
var cookieParser = require('cookie-parser');
// `store` is the app's express-session store and `signKey` its cookie secret;
// both are defined elsewhere in the application.

io.use(function (socket, next){
  if(socket.handshake.headers.cookie){
    socket.cookie = cookie.parse(socket.handshake.headers.cookie);
    // declared locally; the original leaked sessionID as an implicit global
    var sessionID = cookieParser.signedCookie(socket.cookie['connect.sid'], signKey);
    store.get(sessionID, function(err, session){
      if(err){
        return next(new Error("Error"));
      }
      else if( typeof session === "undefined"){
        return next(new Error("invalid session"));
      }
      else if( session.hasOwnProperty("username")){
        return next();
      }
      next(new Error("invalid session"));
    });
  } else {
    // no cookie header at all: the original never called next() here, so the
    // handshake would hang instead of being rejected
    next(new Error("invalid session"));
  }
});

Even though there is no valid session, the Google Developer Tools display that a WebSocket connection was successfully established.

[screenshot 2014-08-15 11:55:46]

The developer tools also show us the error message indicating that the next function with the error object was invoked. Even though this error message is shown, the WebSocket connection is still established.

[screenshot 2014-08-15 11:56:56]

Issue Analytics

  • State: closed
  • Created 9 years ago
  • Comments: 8

Top GitHub Comments

2 reactions
peteruithoven commented, Aug 20, 2014

With a small tweak the socket.disconnect could receive a custom reason… Current implementation:

Socket.prototype.disconnect = function(close){
  if (!this.connected) return this;
  if (close) {
    this.client.disconnect();
  } else {
    this.packet({ type: parser.DISCONNECT });
    this.onclose('server namespace disconnect');
  }
  return this;
};

Small tweak:

Socket.prototype.disconnect = function(close,reason){
  if (!this.connected) return this;
  if (close) {
    this.client.disconnect();
  } else {
    this.packet({ type: parser.DISCONNECT });
    this.onclose(reason || 'server namespace disconnect');
  }
  return this;
};

0 reactions
svmn commented, Apr 6, 2020

Any updates on this? For me, it seems insecure that an unauthorized client remains connected to the server.
