Socket.io JWT decoder

Authenticate socket.io incoming connections with JWTs. This is useful if you are build a single page application and you are not using cookies as explained in this blog post: Cookies vs Tokens. Getting auth right with Angular.JS.

• Socket.io JWT decoder just works for Socket.IO >= 1.0. *

Installation

npm install socketio-jwt-decoder

Example usage

The previous approach uses a second roundtrip to send the jwt, there is a way you can authenticate on the handshake by sending the JWT as a query string, the caveat is that intermediary HTTP servers can log the url.

var io            = require("socket.io")(server);
var socketioJwt   = require("socketio-jwt-decoder");
 
 
io.use(socketioJwt.authorize({
  secret: 'your secret or public key',
  otherOption: someValue // you can pass other arguments to jsonwebtoken
}));
 
 
io.on('connection', function (socket) {
 
  if (socket.decoded_token) { // authentication successful
    console.log('hello!', socket.handshake.decoded_token.name);
  }
 
})

For more validation options see auth0/jsonwebtoken.

Client side:

Append the jwt token using query string:

var socket = io.connect('http://localhost:9000', {
  'query': 'token=' + your_jwt
});

Handling token expiration

Server side:

When you sign the token with an expiration time:

var token = jwt.sign(user_profile, jwt_secret, {expiresInMinutes: 60});

Your client-side code should handle it as below.

Client side:

socket.on("error", function(error) {
  if (error.type == "UnauthorizedError" || error.code == "invalid_token") {
    // redirect user to login page perhaps?
    console.log("User's token has expired");
  }
});

Contribute

You are always welcome to open an issue or provide a pull-request!

Also check out the unit tests:

npm test

License

Licensed under the MIT-License. 2015 Juan Jesús García López