Reputation: 1300
I need to protect services exported by the Feathers database adapter with token authentication. We did this for REST with:
// express-jwt middleware: verifies the bearer JWT against the Auth0 client
// secret (stored base64-encoded) and requires our client id as the audience
var jwt = require('express-jwt');
var authenticate = jwt({
  secret: new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
  audience: process.env.AUTH0_CLIENT_ID
});
To prevent unauthenticated clients from accessing REST services, we do:
app.use('/api', authenticate);
Access to websockets should be locked down as well. I found some examples. The following should theoretically enable authentication for socket.io.
var feathers = require('feathers');
var socketioJwt = require('socketio-jwt');

app.configure(feathers.socketio(function(io) {
  // socketio-jwt without handshake mode: every socket is allowed to connect
  // first and then has `timeout` ms to emit an 'authenticate' message with the token
  io.on('connection', socketioJwt.authorize({
    secret: new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
    audience: process.env.AUTH0_CLIENT_ID,
    timeout: 5000 // 5 seconds to send the authentication message
  })).on('authenticated', function(socket) {
    // only sockets that presented a valid token reach this handler
    // console.log('token: ' + socket.decoded_token.name);
    socket.emit('news', { hello: 'world' });
    socket.on('my other event', function (data) {
      console.log(data);
    });
  });
}));
This is not happening, however. The client socket.io requests do not carry the token, yet the server has no problem taking care of them.
Where do I start looking?
Upvotes: 4
Views: 1000
Reputation: 111
The best way to force authentication is to use feathers-hooks. We also have a guide on how you can do authentication and authorization.
Our docs are a little confusing at the moment so it's easy to miss, but we'll be fixing that soon!
Upvotes: 1
Reputation: 1300
I might have found the problem. When I use the snippet below (before io.on()) to lock socket.io down, it seems to work.
// socketio-jwt handshake mode: the token is checked as socket.io middleware,
// so a client without a valid token is refused before 'connection' ever fires
io.use(socketioJwt.authorize({
  secret: new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
  audience: process.env.AUTH0_CLIENT_ID,
  handshake: true
}));
Now, I need to figure out how to make the client and server play nicely.
Upvotes: 0