Feathers / Socket.io authentication

Question

I have a working Feathers application that has lots of service authentication hooks, but very few socket.io filters.

It's unclear to me whether access to the socket.io endpoint requires users to be authenticated and how service hooks affect them.

So first, are socket.io connections only allowed for authenticated users? If not, is there a way I can implement this restriction?

Second, I suppose data emitted through socket.io would be the hook.result from service methods after all post-hooks have executed. So hooks.remove('password') would prevent password fields from leaking via socket.io. Is this assumption correct?

Third, I suppose events are sent to all connected users. That's why I need to specify filters that restrict which events are sent to which users. Is there a way to do such filtering at pre-hook level in order to avoid duplicating HTTP access control code at the socket.io level?

Answer 1

Feathers service hooks are transport agnostic. The authentication hooks will work no matter if accessed via REST HTTP or websockets. If possible authentication should be handled through the client but can also be done through sockets directly.

During authentication the user object will be attached to the socket. This is what is available in the connection (connection.user) in a filter.

The remove hook is a somewhat special case though because it does not run for internal access so it makes sense to additionally create a filter that also sanitizes your data (always removes the fields). Some work for providing hooks and filters has been done in feathers-hooks-common and the next version will have a more unified way of handling hooks and filters at the same time.