Authenticate socket.io incoming connections with JWTs.
📜 About

Authenticate socket.io incoming connections with JWTs.

Compatible with socket.io >= 3.0.0.

This repository was originally forked from auth0-socketio-jwt; it does not claim credit for the original work, only to improve the code from here on.

💾 Install

Note: this package is meant to be installed on both the client and the server side.

```sh
npm install --save @thream/socketio-jwt
```

⚙️ Usage

Server side

```ts
import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'

const io = new Server(9000)

io.use(
  authorize({
    secret: 'your secret or public key'
  })
)

io.on('connection', async (socket) => {
  // decoded JWT of the client that just connected
  console.log(socket.decodedToken)

  const clients = await io.sockets.allSockets()
  if (clients != null) {
    for (const clientId of clients) {
      const client = io.sockets.sockets.get(clientId)
      client?.emit('messages', { message: 'Success!' })
      // every authorized socket carries its own decoded JWT
      console.log(client?.decodedToken)
    }
  }
})
```

Server side with jwks-rsa (example)

```ts
import jwksClient from 'jwks-rsa'
import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'

const client = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
})

const io = new Server(9000)

io.use(
  authorize({
    // secret may be a function: look the public key up by the token's key id (kid)
    secret: async (decodedToken) => {
      const key = await client.getSigningKeyAsync(decodedToken.header.kid)
      return key.getPublicKey()
    }
  })
)

io.on('connection', async (socket) => {
  console.log(socket.decodedToken)
})
```

Server side with onAuthentication (example)

```ts
import { Server } from 'socket.io'
import { authorize } from '@thream/socketio-jwt'

const io = new Server(9000)

io.use(
  authorize({
    secret: 'your secret or public key',
    onAuthentication: async (decodedToken) => {
      // called after the token is authenticated;
      // return the value you want stored on socket.user
    }
  })
)

io.on('connection', async (socket) => {
  console.log(socket.decodedToken)
  // value returned by onAuthentication
  console.log(socket.user)
})
```

authorize options

- `secret` is a string containing the secret for HMAC algorithms, or a function that should fetch the secret or public key, as shown in the example with `jwks-rsa`.
- `algorithms` (default: `HS256`)
- `onAuthentication` is a function that will be called with the `decodedToken` as a parameter after the token is authenticated. Return a value to add to the `user` property in the socket object.

Client side

```ts
import { io } from 'socket.io-client'
import { isUnauthorizedError } from '@thream/socketio-jwt'

const socket = io('http://localhost:9000', {
  auth: {
    token: `Bearer ${yourJWT}`
  }
})

socket.on('connect_error', (error) => {
  if (isUnauthorizedError(error)) {
    console.log('User token has expired')
  }
})

socket.on('messages', (data) => {
  console.log(data)
})
```

💡 Contributing

Anyone can help improve the project: submit a feature request, a bug report, or even a fix for a simple spelling mistake.

The steps to contribute can be found in the CONTRIBUTING.md file.

📄 License

MIT