Ability to do custom auth on primus connection about primus HOT 9 CLOSED

Hooking in authorization would be more challenging then initially thought. The only framework that provides decent authorization is socket.io. It has a special function that we can leverage for that. All other frameworks have no additional hooks for this. I've added a special authorization hook in Engine.IO but it got rejected. So the only decent way to do validation would be to validate every single incoming request or figure out each handshake URL pattern and only run a validator against that.

from primus.

@3rd-Eden Hmm ok, I get what you mean. There would essentially need to be a custom hook for each transformer for the way it connects. Doing this cleanly will be interesting ;). I'll get myself more versed with the code and see if I can be of any assistance.

from primus.

What about validating the actual http request that gets the primus.js file, there could be a middleware (hook) that can do the authorization/authentication beforehand?

from primus.

@cayasso I'm assuming that not everybody will serving the primus.js from the server but upload it a content delivery network etc.

from primus.

Interesting. I'm currently working on simple implementation that upon a connection event sends a request to a web server for authentication and then emits an authenticated event to the client. I would rather rely on the open event instead after a successful hook though :) is it possible to keep a websocket on a pending state while this hook is being processed?

from primus.

@ruimarinho I guess can just halt the response when a upgrade event comes in so it's not passed in to the real-time systems.

from primus.

Would that be something to consider? I don't have enough experience with websockets to know if that is an appropriate solution or not. In theory, it looks more correct than accepting the connection and then closing it in response to a failed authentication request.

from primus.

For those who are interested, i've started a basic-auth branch which introduces a authorize function that will be called on every incoming request.

Feel free to follow the progress here; https://github.com/3rd-Eden/primus/compare/basic-auth it currently completely kills the client when the request is unauthorized.

from primus.

Fixed in master

from primus.