Authentication for wss about iron-session HOT 4 CLOSED

Here's how I did it! First off, thanks so much to @vvo for making a low level library so that we can parse the cookie data.

import ironStore from "iron-store";

...

 onConnect: async (cnxnParams, webSocket, cnxnContext) => {
      // name of the cookie you used for ironSession
      let { userAuth } = cookie.parse(
        webSocket.upgradeReq.headers.cookie || ""
      );
      const store = await ironStore({
        // same password from your ironSession
        password: process.env.SECRET_COOKIE_PASSWORD as string,
        sealed: userAuth,
      });
      // get the data the same way you are used to
      const user = store.get("user");

      return {
        user,
      };
    },

Essentially, i send cookies with the websocket upgrade request. When the websocket starts a connection, I can parse out the cookie and manually initialize it.

from iron-session.

Here's how I did it! First off, thanks so much to @vvo for making a low level library so that we can parse the cookie data.

import ironStore from "iron-store";

...

 onConnect: async (cnxnParams, webSocket, cnxnContext) => {
      // name of the cookie you used for ironSession
      let { userAuth } = cookie.parse(
        webSocket.upgradeReq.headers.cookie || ""
      );
      const store = await ironStore({
        // same password from your ironSession
        password: process.env.SECRET_COOKIE_PASSWORD as string,
        sealed: userAuth,
      });
      // get the data the same way you are used to
      const user = store.get("user");

      return {
        user,
      };
    },

Essentially, i send cookies with the websocket upgrade request. When the websocket starts a connection, I can parse out the cookie and manually initialize it.

I'm getting an error when I try it with iron-store. I have checked if the cookie is there and indeed thats the case. But somehow my store is throwing an error.

Error: Bad hmac value at Object.exports.unseal (/workspace/api/node_modules/@hapi/iron/lib/index.js:311:15)

I am using the same password like in the ironSession and passing the cookie value as sealed.
Has someone experienced the same and may know a solution for this?

EDIT: I have just found the unsealData(seal, options) function in the new rewrite which has resolved the session with the underlying data.

import { unsealData } from 'iron-session';

...

 onConnect: async (cnxnParams, webSocket, cnxnContext) => {
      // name of the cookie you used for ironSession
      let { userAuth } = cookie.parse(
        webSocket.upgradeReq.headers.cookie || ""
      );
      // first pass the sealed cookie and the options you have provided to your `ironSession`
      const unsealed = await unsealData(userAuth, {
        // same password from your ironSession
        password: process.env.SECRET_COOKIE_PASSWORD as string,
        // you can take a look on the IronSessionOptions interface for more (cookieOptions, ttl, cookieName)
      });
      // unselead is an object and data can be accessed like that
      const user = unsealed.user;

      return {
        user,
      };
    },

from iron-session.

I did not reply but truth to be told: I have no idea how to handle cookie auth in a websocket.

Maybe those pages can help: https://coletiv.com/blog/using-websockets-with-cookie-based-authentication/.

from iron-session.

@zackify Would you be so kind and add a small section to the README on how to authenticate other parts of your application using iron-store? Thanks! Actually, any token generated by next-iron-session can be decoded with https://github.com/hapijs/iron (and its ports: https://github.com/hapijs/iron/issues?q=label%3Aport+is%3Aclosed+sort%3Aupdated-desc)

from iron-session.