I have a Rails app and a NodeJS service on the same box. After the user logs into the app, it pushes data to the browser with SockJS. However, the SockJS / web socket connection does not enforce authentication, so anyone with the URL can connect and receive data. This is very bad.
SockJS / web sockets do not have headers / cookies. So here is how I ended up authenticating the SockJS connection:
- Client logs into web app
- On connection, Node decrypts the token and gets the session id. It then checks if the session id is valid.
- After the session id is verified, Node registers a callback for the on message event for this connection, effectively ignoring any messages from clients that are not authenticated.
- Node sends a confirmation to the client, and the client can start sending messages