Securing websocket / SockJS connection

I have a Rails app and a NodeJS service on the same box. After the user logs into the app, the NodeJS service pushes data to the browser with SockJS. However, the SockJS / web socket connection does not enforce authentication, so anyone with the URL can connect and receive data. This is very bad.

SockJS / web sockets do not give you headers / cookies. So here is how I ended up authenticating the SockJS connection:

  1. The client logs into the web app.
  2. JavaScript sends a request for a token. The token is the session id encrypted with a shared secret known to both the Rails app and NodeJS. The session information / token is stored somewhere accessible by both Rails and Node.
  3. When JavaScript opens the SockJS connection, the token is included as a query parameter.
  4. On connection, Node decrypts the token and gets the session id. It then checks whether the session id is valid.
  5. Only after the session id is verified does Node register a callback for the on-message event for this connection, effectively ignoring any messages from clients that are not authenticated.
  6. Node sends a confirmation to the client, and the client can start sending messages.
