I like the authorization mechanism (https://github.com/LearnBoost/socket.io/wiki/Authorizing). However, it is not possible to associate the authorization handshake with the socket that results. This makes it hard for me to - for example - limit the number of sockets a particular user can have open. I could add some communication over the socket once it's established, but that adds latency and complexity that I really don't want.
The reason that this is difficult is that the socket ID that is ultimately assigned has no relationship with the original handshake. What I really want to do is have a way to override the ID generator with my own, so that I have control over the ID and can pass information produced by the authorization method through. Here's what I have:
When the handshake is authorized, the handshake output is passed to the ID generator:
this.authorize(handshakeData, function (err, authorized, newData) {
if (err) return error(err);
if (authorized) {
- var id = self.generateId()
+ var id = self.generateId(newData || handshakeData)
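Review bot: the `newData || handshakeData` fallback on the `+` line relies on `this.authorize` actually delivering a third argument, and nothing in this hunk shows `Manager.prototype.authorize` forwarding one from the user's authorization function, so as posted `newData` is always undefined and the generator only ever sees `handshakeData`. Either include the `authorize` change in the same patch or drop the `newData ||` part until it exists. Also worth a comment at this call site: `handshakeData` carries client-controlled fields (headers, query string), so a custom generator must not derive the ID deterministically from them, or the ID becomes guessable and the point of the hook is lost.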
Furthermore, allow the using code to overwrite the id generation code.
Manager.prototype.generateId = function (data) {
+ if (this.get('id generator')) {
+ return this.get('id generator').call(this, data);
+ }
return Math.abs(Math.random() * Math.random() * Date.now() | 0).toString()
+ Math.abs(Math.random() * Math.random() * Date.now() | 0).toString();
};
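Review bot: the new `if (this.get('id generator'))` branch returns whatever the hook gives back with no check, so a hook that returns `undefined`, an empty string or a non-string ends up as the socket ID; consider falling through to the default when the hook returns a falsy value (`var id = this.get('id generator').call(this, data); if (id) return id;`) and documenting that the hook must return a unique, unguessable string. The unchanged default below the branch is still the `Math.random()`-based one the post calls guessable, so anyone who does not set `'id generator'` gets no improvement; replacing it with `require('crypto').randomBytes(16).toString('hex')` would fix that in the same change.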
Other concerns that I've discovered:
- The default generateId isn't secure. That is, it's guessable, which allows other clients to end-run the authorization in the handshake. A more secure ID generation method would include a secure random number generator with sufficient entropy. That's another reason that I want to hook into this.
- I think that there is a bug with the authorization method whereby the handshake authorization method is expected to call back with a third 'newData' argument, but the authorize method provides no means to pass this information back. Modifying the Manager.authorize to pass this information on would be necessary.
Now, I can't test this right now because I can't run tests on windows. But that's another problem altogether.
Regards,
Martin