15

I'm setting up a Node.js server to communicate with WebSockets to my web app. I was planning on using JSON Web Tokens to limit access to only users who have already authenticated with our webapp. While researching, I am having trouble finding a WebSocket package for Node.js that supports client-side setting of the Authorization header and using that on the initial connection call?

I regularly see recommendations to pass the token via query param, which could be less secure than passing the token via the Authorization header. Am I missing something? Are there any good, well-maintained WebSocket libraries that allow setting the Authorization header client-side so that I can prevent unwanted connections to the server?

Thelonias
  • 2,918
  • 3
  • 29
  • 63
  • 1
    I'm trying to work out the same thing. As far as I can tell the browser takes care of all headers and doesn't offer a way to change them. I'm trying to add a token to the querystring on the connection URL, but I struggling to get that information at the server end (node.js with the ws library). I don't think a query param is any less secure. How are you doing it? – Rog Aug 01 '15 at 16:21
  • I worked that bit out. With a ?jwt=blah querystring... var token = url.parse(ws.upgradeReq.url, true).query.jwt; – Rog Aug 01 '15 at 17:15
  • but that would expose the jwt right? – Saravanabalagi Ramachandran Feb 25 '17 at 11:21

1 Answers1

15

Browser-based WebSocket API does not make it possible to specify HTTP headers. On the other hand, the query param approach works and is not that bad (when used over HTTPS), so it's often used instead.

Although there are WebSocket implementations for Node.js that make it possible to specify HTTP headers, this only works when running the client in Node.js. It doesn't work when running in a browser.

Einaros' ws is one such example. Passing a JWT token via Authorization header is simple when running in Node.js:

var WebSocket = require("ws");

' does not work in browsers
var token = "Replace_this_with_your_JWT_token";
var options = {
    headers: {
        "Authorization" : "JWT " + token
    }
};

var ws = new WebSocket("wss://example.com/path", options);
...

But when used from Browserify, requiring ws simply returns the ordinary browser-based WebSocket API that is unable of passing custom headers. And unless web browsers add support for passing headers, passing via the query param is the way to go.

Community
  • 1
  • 1
Lukas Pokorny
  • 1,449
  • 12
  • 12