I have a Socket.IO server, but everyone can use it at the moment. How can I prevent that? I want to use the server (as an API) with my own iOS app and nothing else. What is the best way to do this?
I was thinking about this:
Connect to the Socket.IO server and set the status (in the user array) to auth false;
Send a message as that user with a token; when the token is correct, set the auth status to true;
So I have a token on my server, for example 123, and I send a token with my app which is also 123. I check 123 == 123 and let the user in. But when I need to change the tokens because someone leaked it, I have a big problem, because it is static in the app.
Note that my users don't have an account or something like that. It is just the app and the server.
What is the best approach for this? In an earlier (PHP) project I made something with a secret and public key, which is solid in my opinion. Is something like that also possible?
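The flow proposed in the question (connect unauthenticated, then send a token), as an added example that is not part of the original post. `tokenMatches`, `gateConnection` and `FakeSocket` are hypothetical names, `FakeSocket` stands in for a Socket.IO socket so the code runs without the library, and `'123'` is the post's sample token.

```javascript
const crypto = require('crypto');
const { EventEmitter } = require('events');

const SERVER_TOKEN = '123'; // sample token from the post; a real one would be long and random

// Constant-time check; hashing first gives timingSafeEqual equal-length buffers.
function tokenMatches(candidate, expected = SERVER_TOKEN) {
  if (typeof candidate !== 'string') return false;
  const digest = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(digest(candidate), digest(expected));
}

// Hypothetical helper: every connection starts with auth=false, and application
// events are dropped until a correct 'auth' message arrives.
function gateConnection(socket, handlers, timeoutMs = 5000) {
  const state = { auth: false };
  // Drop connections that never authenticate.
  const timer = setTimeout(() => socket.disconnect(true), timeoutMs);
  socket.on('auth', (token) => {
    clearTimeout(timer);
    if (tokenMatches(token)) state.auth = true;
    else socket.disconnect(true);
  });
  for (const [event, handler] of Object.entries(handlers)) {
    socket.on(event, (...args) => { if (state.auth) handler(...args); });
  }
  return state;
}

// Stand-in for a Socket.IO socket (assumption) so the example runs offline.
class FakeSocket extends EventEmitter {
  constructor() { super(); this.connected = true; }
  disconnect() { this.connected = false; }
}

// Constructed clients: one sends the right token, one a wrong one.
function demo() {
  const received = [];
  const run = (token) => {
    const s = new FakeSocket();
    gateConnection(s, { message: (m) => received.push(m) });
    s.emit('message', 'before-auth'); // dropped: not authenticated yet
    s.emit('auth', token);
    if (s.connected) s.emit('message', 'after-auth');
    return s.connected;
  };
  return { good: run('123'), bad: run('124'), received };
}

console.log(demo());
```

The gate controls which connections may send application events; it does not change the concern raised in the post that a token shipped inside the app is static.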