Authorization and handshake errors

[bigal488]

Using socket.io 0.8.4 from NPM, I'm struggling to get global authorisation working, so it can be handled on the client side. Using modified code from the Wiki, I'm checking for the existence of an Express session cookie and 'unauthorizing' the client if it doesn't exist.

io.configure(function (){
  io.set('authorization', function (handshakeData, callback) {
      if(!handshakeData.headers.cookie){
        callback('No session cookie', false); //This generates a 500 error in the browser
      }else{
          var cookies = parseCookie(handshakeData.headers.cookie);
          var sessionID = cookies['connect.sid'];
          if (!sessionID) {
             callback('No session', false); //This generates a 500 error in the browser
          } else {
            handshakeData.sessionID = sessionID;
            callback(null, true)
          }
    }
  });

my app requires a session cookie (from connect), so if the session cookie isn't present (because, perhaps, it has expired), I want to flag the io.authorization as failed.
The problem seems to be that calling callback(error, false) returns a 500 error to the browser, so it can't be handled client side. Surely this is incorrect as this can't easily be handled by the client?
The example on the Wiki shows using the socket.on('error') event to handle this but that doesn't get triggered.
..or is the example on the Wiki out of date?

I also see that even though authorisation is 'failed', I still see a debug - authorised message in the debug log - which is why I think this might be a bug.
Also the Wiki states that there are 3 possible response codes for a handshake: 401 Unauthorized, 503 Service Unavailable, or 200 OK.
This appears to be incorrect as both 500 and 403 responses are possible.

[thomasfr]

If you pass null, false to the callback, you will get a 403.
But the error object you get on the client side only shows "handshake unauthorized", so maybe it would be a good addition to add a complete error object with response codes to the client side.
Or even better a seperate event for each of the possible authorization failures: "not authorized", "service unavailable" and for the 200 "OK" we already have the connect event.

What do you think?

[demian85]

+1
I don't know how to show the client why he was unable to connect!

[deakster]

This is still the case in 0.9.6. It's not possible to tell the client why the handshake failed (server full? incorrect user/pass? invalid session?).

The only thing the client ever receives is "handshake error".

[martinj]

+1
Would be nice to be able to pass at least something back to the client.

[zheileman]

Any chance for this handshake custom error propagating to the client? Thanks.

[1stvamp]

👍 for this

[charliebecker]

+1 for this

[seqq]

one more +1

[abrkn]

+1

[macrauder]

+1 for this

[2fours]

+1 for me too please

[asgoth]

+1

[hongkongkiwi]

+1

[ghellere]

+1

[magicalhobo]

The documentation appears to be wrong on this, but I've found that it is possible to have custom error messages. You just need to assign them ids so the parser can serialize them efficiently.

Server

var socketio = require('socket.io');
socketio.parser.reasons['no session'] = 1000;

Client

io.parser.reasons[1000] = 'no session';
var connection = io.connect();
connection.on('error', errorHandler);

[jmevel]

+1
I have the same problem, I totally don't understand this bug. We tested many time the same code on 4 PCs, this bug appears on 2.
Last night I had this problem, I solved it by entering in nav bar error that chrome send me "http://localhost:8080/socket.io/1/?t=1371060436955".
After a sample message "handshake error", the second time message was "ZQdSXpQUYqGUVkreFybT:60:60:websocket,htmlfile,xhr-polling,jsonp-polling" and in console: " handshake authorized ZQdSXpQUYqGUVkreFybT" solved it for the night. But today, no way to fix it, nothing has change in my code.

I want to kill myself

[jmevel]

Ok guys it's been 2 years since this bug has been noted. I found the solution (for my case).

In my client side I had var "socket = io.connect('http://localhost:8080');" and it's works only if you put localhost:8080 in your browser. I changed it by "var socket = io.connect('http://127.0.0.1:8080');" and now it works with localhost:8080 and 127.0.0.1:8080 in your browser.

It's clearly a bug, why socket.io should accept address mapping just in one way? localhost is localhost and is the same as 127.0.0.1

I hope I'll help some people, because it took us many days to find it.

[voidcontext]

+1 for provide more detailed (handshake) errors for js client.

[CaptainNic]

koenigsbier's comment was the most helpful. having "http://localhost:8000" was producing handshake errors when I ran off my VPS. However, when using "http://127.0.0.1:8000" or my "IPAddress:8000" there is no handshake issue.

I would like to see this fixed or at least noted in some documentation.