Passing token on websocket connection not as query param

francesco.pessina · September 29, 2021, 8:57am

Hello everyone
We are experiencing a weird problem with Phoenix Websockets.

We are exposing an authenticated channel. The authentication is made getting the token from the token parameter given during the connection, and then if the token is valid the connection is established.

The problem is that the token is passed as query param in the url of the connection (for example …/socket/websocket?token=…).
For us this is a problem because in some cases we have very long token (2500 chars) which generates a url which have a length greater than the one accepted by our load balancer.

So my question is: is there an alternative way to pass a token along a websocket connection (maybe through a header on into the request body)?

bartblast · September 29, 2021, 9:41am

You don’t control how the token is generated?

francesco.pessina · September 29, 2021, 10:05am

Not really. The token is generated by Keycloak and the data contained in it is used by also other applications against the user authenticates with the token.

dodo · September 29, 2021, 10:43am

You cannot set additional headers unfortunately.

You could allow anyone to connect, but then require the first message to be the auth token, and deny every other message if the user is not authenticated.

the-mikedavis · September 29, 2021, 1:40pm

So you can pass the token as a header by configuring the websocket like so

# lib/my_app_web/endpoint.ex

socket("/socket", MyAppWeb.UserSocket,
  websocket: [connect_info: [:x_headers]],
  longpoll: false
)

And then passing some {"x-auth-token", auth_token} in the client and handling the token in the connect/3 callback

# lib/my_app_web/channels/user_socket.ex

def connect(_params, socket, %{x_headers: x_headers}) do
  with {:ok, proposed_token} <-
         Enum.find_value(x_headers, :error, fn {k, v} -> k == "x-auth-token" && {:ok, v} end),
       :ok <- MyTokenAuthenticator.authenticate_token(proposed_token) do
    {:ok, socket}
  else
    _ ->
      :error
  end
end

But this won’t work if you’re connecting to the socket in a browser because the WebSocket API in browsers does not allow setting custom headers. If you’re connecting from browsers, I think the only option is to allow all connections:

# lib/my_app_web/channels/user_socket.ex

def connect(_params, socket, _connect_info) do
  {:ok, socket}
end

And instead check the token in the c:Phoenix.Channel.join/3 callback. In fact that documentation has an example of this:

def join("room:lobby", payload, socket) do
  if authorized?(payload) do
    {:ok, socket}
  else
    {:error, %{reason: "unauthorized"}}
  end
end

And that payload in join/3 is encoded in a websocket frame, so it shouldn’t trip up your load balancer.

rogerweb · November 27, 2023, 2:04pm

If you allow anyone to connect, you probably want to disconnect non-authenticated users after a certain timeout, otherwise your server will be vulnerable from a security perspective.

It looks Phoenix.Socket is not a long-running process, so sending a message to it using
Process.send_after/3 is not an option.

Any ideas on how to implement it?

rogerweb · December 1, 2023, 5:06pm

I’ve got it: How to access http headers in Phoenix socket? - #36 by rogerweb