Passing token on websocket connection not as query param

Hello everyone :slight_smile:
We are experiencing a weird problem with Phoenix Websockets.

We are exposing an authenticated channel. The authentication is made getting the token from the token parameter given during the connection, and then if the token is valid the connection is established.

The problem is that the token is passed as query param in the url of the connection (for example …/socket/websocket?token=…).
For us this is a problem because in some cases we have very long token (2500 chars) which generates a url which have a length greater than the one accepted by our load balancer.

So my question is: is there an alternative way to pass a token along a websocket connection (maybe through a header on into the request body)?

You don’t control how the token is generated?

Not really. The token is generated by Keycloak and the data contained in it is used by also other applications against the user authenticates with the token.

You cannot set additional headers unfortunately.

You could allow anyone to connect, but then require the first message to be the auth token, and deny every other message if the user is not authenticated.

So you can pass the token as a header by configuring the websocket like so

# lib/my_app_web/endpoint.ex

socket("/socket", MyAppWeb.UserSocket,
  websocket: [connect_info: [:x_headers]],
  longpoll: false
)

And then passing some {"x-auth-token", auth_token} in the client and handling the token in the connect/3 callback

# lib/my_app_web/channels/user_socket.ex

def connect(_params, socket, %{x_headers: x_headers}) do
  with {:ok, proposed_token} <-
         Enum.find_value(x_headers, :error, fn {k, v} -> k == "x-auth-token" && {:ok, v} end),
       :ok <- MyTokenAuthenticator.authenticate_token(proposed_token) do
    {:ok, socket}
  else
    _ ->
      :error
  end
end

But this won’t work if you’re connecting to the socket in a browser because the WebSocket API in browsers does not allow setting custom headers. If you’re connecting from browsers, I think the only option is to allow all connections:

# lib/my_app_web/channels/user_socket.ex

def connect(_params, socket, _connect_info) do
  {:ok, socket}
end

And instead check the token in the c:Phoenix.Channel.join/3 callback. In fact that documentation has an example of this:

def join("room:lobby", payload, socket) do
  if authorized?(payload) do
    {:ok, socket}
  else
    {:error, %{reason: "unauthorized"}}
  end
end

And that payload in join/3 is encoded in a websocket frame, so it shouldn’t trip up your load balancer.

1 Like