access control layer on events for socket.io?

[vincesempre]

Hello everyone!

I would like to ask for suggestions/considerations about using a sort of access control layer with socket.io. I'm wondering if there are correct patterns, if it's an anti-pattern or if my idea will do.

A little bit of context
I'm building an application which allows two different types of client to communicate to each other. The two types of client play two different role, let's say Role1 and Role2.
Role1 and Role2 authenticate themselves on the server with a JWT, which they have obtained previously, sent in the auth option when they connect.

Role2's clients may represent anonymous clients. They can, with a special random code, retrieve from the server a special JWT which allow them to authenticate on the socket.io server.

Role2 must not play the Role1 part, so I need a way to control what a role2 client can do.

my idea
My current idea is to introduce an access control layer on events. Basically:

• the JWT contains a list of events the client is allowed to emit
• on server side there is a socket-level middleware which checks if the received event is allowed by the list contained in the JWT. If so the event is handled by the listener, otherwise it is discarded.

I would like to know if my approach is valid or if there are better approach.

Thanks in advance! 😄

[darrachequesne]

Hi! There are a few possible solutions:

• registering handlers depending on the role

io.on("connection", (socket) => {
  if (socket.role === "role1") {
    socket.on("action1", () => { /* ... */ }
  }
  if (socket.role === "role2") {
    socket.on("action2", () => { /* ... */ }
  }
});

Pros: no additional check in the event handler
Cons: the role must be static (no update during the session)

• using a socket middleware

io.on("connection", (socket) => {
  socket.use(([event], next) => {
    if (isAuthorized(socket, event)) {
      next();
    }
    // skip the packet (or call socket.disconnect(), depending on your use case)
  });
});

Documentation: https://socket.io/docs/v4/server-socket-instance/#Socket-middlewares

Pros:

• no additional check in the event handler
• the role can be dynamic

Cons: none?

• using namespaces

io.on("connection", (socket) => {
  // event handlers for role2 
});

io.of("/authorized-zone", (socket) => {
  // event handlers for role1
});

Documentation: https://socket.io/docs/v4/namespaces/

Pros:

• no additional check in the event handler
• the role can be dynamic

Cons:

• it may be a bit harder to wrap one's mind around the namespace abstraction

[vincesempre]

Thanks for your answer. I implemented the socket middleware and everything is working fine!

(I have unintentionally removed the flag of selected answer.. I'm sorry, I selected it again)