
Flask SocketIO authenticate on connect event by sending token

Currently after a user logs in, I return a token using JSON. Subsequently they must make a request to the index page and pass the token in the HTTP Authorisation header.

The index.html page contains the following:

var socket = io.connect('http://' + document.domain + ':' + location.port + namespace);

socket.on('connect', function() {          
          socket.emit('join', {room: 'venue_1'}); 
});  

If the user follows this process of events then connection to socket is only possible after they log in. However, I am trying to prevent against the situation where someone may just create an HTML file containing the above code and not first go through the login step.

Server Code

@socketio.on('connect', namespace='/test')
def test_connect():

    # Can anything be done here to verify a user?

    emit('my response', {'data': 'Connected'})

Is there a way I can pass a token to the above connect event so that I can verify the user there? If the token ended up being invalid, I could maybe run a disconnect call.

Or does this need to occur when I do the following call?

socket.emit('join', {room: 'venue_1', token:'token1234'}); 

Thanks for your help.

The documentation for Flask-SocketIO includes a section on Authentication.

The solution is based on the availability of the HTTP context (user session and cookies) inside your SocketIO handlers. If you are using Flask-Login to manage the user session, then the current_user context variable is available in your socket handlers. For example:

@socketio.on('connect', namespace='/test')
def test_connect():
    # is_authenticated is a property in Flask-Login 0.3 and later
    if not current_user.is_authenticated:
        return  # do not respond or disconnect
    # user is authenticated
    emit('my response', {'data': 'Connected'})
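
For the token approach the question asks about, the check can also run in the connect handler itself. The following is an added example, not code from the question, the answer or the Flask-SocketIO project. It assumes Flask-SocketIO 5 or later with a Socket.IO v3+ client that sends the token as io(url, {auth: {token: ...}}); the HMAC token format, SECRET_KEY, TOKEN_TTL and the helper names are hypothetical.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-secret"  # constructed value; load from config in real use
TOKEN_TTL = 3600  # seconds a token stays valid (assumed policy)


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Token the login endpoint would return: '<user>.<expiry>.<hmac>'."""
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{user_id}.{expiry}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token, now=None):
    """Return the user id for a valid, unexpired token, else None."""
    if not isinstance(token, str):
        return None
    payload, _, signature = token.rpartition(".")
    user_id, _, expiry = payload.rpartition(".")
    if not user_id or not expiry.isdigit():
        return None
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(signature.encode(), _sign(payload).encode()):
        return None
    if int(expiry) < (time.time() if now is None else now):
        return None
    return user_id


def register_handlers(socketio, namespace="/test"):
    """Attach the connect check to a flask_socketio.SocketIO instance."""

    @socketio.on("connect", namespace=namespace)
    def test_connect(auth=None):
        # 'auth' is the dict the client supplied when opening the connection.
        token = auth.get("token") if isinstance(auth, dict) else None
        if verify_token(token) is None:
            return False  # returning False makes Flask-SocketIO refuse the connection
        return True

    return test_connect
```

Because the connection is refused before any handler such as 'join' can run, a page that skips the login step never reaches the room logic.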
