使用Passport与Node-Express和MongoDB进行套接字IO身份验证的案例

Question

This is my setup -

Three different servers running three different node js application on three different EC2 servers.

Server 1 - running main application.

Server 2 - running admin application.

Server 3 - running service Provider application.

Each server is using same MongoDB database because they have to share collections.

So I have -

Server 4 - Database server - running Mongo DB.

In database there are three collections representing three types of users -

1] Main user 2] Admin user 3] Service Provider

Each type of user logs into his own nodejs application by connecting to respective server using different client applications.

For example Admin User connects to Server 2 and logs in the admin Application.

For login passport is used, and sessions are stored in Mongo db, using connect-mongo . All the sessions of all types of user are stored in same sessions collection in Mongo DB.

The Problem -

Now I want to implement a notification system using socket.io. Each type of user has a notification Sub-Document array in its model. Something like this -

Main User schema

              {
                 ....

                 notifications : [{ text : String , date : Date}]

              }

Admin User schema

              {
                 ....

                 notifications : [{ text : String , date : Date}]

              }

Service Provider schema

              {
                 ....

                 notifications : [{ text : String , date : Date}]

              }

If a main user books the service of particular service provider, first the service booking info would be stored then a notification would be put in the service providers notifications array. Now if the service provider is online the notification should be pushed to the service provider client application.

For this I am trying to use Socket.io.

My Approach

Setup of a new server for push notifications-

Server 5 - Notification server.

This server runs a socket.io server. When ever any type of user logs in to respective node js application using respective client application, he also connects to this notification server after successful login.

Now when a MainUser books a service of particular service provider, the main server application would put a notification into that particular service providers notification array in his document. After that it would send a request to the notification server to emit a notification on channel specified by ID of service provider so that if the service provider is online he receives the notification on his client application instantly.

But how do I make sure that the users who connects to my socket io server is legitimate. If any user can connect to socket IO server and listen to channel of other user if somehow he gets the ID of other user and get all notification of other user.What I want is the notification server should look at the sessions collection in Mongo DB database and check if the connected user is authenticated and has the proper user id.

Answer 1

From your post I'm assuming you are using express, express-session and socket.io

You can add a middleware to you socket.io that links your express session to your socket.io socket.

The expressSessionMiddleware here is an instance of the "express-session" middleware, which should be configured identically to the session middleware in the main application.

socketio = require "socket.io"
io       = socketio()

io.use (socket, next) ->
    expressSessionMiddleware socket.handshake, {}, next

You will then have access to the session on socket.handshake.session

An example module that does this can be found here: https://github.com/xpepermint/socket.io-express-session