feat: Message Authentication #163

Merged: hanspagel merged 15 commits into main from feat/authentication on Aug 19, 2021
@tommoor (Contributor) commented Aug 18, 2021

This PR adds token-based authentication over the websocket. This replaces the current solution of using query parameters, which can easily end up in logs, and "bakes in" the concept of authentication and authorization more clearly.

Docs are updated, but the main interface differences are as so:

  • HocuspocusProvider gains a token option to pass an auth/access token to the server (or any other string-based authentication you might have).
  • Server gains an optional "onAuthenticate" hook; this acts much like onConnect before, but instead of accessing the query parameters object it is passed the token from the client. If the hook is not provided then no authentication is required.

Of note:

  • Sync messages can be sent down the socket before authentication is completed; they will be queued on the server.
  • Messages can also arrive in any order, so that's nice for resiliency – with this solution the authentication message doesn't even have to be first.
  • If auth fails the provider will disconnect and not retry automatically; it's up to the implementation to decide how to deal with this situation.

closes #109
closes yjs/y-websocket#67
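
The server-side behaviour described in this PR (sync messages queued until the token is checked, messages accepted in any order, no authentication when the hook is absent), as an added example that is not code from the PR or from Hocuspocus. The `AuthGate` class, the `{ type, token | payload }` message shapes, the synchronous hook and the dropping of queued messages on failure are assumptions of this simplified model.

```javascript
// Added example: a simplified model, not Hocuspocus source code.
// Message shapes ({type: 'auth' | 'sync'}) and the AuthGate name are assumptions.
class AuthGate {
  // onAuthenticate(token) throws to reject; when omitted, no auth is required.
  constructor({ onAuthenticate, apply, close }) {
    this.onAuthenticate = onAuthenticate;
    this.apply = apply; // called for each sync message once allowed
    this.close = close; // called once when authentication fails
    this.state = onAuthenticate ? 'pending' : 'authenticated';
    this.queue = [];
  }

  receive(msg) {
    if (this.state === 'rejected') return; // ignore everything after a failure
    if (msg.type === 'auth') return this.authenticate(msg.token);
    // Hold document updates until the token has been checked.
    if (this.state === 'pending') return void this.queue.push(msg);
    this.apply(msg);
  }

  authenticate(token) {
    if (this.state !== 'pending') return; // a second auth message changes nothing
    try {
      this.onAuthenticate(token);
    } catch (err) {
      this.state = 'rejected';
      this.queue = []; // never apply updates from an unauthenticated peer
      this.close(err.message);
      return;
    }
    this.state = 'authenticated';
    for (const queued of this.queue.splice(0)) this.apply(queued); // keep order
  }
}

// Constructed sample run: the sync message arrives before the token.
function demo(token, requireAuth = true) {
  const applied = [];
  let closedWith = null;
  const check = (t) => { if (t !== 'valid-token') throw new Error('unauthorized'); };
  const gate = new AuthGate({
    onAuthenticate: requireAuth ? check : undefined,
    apply: (m) => applied.push(m.payload),
    close: (reason) => { closedWith = reason; },
  });
  gate.receive({ type: 'sync', payload: 'update-1' });
  gate.receive({ type: 'auth', token });
  gate.receive({ type: 'sync', payload: 'update-2' });
  return { applied, closedWith, state: gate.state };
}
```

Because the token travels in a message rather than in the URL, it stays out of the request line that proxies and access logs record.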

@tommoor tommoor mentioned this pull request Aug 19, 2021
@hanspagel (Contributor) commented Aug 19, 2021

Amazing PR! I’ve added some happy path tests, and left some comments. ✌️

Oh, and I had to research it, but Drafts are a premium feature for private repositories.

@tommoor tommoor changed the title from "wip: Authentication" to "feat: Message Authentication" Aug 19, 2021
@tommoor tommoor requested a review from hanspagel August 19, 2021 17:31
@hanspagel hanspagel left a comment (Contributor)

Thanks for the update!

@hanspagel hanspagel merged commit a1e68d5 into main Aug 19, 2021
@hanspagel (Contributor) commented

Released as @hocuspocus/[email protected] 🎉

Thanks for your work on this, this was really a superb contribution!

@hanspagel hanspagel deleted the feat/authentication branch October 5, 2021 20:54
Development

Successfully merging this pull request may close these issues.

  • Use WebSocket messages as an alternative for authentication
  • Improved connection error handling in the client

2 participants