WebSocket handshake and JWT: understanding the security


Hi, I'm trying to understand how this handshake works together with JWT. I have a web page where a user can log in. I then create a JWT, and when I make requests to the server I use this token to verify the user. I would also like to open a WebSocket connection and use the same token for it, so I wrote the server like this:

// Load the WebSocket module up front; it only needs the HTTP server once
// that server exists.
var websockets = require('./websockets');

// Start the HTTP server on port 3000 and log once it is listening.
var server = app.listen(3000, function () {
    console.log('Server listening on', 3000);
});

// Share the same listening socket between HTTP and WebSocket traffic.
websockets.connect(server);

In the file websockets.js I have:

var _  = require('lodash')
var ws = require('ws')
var url = require('url')
var jwt = require('jwt-simple')
var config = require('./config')
var clients = [];

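/**
 * Attach a WebSocket server to an existing HTTP server and authenticate
 * each incoming connection with the JWT passed as the `token` query
 * parameter of the upgrade request.
 *
 * The token is checked with jwt.decode(token, config.secret); a missing,
 * malformed, or badly signed token rejects the connection before any
 * handler is registered or any state is kept for it.
 *
 * Background for the question this file raises: Sec-WebSocket-Key is a
 * random per-handshake nonce that proves the upgrade was understood by a
 * WebSocket-aware server; it is not a credential and it is not sent on
 * later frames, so it cannot bind later messages to a client. A token
 * carried over plain ws:// can be read by anyone on the path; TLS (wss://)
 * is what protects it in transit, and a short token lifetime limits the
 * damage of a copied one. Passing the token in the query string also
 * leaves it in server and proxy logs.
 *
 * @param {Object} server - the http.Server returned by app.listen(); the
 *   WebSocket server shares its port.
 */
exports.connect = function(server){

    var wss = new ws.Server({server:server});

    // Newer `ws` releases pass the upgrade request as a second argument
    // and no longer expose ws.upgradeReq; accept either form.
    wss.on('connection', function(socket, req){
        var upgradeReq = req || socket.upgradeReq;
        var location = url.parse(upgradeReq.url, true);
        var token = location.query.token;

        // Logged once per connection (not per message). Upgrade headers can
        // carry cookies or an Authorization header, so keep this out of
        // production logs.
        console.log( upgradeReq.headers );
        console.log( 'New connection.' );

        var user;
        try {
            // jwt-simple verifies the signature against config.secret and
            // throws on a missing, malformed, or tampered token.
            user = jwt.decode( token, config.secret );
        } catch (err) {
            console.log( 'Authentication failed.' );
            // 1008 = policy violation. Return here so an unauthenticated
            // socket is never stored in `clients` or given handlers.
            socket.close(1008, 'Authentication failed');
            return;
        }

        // Keyed by token so the close handler can remove the same entry.
        // Keying by a user id would avoid keeping the bearer token around.
        clients[token] = socket;

        socket.on('message', function(data, flags) {
            console.log( data );
        });

        socket.on('close', function(){
            // `_.remove` only matches array elements, so it never removed
            // the string-keyed entry; delete it so closed sockets do not
            // accumulate.
            delete clients[token];
            console.log('User disconnect:' + user.username);
        });

    });

};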

So the problem is that if I log in in the browser and copy the token from the headers, I can connect to the server from a different terminal using wscat. So I was trying to understand how the handshake works and whether it can help me prevent this.

So my idea was to take this value from the headers, MTMtMTQ0Mjk1OTI3NjY1NA==:

 connection: 'Upgrade',
  upgrade: 'websocket',
  host: 'localhost:3000',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ0Mjk1OTI3NjY1NA==',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits' 

store it against the client and check on each call from the client whether that value is still the same, but I'm not sure that is the right way. I don't understand it very well, so if someone could explain it that would be great, or tell me what I can use to prevent this hijacking if I don't have an SSL connection.

