Middleware and authorization
Feature overview
SocketCluster allows you to perform access control from the server side using middleware functions. Middleware functions in SocketCluster v15+ work by iterating over asyncIterable streams; the advantage of this approach is that performing async operations directly inside a middleware loop will not disrupt the order of messages (e.g. if async operations for some messages take longer than others). This means that it's possible to guarantee that actions and messages will always be processed by your receivers/procedures in the same order that they were sent by the client socket.
API overview
In SocketCluster v15, unlike previous versions, you can only register a single function using the agServer.setMiddleware(...)
method.
Another major difference from previous versions is that each middleware line in v15+ can support multiple types of actions. In order to make decisions about which specific actions should be allowed to pass and which should be blocked, it's important to check the action.type
property first.
Register middleware functions
SocketCluster v15 supports 4 different middleware lines which allow you to block, delay or preprocess specific actions. Middleware functions in v15+ work differently from those in previous versions. In v15+, a middleware function can handle multiple different types of actions (represented by an AGAction
instance which has a type
property).
This is how to setup a middleware (this example shows the MIDDLEWARE_INBOUND
line handling TRANSMIT
and INVOKE
actions):
agServer.setMiddleware(agServer.MIDDLEWARE_INBOUND, async (middlewareStream) => {
for await (let action of middlewareStream) {
if (action.type === action.TRANSMIT) {
if (!action.data) {
let error = new Error(
'Transmit action must have a data object'
);
error.name = 'InvalidActionError';
action.block(error);
continue;
}
} else if (action.type === action.INVOKE) {
if (!action.data) {
let error = new Error(
'Invoke action must have a data object'
);
error.name = 'InvalidActionError';
action.block(error);
continue;
}
}
action.allow();
}
});
!! In SocketCluster v15+, you can only have one middleware function for each middleware line.
The following middleware lines are supported:
Middleware type | Description |
---|---|
agServer.MIDDLEWARE_HANDSHAKE | The for-await-of loop for this middleware line iterates whenever a socket handshake occurs. The action.type property can be either AGAction.HANDSHAKE_WS or AGAction.HANDSHAKE_SC . |
agServer.MIDDLEWARE_INBOUND_RAW | The for-await-of loop iterates whenever an inbound message (I.e. from client -> server) is received by the server. This includes all raw messages and operations; including those which are not recognized by SocketCluster. The action.type property will always be AGAction.MESSAGE . |
agServer.MIDDLEWARE_INBOUND | The for-await-of loop iterates whenever an inbound operation (I.e. a recognized operation from client -> server) occurs. The action.type property can be AGAction.TRANSMIT , AGAction.INVOKE , AGAction.SUBSCRIBE , AGAction.PUBLISH_IN or AGAction.AUTHENTICATE . |
agServer.MIDDLEWARE_OUTBOUND | The for-await-of loop iterates whenever an outbound operation (I.e. server -> client) occurs. The action.type property will always be AGAction.PUBLISH_OUT . |
Each action
object (AGAction
) which is streamed through the middleware has different properties depending on its type
property. These are the properties supported by different action types:
Action type | Available properties |
---|---|
AGAction.HANDSHAKE_WS | type , request |
AGAction.HANDSHAKE_SC | type , request , socket |
AGAction.MESSAGE | type , socket , data |
AGAction.TRANSMIT | type , socket , receiver , data |
AGAction.INVOKE | type , socket , procedure , data |
AGAction.SUBSCRIBE | type , socket , channel , data |
AGAction.PUBLISH_IN | type , socket , channel , data |
AGAction.PUBLISH_OUT | type , socket , channel , data |
AGAction.AUTHENTICATE | type , socket , signedAuthToken , authToken |
^ In all of the above cases, type
is a string, channel
is a string, request
is a Node.js http.IncomingMessage object, socket
is an AGServerSocket
object, receiver
is a string, procedure
is a string, signedAuthToken
is a string (or null), authToken
is an object (or null) and data
can be of any type (depending on what is provided by the client).
!! Middlewares are applied on a per-socket basis. So delaying an action in a middleware will only create back pressure for a single socket and not affect other concurrent sockets.