Implementing WebSockets authentication in Express.js

WebSockets have become a popular choice for real-time communication in web applications. However, when using WebSockets, it’s essential to implement proper authentication to ensure only authorized users can access sensitive data or perform certain actions.

In this blog post, we will explore how to implement WebSockets authentication in an Express.js application. We will use the ws library for WebSocket handling and jsonwebtoken for token-based authentication.

Prerequisites

Before getting started, make sure you have the following installed on your system:

Step 1: Setting up the Express.js server

First, let’s set up a secure Express.js server that will handle the WebSocket connections and authentication.

const express = require('express');
const WebSocket = require('ws');

const app = express();
// app.listen() returns the underlying http.Server; the WebSocket server is
// attached to it so both share port 3000. This listens for plain ws://; for
// wss:// terminate TLS here (https.createServer) or at a reverse proxy.
const secureServer = app.listen(3000);

const wss = new WebSocket.Server({ server: secureServer });

// Express.js routes and middleware can be defined here

Step 2: Implementing WebSocket authentication middleware

We will create a WebSocket middleware function that will handle the authentication logic before establishing a WebSocket connection.

const jwt = require('jsonwebtoken');

// Keep the signing secret out of source control (e.g. load it from the
// environment); a literal is used here only to keep the example short.
const JWT_SECRET = 'secret-key';

function authenticateWebSocket(token) {
  try {
    // Verify the signature and the standard claims (exp, nbf) and return the
    // decoded payload; pin the algorithm so the token cannot choose its own.
    return jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] });
  } catch (err) {
    // Token verification failed (bad signature, expired or malformed token)
    return null;
  }
}

// Note: 'connection' fires after the HTTP 101 handshake has completed, so an
// unauthenticated client briefly holds an open socket before it is closed.
// To reject before the handshake, perform the same check in the HTTP server's
// 'upgrade' event instead.
wss.on('connection', (ws, req) => {
  // The token is carried in the URL path (see Step 3); drop the leading '/'
  // and any query string.
  const token = req.url.slice(1).split('?')[0];

  if (!token) {
    // Token is missing: close with 1008 (Policy Violation)
    ws.close(1008, 'Missing token');
  } else {
    // Authenticate the WebSocket connection
    const user = authenticateWebSocket(token);
    if (!user) {
      // Authentication failed: close with 1008 (Policy Violation)
      ws.close(1008, 'Invalid token');
    } else {
      // Authentication successful; keep the decoded user on the socket so
      // later message handlers can authorize each message against it
      ws.user = user;
    }
  }
});

Step 3: Sending authenticated WebSocket requests

To send authenticated WebSocket requests, the client needs to include the authentication token in the URL when establishing the connection. For example:

const token = '...'; // Your JWT token
// The token travels in the URL path, so it will appear in server and proxy
// access logs; use wss:// in production so it is not sent in the clear.
const socket = new WebSocket(`ws://localhost:3000/${token}`);

socket.addEventListener('open', () => {
  // Connection established, send/receive messages here
});

socket.addEventListener('close', (event) => {
  // Connection closed; event.code carries the server's close status code
});

Conclusion

Implementing WebSockets authentication in Express.js is crucial for securing real-time communication in your web application. By using JWT tokens and proper middleware, you can ensure only authenticated users can access the WebSocket connection.

Remember to generate and sign your JWT tokens securely, and always validate the authenticity of the token on the server-side.

#WebSockets #ExpressJS