Tutorial: 006 - Authentication


When you create a web application that uses websockets and that requires user authentication, the websockets part is not secured by default, a user can craft websocket requests to communicate with the server without being authenticated. Since Eureca.io uses websockets, you'll need to secure it in such scenarios.

Euraca.io provide a convenient way to integrate your RPC system to any existing authentication module.

Setting up authentication

in the server side

You define a custom authentication function in the server side, this function takes an authorization token, process it, then accept it or reject it.

in the client side

You call authenticate function with your auth token, and listen for "authResponse" event.
if the authentication fails, the client cannot call the server functions, here again, it's up to you to decide what to do when

It's up to you to write the eureca authentication logic, and the way you generate the token.

authentication scenario example

In a typical scenario, you'll be using Eureca.io inside a web application that have its own authentication logic.
Your application have an authentication form using a login/password, a social connect button, ...etc
When a user enters valid credentials, the server will keep track of it using a client session having a unique session ID.
a cookie is usually used to save this session ID in the client side to keep the session valid.

in such case, you can use this session ID to generate a unique hash and share it with the client when he enters valid credentials.

the client then creates Eureca.io client, and call authenticate() function passing the shared hash as an authentication token.

in the server side, the authentication logic will be to grab the client sessionID from the client request, recalculate the hash and compare it to the one provided by the client. if they match the client is authorized to call server side functions.


Server code

The following server code implements an authentication function.
For the sake of simplicity, we suppose that the client request have a sessionID field containing the client sessionID.

//The server logic generate a client hash and share it with the corresponding client when he enters valid credentials

//Eureca.io initializaton 
var eurecaServer = new Eureca.Server({
    authenticate: function (authToken, next) {

        //Note. the "this" object of authenticate function provided access to a special eureca context 
        //this.request gives access to client request

        var genHash = myHashingFunction(this.request.sessionID)
        console.log('Called Auth with token=', authToken);

        if (genHash === authToken) next();
        else next('Auth failed');

Client code

The following client code calls authenticate() function passing a generated authToken
We also suppose that the application server sends a sessionID hash to the client upon authentication, and that this hash is called clientHash.

var client = new Eureca.Client();

client.ready(function (serverProxy) {
    //this will be called when the authentication succeeds
client.on('connect', () => {
    //we make sure to be connected to eureca server before trying to authenticate
    //the auth token we send here is a clientHash received from the server upon webform authentication


ExpressJS / Passport authentication example

The following link is an example showing how to integrate eureca.io to an expressjs application that uses passport authentication : https://github.com/Ezelia/eureca.io-examples/tree/master/004-passport-express-authentication