Using socket.io 0.8.4 from NPM, I'm struggling to get global authorisation working, so it can be handled on the client side. Using modified code from the Wiki, I'm checking for the existence of an Express session cookie and 'unauthorizing' the client if it doesn't exist.
```js
var parseCookie = require('connect').utils.parseCookie; // as used in the Wiki example

io.configure(function () {
  io.set('authorization', function (handshakeData, callback) {
    if (!handshakeData.headers.cookie) {
      callback('No session cookie', false); // This generates a 500 error in the browser
    } else {
      var cookies = parseCookie(handshakeData.headers.cookie);
      var sessionID = cookies['connect.sid'];
      if (!sessionID) {
        callback('No session', false); // This generates a 500 error in the browser
      } else {
        handshakeData.sessionID = sessionID;
        callback(null, true);
      }
    }
  });
});
```

My app requires a session cookie (from connect), so if the session cookie isn't present (because, perhaps, it has expired), I want to flag the io.authorization as failed.
The problem seems to be that calling callback(error, false) returns a 500 error to the browser, so it can't be handled client-side. Surely this is incorrect, as this can't easily be handled by the client?
The example on the Wiki shows using the socket.on('error') event to handle this but that doesn't get triggered.
...or is the example on the Wiki out of date?
I also see that even though authorisation is 'failed', I still see a `debug - authorised` message in the debug log, which is why I think this might be a bug.
Also the Wiki states that there are 3 possible response codes for a handshake: 401 Unauthorized, 503 Service Unavailable, or 200 OK.
This appears to be incorrect as both 500 and 403 responses are possible.