Docs: Explain global middlewares in main middleware docs #4609
Comments
Actually, Socket.IO middlewares are not really meant to be used for security middleware, because they are not executed during an HTTP request/response cycle. The

```js
io.engine.on("headers", (headers, request) => {
  // ...
});
```

Reference: https://socket.io/docs/v4/server-api/#event-headers

I think we are really missing a way to register Express middlewares, which should be implemented in the underlying engine, something like:

```js
io.engine.use(yourMiddleware);
```
@darrachequesne the security middleware part was one example, but maybe not the best. The core of the issue created here is a docs issue. https://socket.io/how-to/register-a-global-middleware is explaining how to add a global middleware, but https://socket.io/docs/v4/middlewares/ is not. The "How to register a global middleware" page cannot even be found when searching on https://socket.io/docs/v4/. Maybe an idea would be to remove https://socket.io/how-to/register-a-global-middleware and put that information on https://socket.io/docs/v4/middlewares/ and then redirect any attempts to go to https://socket.io/how-to/register-a-global-middleware back to that page. (aside: Going to https://socket.io/search and searching for something, which I tried to search for "global middleware" yields no results so that seems like a bug, possibly in Docusaurus).
This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Syntax:

```js
engine.use((req, res, next) => {
  // do something

  next();
});

// with express-session
import session from "express-session";

engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());
```

Related:

- #668
- #651
- socketio/socket.io#4609
- socketio/socket.io#3933
- a lot of other issues asking for compatibility with express-session
In 4.1.0 this was added: https://socket.io/blog/socket-io-4-1-0/#emit-an-event-when-a-namespace-is-created
It would be good for it to be added to https://socket.io/docs/v4/middlewares/, as the examples there only show how to add middleware to the main namespace.
But I would say one of the most important/common scenarios for middlewares is to add security middleware such as https://github.com/helmetjs/helmet. That should always be added to all namespaces, not just the main namespace.
Could https://socket.io/docs/v4/middlewares/ be updated to reflect this?
(https://socket.io/how-to/register-a-global-middleware mentions this so maybe a link is enough to that page?)
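Added example (not from this thread or the Socket.IO project): a helper that applies one authorization middleware to the main namespace and, through the "new_namespace" event mentioned above, to every namespace declared afterwards. `useOnAllNamespaces`, `requireToken`, `StubServer` and the token value are constructed for illustration; with the real library, `io` would be a socket.io `Server` instance.

```javascript
// Middleware in Socket.IO's (socket, next) shape; the token is a constructed placeholder.
function requireToken(socket, next) {
  const auth = socket.handshake.auth || {};
  if (auth.token === "constructed-demo-token") return next();
  next(new Error("unauthorized"));
}

// The main namespace is created with the server, so no "new_namespace" listener can
// see it; namespaces declared before this call are not covered either.
function useOnAllNamespaces(io, middleware) {
  io.of("/").use(middleware);
  io.on("new_namespace", (nsp) => nsp.use(middleware));
}

// Constructed stand-in for a socket.io Server so the example runs offline; it models
// only of(), on("new_namespace") and the per-namespace middleware chain.
class StubServer {
  constructor() { this.nsps = new Map(); this.listeners = []; this.of("/"); }
  on(event, fn) { if (event === "new_namespace") this.listeners.push(fn); }
  of(name) {
    if (!this.nsps.has(name)) {
      const nsp = { name, fns: [], use(fn) { this.fns.push(fn); } };
      this.nsps.set(name, nsp);
      if (name !== "/") this.listeners.forEach((fn) => fn(nsp));
    }
    return this.nsps.get(name);
  }
  // Returns null when every middleware calls next(), else the rejection message.
  tryConnect(name, auth) {
    let err = null;
    for (const fn of this.of(name).fns) {
      fn({ handshake: { auth } }, (e) => { err = e || null; });
      if (err) return err.message;
    }
    return null;
  }
}

function demo() {
  const io = new StubServer();
  io.of("/early"); // declared before registration: left without the check
  useOnAllNamespaces(io, requireToken);
  io.of("/admin"); // declared after registration: covered
  return {
    main: io.tryConnect("/", {}),
    admin: io.tryConnect("/admin", {}),
    adminWithToken: io.tryConnect("/admin", { token: "constructed-demo-token" }),
    early: io.tryConnect("/early", {}),
  };
}
```

The `early` result is the case to watch for in a real server: a namespace declared before the listener is attached accepts connections without the check, so the helper has to run before any other `io.of(...)` call.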