Decompose session decrypt / support websockets

[IlyaSemenov]

As a developer, I need to authenticate users inside a websocket session. In nuxt (h3), defineWebSocketHandler provides the API which doesn't pass the originating H3Event, only raw URL and headers.

I assumed there would be a low-level function such as getUserSessionFromHeaders({ ... }) or getUserSessionFromCookie("....") but I didn't manage to find one. getUserSession seems to be simply calling h3.useSession and the whole machinery seems to expect the full blown H3Event even though in fact it only needs a string.

I believe the documentation should include a recommended recipe for websocket users / other non-h3event authentication needs.

In the meanwhile, I ended up with a quite awkward approach where I have a GET API handler that encrypts the result of requireUserSession, then call it on the client side and push the encrypted session to websocket, which then decrypts it (and also handles expiration to prevent replay attacks). This is a lot of redundant code and an extra HTTP request per connection, and definitely could be improved if there were a way to directly decode the raw nuxt-session cookie content.

[atinux]

Hey @IlyaSemenov

I believe this issue should be opened on H3 side actually on how to handle session with the websocket handler.

[aqz236]

1. Get the cookie from the peer's header.
2. Use the iron library to decrypt the nuxt-session in the cookie.

exp:

import iron from '@hapi/iron';

export default defineWebSocketHandler({
  async open(peer) {
    const cookie = peer.request?.headers?.get('cookie');
    // get nuxt-session from the cookie
    const nuxtSession = cookie?.match(/nuxt-session=(.*?)(?:;|$)/)?.[1] || '';
    console.log({ nuxtSession });
    // Decrypt tokens using Iron
    const unsealed = await iron.unseal(
      nuxtSession,
      process.env.NUXT_SESSION_PASSWORD,
      iron.defaults
    );
    console.log('Parsed session data:', unsealed);

  },

  async message(peer, message) {

  },


  close(peer) {

  },
});

[atinux]

From what I see in https://github.com/unjs/h3/blob/5599d61ae5b1e32d9bfa222ccb90bee475ce675e/src/utils/session.ts#L177-L194, you should be able to import unsealSession from h3 @aqz236

I did not test but this could work I guess:

import { unsealSession } from 'h3'

export default defineWebSocketHandler({
  async open(peer) {
    const cookie = peer.request?.headers?.get('cookie');
    // get nuxt-session from the cookie
    const nuxtSession = cookie?.match(/nuxt-session=(.*?)(?:;|$)/)?.[1] || '';
    // Decrypt tokens using Iron
    const unsealed = await unsealSession(
      {}, // _event not used
      { password: process.env.NUXT_SESSION_PASSWORD },
      nuxtSession
    );
    console.log('Parsed session data:', unsealed);
  },
});

[sandros94]

Just as an update:
with crossws@0.3.2 release a shared context between hooks has been implemented (this means that unsealing the session can be done only during the upgrade and manually shared between the other hooks), while work on h3 has started in h3js/h3#960

[atinux]

https://x.com/_pi0_/status/1882036944781402339 ✨

https://github.com/unjs/h3/blob/97ccc4d8850a876e98836b2d093a6684f9b37f53/examples/ws-session.ts#L15-L29

[sandros94]

Although, what about runtime's session config (requiring event)? Is it really needed for getUserSession?

nuxt-auth-utils/src/runtime/server/utils/session.ts

Line 98 in 44b06c6

const runtimeConfig = useRuntimeConfig(event)

PS: I was experimenting for a PR to improve typing

[atinux]

Alright, with 0.5.9 you can now do:

// server/routes/ws.ts
export default defineWebSocketHandler({
  async upgrade(request) {
    // Make sure the user is authenticated before upgrading the WebSocket connection
    await requireUserSession(request)
  },
  async open(peer) {
    const { user } = await requireUserSession(peer)

    peer.send(`Hello, ${user.name}!`)
  },
  message(peer, message) {
    peer.send(`Echo: ${message}`)
  },
})

Make sure to have the latest h3 version!

[mavyworx]

I'm doing the above:

export default defineWebSocketHandler({
  async upgrade(request) {
    await requireUserSession(request);
  },

which works when there is a valid session, but when I delete the session cookie and retry the websocket connection (to simulate an unauthenticated request), the server throw this error:

ERROR  [nitro] [unhandledRejection] Cannot initialize a new session. Make sure using useSession(event) in main handler.
    at getSession (node_modules/h3/dist/index.mjs:1374:13)

On Nuxt 3.15.4 and next-auth-utils 0.5.16.

I don't really understand what the message is telling me.

Any suggestions?

[tommie]

It seems the session support in h3 1.5.2 was reverted in 1.5.3 (it looks like they forked!)

The request.context is undefined in upgrade(). And it's a readonly property/getter.
I ended up having to use a hack like

  async upgrade(request) {
    if (!request.context) {
      const reqw = Object.create(request);
      Object.defineProperty(reqw, "context", {
        value: {},
        writable: false,
      });
      request = reqw;
    }

    const userRecord = await requireUserSession(request as any);

    return {
      context: {
        ...request.context,
        userRecord,
      },
    }
  },

h3 really should expose upgrade() with an H3Event. This is absurd.