Decompose session decrypt / support websockets

[IlyaSemenov]

As a developer, I need to authenticate users inside a websocket session. In nuxt (h3), defineWebSocketHandler provides the API which doesn't pass the originating H3Event, only raw URL and headers.

I assumed there would be a low-level function such as getUserSessionFromHeaders({ ... }) or getUserSessionFromCookie("....") but I didn't manage to find one. getUserSession seems to be simply calling h3.useSession and the whole machinery seems to expect the full blown H3Event even though in fact it only needs a string.

I believe the documentation should include a recommended recipe for websocket users / other non-h3event authentication needs.

In the meanwhile, I ended up with a quite awkward approach where I have a GET API handler that encrypts the result of requireUserSession, then call it on the client side and push the encrypted session to websocket, which then decrypts it (and also handles expiration to prevent replay attacks). This is a lot of redundant code and an extra HTTP request per connection, and definitely could be improved if there were a way to directly decode the raw nuxt-session cookie content.

[atinux]

Hey @IlyaSemenov

I believe this issue should be opened on H3 side actually on how to handle session with the websocket handler.

[aqz236]

1. Get the cookie from the peer's header.
2. Use the iron library to decrypt the nuxt-session in the cookie.

exp:

import iron from '@hapi/iron';

export default defineWebSocketHandler({
  async open(peer) {
    const cookie = peer.request?.headers?.get('cookie');
    // get nuxt-session from the cookie
    const nuxtSession = cookie?.match(/nuxt-session=(.*?)(?:;|$)/)?.[1] || '';
    console.log({ nuxtSession });
    // Decrypt tokens using Iron
    const unsealed = await iron.unseal(
      nuxtSession,
      process.env.NUXT_SESSION_PASSWORD,
      iron.defaults
    );
    console.log('Parsed session data:', unsealed);

  },

  async message(peer, message) {

  },


  close(peer) {

  },
});

[atinux]

From what I see in https://github.com/unjs/h3/blob/5599d61ae5b1e32d9bfa222ccb90bee475ce675e/src/utils/session.ts#L177-L194, you should be able to import unsealSession from h3 @aqz236

I did not test but this could work I guess:

import { unsealSession } from 'h3'

export default defineWebSocketHandler({
  async open(peer) {
    const cookie = peer.request?.headers?.get('cookie');
    // get nuxt-session from the cookie
    const nuxtSession = cookie?.match(/nuxt-session=(.*?)(?:;|$)/)?.[1] || '';
    // Decrypt tokens using Iron
    const unsealed = await unsealSession(
      {}, // _event not used
      { password: process.env.NUXT_SESSION_PASSWORD },
      nuxtSession
    );
    console.log('Parsed session data:', unsealed);
  },
});

[sandros94]

Just as an update:
with [email protected] release a shared context between hooks has been implemented (this means that unsealing the session can be done only during the upgrade and manually shared between the other hooks), while work on h3 has started in unjs/h3#960

[atinux]

https://x.com/_pi0_/status/1882036944781402339 ✨

https://github.com/unjs/h3/blob/97ccc4d8850a876e98836b2d093a6684f9b37f53/examples/ws-session.ts#L15-L29

[sandros94]

Although, what about runtime's session config (requiring event)? Is it really needed for getUserSession?

nuxt-auth-utils/src/runtime/server/utils/session.ts

Line 98 in 44b06c6

const runtimeConfig = useRuntimeConfig(event)

PS: I was experimenting for a PR to improve typing

[atinux]

Alright, with 0.5.9 you can now do:

// server/routes/ws.ts
export default defineWebSocketHandler({
  async upgrade(request) {
    // Make sure the user is authenticated before upgrading the WebSocket connection
    await requireUserSession(request)
  },
  async open(peer) {
    const { user } = await requireUserSession(peer)

    peer.send(`Hello, ${user.name}!`)
  },
  message(peer, message) {
    peer.send(`Echo: ${message}`)
  },
})

Make sure to have the latest h3 version!