Docs: Explain global middlewars in main middleware docs #4609
Comments
Actually, Socket.IO middlewares are not really meant to be used for security middleware, because they are not executed during an HTTP request/response cycle. The io.engine.on("headers", (headers, request) => {
// ...
});Reference: https://socket.io/docs/v4/server-api/#event-headers I think we are really missing a way to register Express middlewares, which should be implemented in the underlying engine, something like: io.engine.use(yourMiddleware); |
darrachequesne
added
question
|
@darrachequesne the security middleware part was one example, but maybe not the best. The core of the issue created here is a docs issue. https://socket.io/how-to/register-a-global-middleware is explaining how to add a global middleware, but https://socket.io/docs/v4/middlewares/ is not. The "How to register a global middleware" page cannot even be found when searching on https://socket.io/docs/v4/. Maybe an idea would be to remove https://socket.io/how-to/register-a-global-middleware and put that information on https://socket.io/docs/v4/middlewares/ and then redirect any attempts to go to https://socket.io/how-to/register-a-global-middleware back to that page. (aside: Going to https://socket.io/search and searching for something, which I tried to search for "global middleware" yields no results so that seems like a bug, possibly in Docusaurus). |
This commit implements middlewares at the Engine.IO level, because
Socket.IO middlewares are meant for namespace authorization and are not
executed during a classic HTTP request/response cycle.
A workaround was possible by using the allowRequest option and the
"headers" event, but this feels way cleaner and works with upgrade
requests too.
Syntax:
```js
engine.use((req, res, next) => {
// do something
next();
});
// with express-session
import session from "express-session";
engine.use(session({
secret: "keyboard cat",
resave: false,
saveUninitialized: true,
cookie: { secure: true }
});
// with helmet
import helmet from "helmet";
engine.use(helmet());
```
Related:
- #668
- #651
- socketio/socket.io#4609
- socketio/socket.io#3933
- a lot of other issues asking for compatibility with express-session
darrachequesne
added
documentation
In 4.1.0 this was added: https://socket.io/blog/socket-io-4-1-0/#emit-an-event-when-a-namespace-is-created
It would be good to add it to be added to https://socket.io/docs/v4/middlewares/, as the examples there only shows how to add middleware to the main namespace.
But I would say one of the most important/common scenarios for middlewares is to add security middleware such as https://github.com/helmetjs/helmet. That should always be added to all namespaces, not just the main namespace.
Could https://socket.io/docs/v4/middlewares/ be updated to reflect this?
(https://socket.io/how-to/register-a-global-middleware mentions this so maybe a link is enough to that page?)
The text was updated successfully, but these errors were encountered: