Websocket Authentication

What is the best way to go about doing this? I have https/wss set up so the communication is at least encrypted while in transit, but I'd like to add authentication now. I've done some reading and googling around and I'm a bit confused about the best way to accomplish authentication on a websocket.

I found the following:


But I'm not sure it's the best way to go.

I've never actually got that far though I'm certainly interested in any viable approaches.

Using Socket.IO, I know that you can use middleware in a similar way to ExpressJS - except that it is only called when a new connection is made and so it isn't suitable for ongoing validation of connections. There is no realistic way, for example, of using the middleware to time out an authentication session like there is with Express middleware (which is called on every request).

That means that you need to build something into each client-server exchange of information manually.

To start, I'm just looking for authentication on the new connection. I'm trying to set up two instances of Node-RED in a client-server type model.

I don't think that Node-RED's websocket nodes use Socket.IO so I'm not sure you can do anything with them. However, I might be wrong. I'm afraid you may need to check through the source code.

Perhaps Dave can chip in tomorrow.

I think I have a solution. I set up nginx as a reverse proxy and enabled basic authentication over TLS. My WebSocket node is able to make a connection like this:
[image]
Not ideal, but it will work for now.

2 Likes
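The nginx reverse proxy with basic authentication over TLS described in the post above, written out as an added example configuration (not the poster's own config). It assumes Node-RED listens on 127.0.0.1:1880, the WebSocket In node uses the path /ws/data, the certificate lives under /etc/nginx/tls/ and the user file is /etc/nginx/.htpasswd; all of these are placeholders to adjust.

```nginx
# Added example, not the poster's configuration. Assumed values:
#   Node-RED on 127.0.0.1:1880, WebSocket In node path /ws/data,
#   TLS files in /etc/nginx/tls/, users in /etc/nginx/.htpasswd
#   (create a user with: htpasswd -c /etc/nginx/.htpasswd someuser)

# Pass the Upgrade header through only when the client actually asks for it
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name nodered.example.com;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Basic auth is checked on the HTTP upgrade request that opens the
    # socket; the credentials only ever travel inside the TLS session.
    auth_basic           "Node-RED WebSocket";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location /ws/ {
        proxy_pass         http://127.0.0.1:1880;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade         $http_upgrade;
        proxy_set_header   Connection      $connection_upgrade;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        # Keep idle WebSocket sessions open instead of the 60s default
        proxy_read_timeout 3600s;
    }
}

# Never serve the socket over plain HTTP; send such clients to HTTPS
server {
    listen 80;
    server_name nodered.example.com;
    return 301 https://$host$request_uri;
}
```

This only protects the path that goes through nginx, so also bind Node-RED to the loopback interface (uiHost: "127.0.0.1" in settings.js) or firewall port 1880, otherwise a client can still connect to Node-RED directly and skip the authentication.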

I'd always recommend doing security via a proxy actually. It will nearly always be more secure and easier to manage.

You might want to change your server iptables firewall to ensure that it only accepts traffic to NGINX and blocks direct access to Node-RED.

1 Like

That looks like a good solution! Could you share the nginx configuration?
I'd like to use something like that and I'm not sure where to start.
Thanks!

Just to note that I've scored this with 1 star on Flows and raised 2 critical issues on GitHub.

There is an issue from 2017 that has no response.

It hasn't been updated in years and so the dependencies are MASSIVELY out of date.

It also looks as though this does not provide meaningful security as the token is only checked at socket connection and doesn't provide the token thereafter (because websockets don't support custom headers once the connection has been made). I'm not a code security expert though by any means so please correct me if I'm wrong.

My current recommendation is not to use this node.

I've also given 1 star to two other related nodes:

  • node-red-contrib-websocket which is a duplicate
  • node-red-contrib-websocket-gabo which appears to be a fork, also not updated recently

I wouldn't recommend any of them I'm afraid.