WebRTC security options with XSockets


If I follow the example outlined on this page (http://xsockets.net/docs/installing-xsocketsnet) and install the controller as a self-hosted application on a different server from the web server hosting the website that would communicate with the XSockets controller, how can I make sure that only authenticated users from my website can access the XSockets controller?

I am new to the XSockets architecture and this is puzzling me. It seems like I would need to pass some login credentials to the controller when this line of code is called in JavaScript: `peerBroker = new XSockets.WebSocket("ws://127.0.0.1:4502/CustomBroker");`. I have not found any documentation outlining how to get this information securely to the controller. As background, the website side is running MVC5.

The main point of confusion is that the broker is on a different server than the MVC5 application that will access the broker. I am trying to make sure that the broker only allows users currently logged into the system to access the broker.


To share the auth ticket between servers is actually not that hard.

  1. See to it that you have the same machine key in both configs.

    //Machine key in web
    <machineKey compatibilityMode="Framework45" validationKey="validation-key-here" decryptionKey="decryption-key-here" validation="SHA1" decryption="AES" />
    
    //Machine key in app-server
    <machineKey compatibilityMode="Framework45" validationKey="same-as-on-webserver" decryptionKey="same-as-on-webserver" validation="SHA1" decryption="AES" />
    
    //Do note that compatibilityMode will be different between 4.5 and other .NET versions, see MSDN
    
  2. When you login with forms-auth you will get a cookie like

    .ASPXAUTH=DFE811295BABA98CFE94040...
    
  3. To get that cookie in XSockets.NET just do like this

    using System.Web.Security;
    using XSockets.Core.XSocket;
    using XSockets.Core.Common.Socket.Event.Arguments;

    public class MyController : XSocketController
    {
        public MyController()
        {
            // Runs once for every new WebSocket connection to this controller
            this.OnOpen += MyController_OnClientConnect;
        }

        void MyController_OnClientConnect(object sender, OnClientConnectArgs e)
        {
            // Decrypts the .ASPXAUTH cookie sent with the handshake using the shared machineKey
            FormsAuthenticationTicket ticket = GetFormsAuthenticationTicket();

            // Validate ticket & maybe extract user info as shown below...
            // If not valid (missing or expired) just close the connection
            if (ticket == null || ticket.Expired)
            {
                this.Close();
                return;
            }
        }
    }
    
  4. It is not necessary, but as you see you can pass along custom client information. I do so by using a custom principal

    public class CustomPrincipal
    {
        public Guid Id { get; set; }
        public string Email { get; set; }
        public string[] Roles { get; set; }
    }
    
  5. In that case you can extract user info from the ticket with

    var userinfo = this.JsonSerializer.DeserializeFromString<CustomPrincipal>(ticket.UserData);
    

Note: Read http://xsockets.net/docs/security where you will see that you can also use the Authorize attribute and also use the OnAuthorization method (override)

EDIT: To be able to access the cookies on the XSockets server you will have to connect to the same origin as the cookie was set on. For example: if you connect to localhost (web) you will have to use ws://localhost:port to be able to access the cookie.
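The answer's five steps carried through end to end, as an added example that is not part of the answer or of XSockets' own code. The MVC5 side issues the forms ticket with the `CustomPrincipal` JSON in `UserData`; the self-hosted XSockets side decrypts it with the shared machineKey, rejects missing, tampered or expired tickets, and then uses the roles to gate an action. Assumptions: XSockets 3.x names are used as the answer shows them (`XSocketController`, `OnOpen`, `Close()`, `GetFormsAuthenticationTicket()`), plus `SendToAll(object, eventName)` from the XSockets 3 docs; `CustomBroker`, `Broadcast`, the `broadcaster` role and `FormsAuthHelper` are hypothetical names; `JavaScriptSerializer` from System.Web.Extensions stands in for `this.JsonSerializer`, which would do the same job on the XSockets side.

```csharp
// Added example, not from the answer or the XSockets project. Both projects reference
// System.Web and System.Web.Extensions; the XSockets one also references XSockets.Core.
using System;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;
using XSockets.Core.XSocket;
using XSockets.Core.Common.Socket.Event.Arguments;

public class CustomPrincipal
{
    public Guid Id { get; set; }
    public string Email { get; set; }
    public string[] Roles { get; set; }
}

// Shared between the web server and the app server (same machineKey in both web.configs).
public static class FormsAuthHelper
{
    // Web server: called after credentials have been verified. Returns the cookie to append
    // to the response; the browser attaches it to the ws:// handshake when the host matches.
    public static HttpCookie IssueCookie(CustomPrincipal user, bool persistent)
    {
        var now = DateTime.Now; // FormsAuthenticationTicket.Expired compares against local time
        var ticket = new FormsAuthenticationTicket(
            1, user.Email, now, now.AddMinutes(30), persistent,
            new JavaScriptSerializer().Serialize(user),
            FormsAuthentication.FormsCookiePath);

        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // page script never sees the ticket
            Secure = FormsAuthentication.RequireSSL,  // with requireSSL="true" only wss:// gets it
            Expires = persistent ? ticket.Expiration : DateTime.MinValue
        };
    }

    // App server: accept only a ticket that decrypted, has not expired and carries a usable principal.
    public static bool TryGetUser(FormsAuthenticationTicket ticket, out CustomPrincipal user)
    {
        user = null;
        if (ticket == null || ticket.Expired || string.IsNullOrEmpty(ticket.UserData)) return false;
        try
        {
            user = new JavaScriptSerializer().Deserialize<CustomPrincipal>(ticket.UserData);
        }
        catch (ArgumentException) { return false; }          // malformed JSON
        catch (InvalidOperationException) { return false; }  // JSON does not fit CustomPrincipal

        if (user == null || user.Id == Guid.Empty || string.IsNullOrEmpty(user.Email))
        {
            user = null;
            return false;
        }
        user.Roles = user.Roles ?? new string[0];
        return true;
    }
}

// App server: the self-hosted controller the client connects to as ws://host:4502/CustomBroker.
public class CustomBroker : XSocketController
{
    public CustomPrincipal User { get; private set; }

    public CustomBroker()
    {
        this.OnOpen += OnClientConnect;
    }

    private void OnClientConnect(object sender, OnClientConnectArgs e)
    {
        FormsAuthenticationTicket ticket = null;
        try
        {
            // Decrypted with the shared machineKey; assumed to return null or throw when the
            // .ASPXAUTH cookie is absent or fails validation.
            ticket = GetFormsAuthenticationTicket();
        }
        catch (Exception) { /* treated as no ticket */ }

        CustomPrincipal user;
        if (!FormsAuthHelper.TryGetUser(ticket, out user))
        {
            this.Close(); // not a currently logged-in user: drop the socket
            return;
        }
        User = user;
    }

    // Hypothetical action: only authenticated clients holding the "broadcaster" role may use it.
    public void Broadcast(string message)
    {
        if (User == null || Array.IndexOf(User.Roles, "broadcaster") < 0) return;
        this.SendToAll(message, "broadcast");
    }
}
```

Two caveats the answer's setup implies: the cookie only reaches the broker if the page was served from the same host the client connects to (the EDIT above), so a page on `https://www.example.com` must open `wss://www.example.com:4502/CustomBroker`, not an IP; and because the app server holds the same machineKey it can mint tickets itself, so treat that key as a credential shared by both hosts and keep it out of source control.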