socket.io icon indicating copy to clipboard operation
socket.io copied to clipboard

Published 20 hours ago verified publisher icon socketio

Docs: Explain global middlewars in main middleware docs

Open thernstig opened this issue 2 years ago • 2 comments

In 4.1.0 this was added: https://socket.io/blog/socket-io-4-1-0/#emit-an-event-when-a-namespace-is-created

It would be good to add it to be added to https://socket.io/docs/v4/middlewares/, as the examples there only shows how to add middleware to the main namespace.

But I would say one of the most important/common scenarios for middlewares is to add security middleware such as https://github.com/helmetjs/helmet. That should always be added to all namespaces, not just the main namespace.

Could https://socket.io/docs/v4/middlewares/ be updated to reflect this?

(https://socket.io/how-to/register-a-global-middleware mentions this so maybe a link is enough to that page?)

thernstig avatar Jan 24 '23 12:01 thernstig

But I would say one of the most important/common scenarios for middlewares is to add security middleware

Actually, Socket.IO middlewares are not really meant to be used for security middleware, because they are not executed during an HTTP request/response cycle.

The headers event could be used for that purpose, but is not compatible with Express middlewares:

io.engine.on("headers", (headers, request) => {
  // ...
});

Reference: https://socket.io/docs/v4/server-api/#event-headers

I think we are really missing a way to register Express middlewares, which should be implemented in the underlying engine, something like:

io.engine.use(yourMiddleware);

darrachequesne avatar Jan 25 '23 07:01 darrachequesne

@darrachequesne the security middleware part was one example, but maybe not the best.

The core of the issue created here is a docs issue.

https://socket.io/how-to/register-a-global-middleware is explaining how to add a global middleware, but https://socket.io/docs/v4/middlewares/ is not.

The "How to register a global middleware" page cannot even be found when searching on https://socket.io/docs/v4/.

Maybe an idea would be to remove https://socket.io/how-to/register-a-global-middleware and put that information on https://socket.io/docs/v4/middlewares/ and then redirect any attempts to go to https://socket.io/how-to/register-a-global-middleware back to that page.

(aside: Going to https://socket.io/search and searching for something, which I tried to search for "global middleware" yields no results so that seems like a bug, possibly in Docusaurus).

thernstig avatar Jan 25 '23 14:01 thernstig