module ApplicationCable
  class Connection < ActionCable::Connection::Base
    identified_by :current_user
    def connect
      #puts params[:auth_token]
      self
As I already stated in a comment, the accepted answer is not a good idea, simply because the convention is that the URL should not contain such sensitive data. You can find more information here: https://tools.ietf.org/html/rfc6750#section-5.3 (though this is specifically about OAuth).
There is however another approach: Use HTTP basic auth via the ws URL. I found that most WebSocket clients allow you to implicitly set the headers by prepending the URL with HTTP basic auth like this: wss://user:pass@yourdomain.com/cable
This will add the Authorization header with a value of Basic ...
In my case I was using devise with devise-jwt and simply implemented a strategy which inherited from the one provided in the gem which pulls the JWT out of the Authorization header. So I set the URL like this: wss://TOKEN@host.com/cable which sets the header to this (pseudo): Basic base64("token:") and parse that in the strategy.
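The header round trip described in this answer, as an added Ruby example that is not part of the original answer and is not devise-jwt code. The helper names, the size cap, the JWT shape check and host.example are assumptions made for illustration.

```ruby
require "uri"

MAX_HEADER_BYTES = 8192 # assumed size cap, not from the answer
JWT_SHAPE = /\A[\w-]+\.[\w-]+\.[\w-]+\z/ # three base64url segments (assumed check)

# Client side, as the answer describes it: URL userinfo becomes
# "Basic " + base64("user:password"); with only TOKEN@ the password is empty.
# JWT characters (A-Z a-z 0-9 - _ .) need no percent-encoding in userinfo.
def basic_header_for(url)
  uri = URI.parse(url)
  return nil if uri.user.nil?
  "Basic " + ["#{uri.user}:#{uri.password}"].pack("m0") # m0 = strict base64
end

# Server side: recover the token from the Authorization header, returning nil
# for anything that is not well-formed Basic credentials with a JWT-shaped
# username. This only extracts the token; signature and expiry checks still
# belong to the JWT verification step (devise-jwt in the answer's setup).
def token_from_basic_auth(header)
  return nil unless header.is_a?(String) && header.bytesize <= MAX_HEADER_BYTES
  scheme, encoded = header.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded
  # unpack1("m0") is strict: it raises ArgumentError on non-base64 input
  decoded = encoded.strip.unpack1("m0")
  # RFC 7617: the user-id ends at the first colon; the password is ignored here
  user, _password = decoded.split(":", 2)
  return nil if user.nil? || !user.match?(JWT_SHAPE)
  user
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  sample = "aaa.bbb.ccc" # constructed placeholder, not a real JWT
  header = basic_header_for("wss://#{sample}@host.example/cable")
  puts header
  puts token_from_basic_auth(header).inspect
end
```

The extracted string is untrusted until the JWT library has verified it, so nothing should be keyed on it before that step.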