I'm now learning some new technologies (such as node.js, socket.io, redis etc.) and making some simple test applications to see how it can work.
My question is about se
Supposing your variables are protected in closures and that it's not trivial to change them by typing username='root' in the console, a user could simply replace the whole code.
Everything that happens client side is totally out of your control.
The good news is that there are solutions not involving a duplicate authentication. Supposing you already authenticate the user in your express application, you can get the session and the user from that.
See how I do it in my chat server:
```javascript
var SessionSockets = require('session.socket.io');
// io, sessionStore and cookieParser come from the express/socket.io setup:
// the same cookieParser(secret) and session store the express session middleware uses
var sessionSockets = new SessionSockets(io, sessionStore, cookieParser);

sessionSockets.on('connection', function (err, socket, session) {
    // reject the connection: log it, tell the client, close the socket
    function die(err) {
        console.log('ERR', err);
        socket.emit('error', err.toString());
        socket.disconnect();
    }
    if (err) return die(err); // session lookup itself failed
    if (!(session && session.passport && session.passport.user && session.room)) return die('invalid session');
    var userId = session.passport.user;
    if (!userId) return die('no authenticated user in session');
    // ... handling socket for authenticated user
});
```
Basically, it uses the session.socket.io module to propagate the session from the standard http requests (authenticated using passport) to the socket.io connection. And everything that isn't supposed to be provided by the user is taken from the session/db/server.