Allow upgrade hook to return custom response

[JCtapuk]

Describe the feature

Here you also need to add an authentication check during the upgrade handshake, for example, only authorized users can enter the socket in order to then save the client user information
Examle event:

const onAuth = defineEventHandler(event => {
  // valid token or more check
  event.context.user = {} // save user
})

export default defineWebSocketHandler({
  upgrade(req) {
    return false // failed connect example JWT.verify(req.headers['Token'])
    return {headers:{}} success connect
  }
  // or new method auth (before the upgrade event)
  auth(event) {
    const {token} = getQuery(event)
    if (!token) {
      throw createError('Not authorized')
    }
    
    return true // or {headers: {}}
  }
})

This is just an example since in this code there is no way to refuse clients who have passed

// Upgrade
    async upgrade(req) {
      const [res1, res2] = await Promise.all([
        opts.hooks?.upgrade?.(req),
        await resolveHook(req, "upgrade").then((h) => h?.(req)),
      ]);
      const headers = new Headers(res1?.headers);
      if (res2?.headers) {
        for (const [key, value] of new Headers(res2?.headers)) {
          headers.append(key, value);
        }
      }
      return { headers };
    },

Additional information

• Would you be willing to help implement this feature?

[pi0]

Maybe by allows to throw an error we can support this?

[JCtapuk]

Maybe by allows to throw an error we can support this?

Yes. It's possible, but we can't change the Response like that.

[pi0]

We might expose a new createError({ status, body }) util to support status controllng or maybe simply something like this:

export default defineWebSocketHandler({
  async upgrade(req) {
    const authenticated = await authenticate(req);
    if (!authenticated) {
      return {
        error: { status: 401, statusMessage: 'Unauthorized' }
      };
    }
    return {
      headers
    }
  }
})

The thrown error could also be attached with those keys BTW (example createError util in h3). So we can make it compatible with 3rd party errors to control code.

[JCtapuk]

@pi0 good sound

[frenzzy]

Authentication is not complete without accessing the session information for a peer.

Is there a way to, for example, bind the authenticated userId to a peer object?

Or is it supposed to be handled manually via peer.headers.cookie when necessary?
For instance, through the H3 getSession helper, which currently expects an H3Event as the first argument.

[ml1nk]

Is there any progress on this one?

I also want to authenticate on upgrade, because doing it later on is somewhat tricky.

[pi0]

Added in #55. It will be possible in next release to use return new Response() inside upgrade hook in order to fail upgrade with an auth error.