Context
I am building an MMO game in HTML5 with canvas. I use NodeJS on the server and JS from scratch on the client. I also use socket.io to manage realtime communication. The game is persistent and each player keeps their equipment, skills, etc., even after logout. To do that, the player needs to register with an email and password, then log in. The client is a browser but could be another device like a phone in the future. I use HTTPS to encrypt communication.
Problem
In this context, I decided to use a token-based authentication system. I looked at JWT from Auth0 and found: https://jwt.io/introduction/
I noticed that they are talking about the JWS implementation of JWT and not about JWE. After looking at https://github.com/auth0/node-jsonwebtoken I saw that it was the same thing: JWS and no JWE. I suppose that the JWT module developed by Auth0 doesn't provide a JWE implementation of JWT but only a JWS implementation.
- Am I right, or did I miss something? In my particular case (game scenario), I don't know if it's mandatory to encrypt with JWE (I don't think sensitive data will be passed in the token). Do you think JWS is enough?
Alongside this research, I checked Passport (http://www.passportjs.org/docs/). I read the documentation but didn't find information about how they perform authentication when sessions are disabled (http://www.passportjs.org/docs/downloads/html/#disable-sessions).
I tried to implement it with session: false, but no token was returned.
- I suppose I need to implement it myself, but in that case what's the goal of Passport for token-based authentication?
Then a last question about socket.io:
- If I implement JWS token-based authentication to sign my requests and HTTPS to encrypt the communication, how can I secure the bidirectional communication? It looks like two different channels of communication. Is it easy to implement that with socket.io?