@julian I understand re: the csrf token—as far as I can tell, the express.sid cookie is used for authorization after the user logs in. I'm able to log in and successfully use the read API.
In lieu of using the write API in the way that I wanted to, I assume that I should be able to use websockets as the web client does, but I'm having trouble working out exactly how to do so.
On my end, this is what looks to be occurring:
- client gets csrf token from /api/config
- client performs GET request to /socket.io/?EIO=3&transport=polling
- client is issued 'io' cookie (related to websocket?) and express.sid cookie—I assume this is a session cookie
- client sends POST request to /login with the csrf token in the header, username and password in the request body, all of the relevant cookies
- HTTP 200 response
- user is then logged in and subsequent requests sent with cookies work as expected; can access private pages, etc.
Regarding websocket connections:
- 'io' cookie is used as 'sid' in query string to open an initial websocket: /socket.io/?EIO=3&transport=websocket&sid=[io cookie here]
- client seems to send payload containing 2probe
- server responds with 3probe
- client sends 5
- server sends 42["checkSession",1], which appears to indicate that the 'io' cookie has changed
- a new websocket is then opened using this new io cookie as sid
However, using Python's websocket-client to test, I don't see where the new 'io' cookie is actually issued or how to open the subsequent websocket. Also, I seem to have overlooked an additional query parameter for /socket.io/, t, which, even though I seem to be able to establish the initial websocket without it, appears to be completely random and to change at each stage.
Is there a library I should be using to negotiate this handshake?
Thanks for your responses and your time, everyone.
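
Added example, not part of the original post and not NodeBB's own code: a small decoder for the Engine.IO v3 (`EIO=3`) text frames listed above, built from the published Engine.IO and Socket.IO packet type tables. The polling body and its `sid` value are constructed samples, and the function names are hypothetical.

```python
import json

# Engine.IO protocol v3 (EIO=3) packet types, keyed by the leading character.
ENGINE_TYPES = {"0": "open", "1": "close", "2": "ping", "3": "pong",
                "4": "message", "5": "upgrade", "6": "noop"}
# Socket.IO packet types, carried inside an Engine.IO "message" packet.
SOCKET_TYPES = {"0": "connect", "1": "disconnect", "2": "event", "3": "ack",
                "4": "error", "5": "binary_event", "6": "binary_ack"}

# Constructed sample of a first polling response body (ASCII only).
OPEN_PACKET = ('0{"sid":"EXAMPLE-SID","upgrades":["websocket"],'
               '"pingInterval":25000,"pingTimeout":60000}')
SAMPLE_POLLING_BODY = "%d:%s2:40" % (len(OPEN_PACKET), OPEN_PACKET)


def split_polling_payload(body):
    """Split an EIO=3 polling body framed as <length>:<packet>, repeated."""
    packets, i = [], 0
    while i < len(body):
        colon = body.index(":", i)
        length = int(body[i:colon])  # length in characters, not bytes
        packets.append(body[colon + 1:colon + 1 + length])
        i = colon + 1 + length
    return packets


def decode_packet(packet):
    """Decode one text packet into a dict describing both protocol layers."""
    if not packet or packet[0] not in ENGINE_TYPES:
        raise ValueError("not an Engine.IO text packet: %r" % (packet,))
    out = {"engine": ENGINE_TYPES[packet[0]]}
    data = packet[1:]
    if out["engine"] == "open":
        out["handshake"] = json.loads(data)  # sid, upgrades, ping timers
    elif out["engine"] == "message" and data:
        out["socket"] = SOCKET_TYPES.get(data[0], "unknown")
        start = data.find("[")  # skip any namespace or ack id before the JSON
        if out["socket"] in ("event", "ack") and start != -1:
            out["args"] = json.loads(data[start:])
    elif data:
        out["data"] = data  # e.g. "probe" during the transport upgrade check
    return out


if __name__ == "__main__":
    for pkt in split_polling_payload(SAMPLE_POLLING_BODY):
        print(repr(pkt), "->", decode_packet(pkt))
    for frame in ("2probe", "3probe", "5", '42["checkSession",1]'):
        print(repr(frame), "->", decode_packet(frame))
```

The `sid` the websocket URL needs is carried in the `open` packet of the first polling response body, so a client can read it there rather than from a cookie.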