In your example, you set the user on the socket object in the postAuthenticate function.
Do you see an issue if we set the user on the socket in the authenticate method right before the callback only if the password received (data.password) matches with user.password?
In your example, it finds the user in database twice.

Thanks.

Ok, I've read the code, it should work.
Maybe we can add a third parameter at the callback on success, like: callback(null, true, user).
This third parameter would be sent to postAuthenticate. What do you think? Easy for me to PR.

There's not much of a downside in doing that I guess, the main difference is that postAuthenticate runs after the connection with the client has been "whitelisted" and the authenticated event is fired.

Maybe we can add a third parameter at the callback on success, like: callback(null, true, user).
This third parameter would be send to postAuthenticate. What do you think? Easy for me to PR.

I'm not sure that would be necessary. If you want to save data already available during authenticate, you can just add it already as you suggested in your first comment. The third user parameter you talk about is specific to a use case, you won't necessarily always be authenticating to a user in a database.