SAFE-Stack/SAFE-ConfPlanner

Add auth to websockets

forki opened this issue · 3 comments

forki commented

It looks like the websockets don't use authentication. I think they should send a JSON web token on the first message so that the server knows it's ok.

Yes I was thinking about this too.

My problem is that I have not figured out a good workflow for doing this. Should the JWT be checked in every message or just when the handshake is made? I don't want a websocket to be created at all when there is no valid JWT.

I think each subpage (e.g. conference/dummy) needs to be responsible for its own websocket connection (will be initiated in the init function of the submodule). The connection (i.e. the handshake) should only be successful when the JWT is valid. Therefore the JWT needs to be created earlier.

So I am thinking of the following workflow:

  • Open the page
  • no websockets will be created
  • Login Form will be shown
  • Login Form sends normal request to server
  • JWT will be created
  • Access to submodules is allowed
  • JWT is checked during/before handshake (?)
  • JWT is checked with every message (?)

What do you think?

forki commented
  • JWT is checked during/before handshake (?)
  • JWT is checked with every message (?)

I changed it to use the JWT in a query parameter of the websocket URL.

done by #45
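An added sketch of the handshake-time check discussed in this thread (not code from the thread or from SAFE-ConfPlanner): the server verifies the JWT from the websocket URL's query string before accepting the upgrade, and re-checks expiry on later messages. The parameter name `jwt`, the path `/websocket`, the HS256 shared secret and all function names are assumptions; because a token in a URL ends up in access logs, the sketch also logs only the path.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit, parse_qs

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a constructed HS256 token (stands in for the login response)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Return the claims if algorithm, signature and exp are valid, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64 or JSON
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def authorize_handshake(request_target: str, now: float):
    """Return (101, claims) to accept the upgrade or (401, None) to refuse it."""
    tokens = parse_qs(urlsplit(request_target).query).get("jwt", [])
    claims = verify_token(tokens[0], now) if len(tokens) == 1 else None
    return (101, claims) if claims else (401, None)

def still_authorized(claims: dict, now: float) -> bool:
    """Per-message check: close a long-lived socket once the token has expired."""
    return claims["exp"] > now

def redact_for_log(request_target: str) -> str:
    """Log only the path so the token does not land in access logs."""
    return urlsplit(request_target).path
```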