WebSocket Auth #91

mfornos · 2024-06-17T14:57:57Z

We want authenticated and authorized WebSocket connections that work in the browser (ref. whatwg/websockets#16).

The well-known workarounds include:

Sending the auth token in query parameters
Sending it in an HTTP cookie
Using the Sec-WebSocket-Protocol hack
Sending it over the WebSocket itself

Each method has its own trade-offs.

Our choice is to send the authentication bearer token over the WebSocket itself, as it is the cleanest approach. To counteract the potential denial of service attack vector, we additionally include a "nod" token in the query parameters that we don't mind if it is leaked. The "nod" token is a JWT containing only the iat field and a proper signature.

Implement server side
Add anti-dos token issuance endpoint (to avoid more than one token in the client lib + short expiration)
Limit max requests x time period x IP address
Add "nod" support in the client library

mfornos added feature analysis Task that needs research and investigation labels Jun 17, 2024

mfornos added this to the M2 - Runtime Baseline and XCM Program milestone Jun 17, 2024

mfornos changed the title ~~WebSocket Authentitcation~~ WebSocket Authentication Jun 17, 2024

mfornos changed the title ~~WebSocket Authentication~~ WebSocket Auth Jun 17, 2024

mfornos added a commit that referenced this issue Jun 17, 2024

add rate limit #91

df68e6e

XY-Wang closed this as completed Jun 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WebSocket Auth #91

WebSocket Auth #91

mfornos commented Jun 17, 2024 •

edited by XY-Wang

Loading

WebSocket Auth #91

WebSocket Auth #91

Comments

mfornos commented Jun 17, 2024 • edited by XY-Wang Loading

mfornos commented Jun 17, 2024 •

edited by XY-Wang

Loading