The client opens a websocket to the coordination server, and then starts to log on.
The server sends a logon challenge with a random seed, to punt replay attacks. (This is sealed by the server key, so the client also mutually verifies the server)
The server verifies the logon response by seeing if its sealed by the node key, it then checks expiry.
The logon response contains the session public key, endpoints (as acquired by STUN), and requested home relay.
In either case if the logon response gets accepted or rejected, the server echoes the public session key in the sealed reply, so replay attacks (from the server side) are also punted.
When rejected, the client requires the user to re-authenticate itself with the coordination server (which revives the node key).
When accepted, the server replies with the currently known and open sessions, to pre-populate the client's netmap. It then starts distributing the new session to other clients.
Clients receive session updates over their open websockets with the coordination server.
When the websocket disconnects, the server waits 5 minutes before it times out the session. When the server receives a new logon from the client within that time, the session is just updated with new endpoints (and session key, if need be), and not stopped.
Any non-expired node key can always request to fetch current relay information. A client can use this to bootstrap STUN-gotten public endpoints before it logs on.
Authentication just revives or validates a node key, it does not log on the client.
The logon process is something like this:
Clients receive session updates over their open websockets with the coordination server.
When the websocket disconnects, the server waits 5 minutes before it times out the session. When the server receives a new logon from the client within that time, the session is just updated with new endpoints (and session key, if need be), and not stopped.
Any non-expired node key can always request to fetch current relay information. A client can use this to bootstrap STUN-gotten public endpoints before it logs on.
Authentication just revives or validates a node key, it does not log on the client.