ergochat / ergo

A modern IRC server (daemon/ircd) written in Go.
https://ergo.chat/
MIT License

websocket authentication via SASL EXTERNAL and cookies #2185

Open slingamn opened 3 months ago

slingamn commented 3 months ago

Websockets cannot be authenticated via client certificates due to an implementation limitation of Chrome. However:

[02:51:34 PM] <gabedev-hostmast> random but has there been any discussion around SASL EXTERNAL with WebIRC? Would be nice considering on the server side, websockets usually expose server set cookies (and thus, SASL can be done implicitly at the transport protocol level). This would also yield an experience where users don't have to sign into the chat each time they reload the page
[02:51:35 PM] <gabedev-hostmast> (without storing credentials in localStorage or making an additional setup HTTP call, etc..)
[02:52:00 PM] <gabedev-hostmast> sorry, HTTP cookies, not server set (they're all server set :D)
[02:52:24 PM] <gabedev-hostmast> for auth (you hope)
[02:54:52 PM] <emersion> that's what i did for chat.sr.ht
[02:55:10 PM] <emersion> client sends AUTH EXTERNAL, server looks up cookie
[02:55:30 PM] <gabedev-hostmast> oh ok cool
[02:56:07 PM] <emersion> nothing to be done on the spec side of things AFAIK

slingamn commented 3 months ago

The cookie would be validated via auth-script or possibly the JWT implementation. The name would have to be configurable.
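
A sketch of the handshake-time lookup discussed in this issue, added here as an illustration; it is not code from Ergo or chat.sr.ht. The function name, the cookie name `chat_session`, the `account.expiry.mac` cookie format and the HMAC check (standing in for the auth-script or JWT validation mentioned above) are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

func sign(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// AccountFromHandshake (hypothetical) returns the account a later AUTHENTICATE
// EXTERNAL on this websocket maps to, or an error meaning EXTERNAL must fail.
func AccountFromHandshake(r *http.Request, cookie string, origins map[string]bool, key []byte, now time.Time) (string, error) {
	// Cookies can ride along on cross-site handshakes, so check Origin first.
	if !origins[r.Header.Get("Origin")] {
		return "", errors.New("origin not allowed")
	}
	c, err := r.Cookie(cookie) // cookie name comes from configuration
	if err != nil {
		return "", err
	}
	parts := strings.Split(c.Value, ".") // constructed format: account.expiry.mac
	if len(parts) != 3 || !hmac.Equal([]byte(sign(key, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return "", errors.New("bad cookie")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", errors.New("expired cookie")
	}
	return parts[0], nil
}

func main() { // constructed request: same-origin handshake with a valid cookie
	key, p := []byte("constructed-key"), "alice.4102444800"
	r, _ := http.NewRequest("GET", "https://chat.example/ws", nil)
	r.Header.Set("Origin", "https://chat.example")
	r.AddCookie(&http.Cookie{Name: "chat_session", Value: p + "." + sign(key, p)})
	fmt.Println(AccountFromHandshake(r, "chat_session", map[string]bool{"https://chat.example": true}, key, time.Now()))
}
```

The result would be stored on the connection at upgrade time, so that `AUTHENTICATE EXTERNAL` succeeds only when a non-empty account was recorded.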