Close the socket when authentication expires

[dominykas]

When a websocket requires authentication, and the server uses some sort of token based authentication, the credentials usually have a limited lifetime. The nes clients are free to overrideReconnectionAuth() and provide new credentials for the case when the websocket drops, however if the websocket does not drop - it still assumes the old credentials on the server side. This means that the websocket is open to send/receive information even though the client may no longer have valid credentials, which could be a security issue in some contexts.

Proposal

• Registration options should accept an auth.expiresAt callback.
• When the authentication endpoint accepts valid credentials, it should const expiresAt = await auth.expiresAt(request.auth);. After the client authenticates, the server should const expiresAt = await auth.expiresAt(credentials, artifacts);.
• The websocket should be closed on the server side at expiresAt time. undefined means never expire.
• When the client calls overrideReconnectionAuth() reauthenticate(), it should also make a request to the authentication endpoint, so that the server can update the expiresAt time and extend the websocket lifetime.

[hueniverse]

@dominykas This is mostly done now. Need to update the API doc. Requires hapi v17.8.1 which is reflected in the plugin requirements.

[lock[bot]]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.