Do not transmit the auth token in the URI

[dappelt]

The auth token should not be passed to the server in the URL like this: https://github.com/interledgerjs/ilp-plugin-payment-channel-framework/blob/bs-clp/src/model/rpc.js#L178-L183

Instead, send the auth token as the first message once the WebSocket connection is open.

[michielbdejong]

The current setup protocol uses URLs like wss://example.com/api-path/NAME/TOKEN, where example.com/api-path uniquely identifies the server-side peer as well as the protocol version, and NAME uniquely identifies the client-side peer, in the context of the server-side peer. The server-side peer is authenticated by its TLS certificate, and the client-side peer by TOKEN.

The relationship between server and client is silently created, the first time a client connects to a server, which means the first time, TOKEN can be anything, but next times, it has to match what was given the first time.

Is there anything in that behavior you would also like to change? I can imagine an ilp-kit instance may want to whitelist who is allowed to connect to it, instead of creating relationships silently and on the fly? Or maybe the relationship will be pending until the admin confirms it in the UI?

So if TOKEN moves to a message, then the WebSocket URL becomes wss://example.com/api-path/NAME, correct? Or would you want to move both NAME to the first message as well?

[dappelt]

Or would you want to move both NAME to the first message as well?

If the value of NAME is confidential, then we should move it also to the first message. Otherwise, it is not strictly necessary.

[michielbdejong]

ok, I'll draft a list of changes that we want to make, not only to CLP itself, but also to the protocols on top of it, and include this one.