This PR makes two changes to improve security/conform this codebase to the Node.js version it is replacing (and thus closes #20). Specifically, these changes implement the fixes added in tootsuite/mastodon#10818
First, it checks OAuth scopes and ensures that the client is authorized to read the data it is requesting. This prevents apps that have write-only access (like a Twitter cross-posting bot) from reading user data via the streaming API.
Second, it adds the ability for WebSocket clients to pass the access token via the sec-websocket-protocol header rather than in the query string.
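An added illustration of the two checks described above (example code, not the PR's or the project's own): the token is taken from either the `access_token` query parameter or the `Sec-WebSocket-Protocol` header, and the stream is served only if the token's scopes permit reading it. The query-parameter name, the space-separated OAuth scope string, the stream-to-scope table and the in-memory token store are all assumptions made for the example.

```javascript
// Assumed table: which OAuth scopes grant read access to each stream type.
const STREAM_SCOPES = {
  user: ['read', 'read:statuses'],
  'user:notification': ['read', 'read:notifications'],
  direct: ['read', 'read:statuses'],
  list: ['read', 'read:lists'],
};

// Returns the access token from the upgrade request, or null if neither carrier has one.
// The query string is checked first; otherwise the first Sec-WebSocket-Protocol value is used.
function extractAccessToken(urlPath, headers) {
  const query = new URL(urlPath, 'http://localhost').searchParams;
  const fromQuery = query.get('access_token');
  if (fromQuery) return fromQuery;
  // The subprotocol header may carry a comma-separated list; the token is the first entry.
  const proto = headers['sec-websocket-protocol'];
  if (typeof proto === 'string' && proto.trim() !== '') {
    return proto.split(',')[0].trim();
  }
  return null;
}

// True when the token's scope string grants read access to the requested stream.
function canReadStream(scopeString, stream) {
  const granted = new Set(scopeString.split(/\s+/).filter(Boolean));
  const accepted = STREAM_SCOPES[stream];
  if (!accepted) return false; // unknown or missing stream name: deny
  return accepted.some((s) => granted.has(s));
}

// Decide whether to accept a WebSocket upgrade. `lookupToken` maps a token to its
// scope string, or null when the token is unknown.
function authorizeUpgrade(urlPath, headers, lookupToken) {
  const token = extractAccessToken(urlPath, headers);
  if (!token) return { ok: false, reason: 'missing token' };
  const scopes = lookupToken(token);
  if (scopes === null) return { ok: false, reason: 'invalid token' };
  const stream = new URL(urlPath, 'http://localhost').searchParams.get('stream');
  if (!canReadStream(scopes, stream)) return { ok: false, reason: 'insufficient scope' };
  return { ok: true, token, stream };
}

// Constructed token store: a full-access token and a write-only cross-posting token.
const TOKENS = { 'tok-full': 'read write follow', 'tok-crosspost': 'write:statuses' };
function demoLookup(token) {
  return Object.prototype.hasOwnProperty.call(TOKENS, token) ? TOKENS[token] : null;
}
```

When the token arrives as a subprotocol, the server must echo that value back in the `Sec-WebSocket-Protocol` response header, otherwise browsers abort the handshake.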