onvif / specs

ONVIF Network Interface Specifications

WebRTC: Use Authorization header as standard authentication #397

Closed jmelancongen closed 1 month ago

jmelancongen commented 5 months ago

Currently, the signaling protocol specifies initial authentication as a mandatory register message when opening the websocket. This forces a signaling server to accept unauthenticated websockets and leave them open for some time to receive the actual authentication information, which opens us to some DoS/resource exhaustion attacks.

We have a precedent in the Uplink specification of authenticating a WebSocket connection via the header or query parameter (to accommodate browser websockets, which can't provide headers). This ensures we use a common way of authenticating this kind of cloud connection in both specs, and allows us to validate that the request is legitimate before accepting any websocket session.
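The check described above, as an added example that is not part of the issue, the ONVIF specification, or any ONVIF project code: a signaling server inspects the HTTP upgrade request and decides whether to complete the WebSocket handshake before any session exists, so unauthenticated clients never hold an open socket. The `Bearer` scheme, the `access_token` query parameter name (the browser fallback), and the token store are assumptions made for this example; the specification text on the page names neither.

```python
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed token store for this example; a real server would validate
# against its credential backend. Values are constructed, not real.
VALID_TOKENS = {"constructed-token-123"}

# Assumed query parameter name for browser clients that cannot set headers.
QUERY_PARAM = "access_token"


def parse_upgrade_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into method, target and headers.

    Header names are lower-cased so lookups are case-insensitive.
    Raises ValueError on a malformed request line.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_credential(target: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the presented token, preferring the Authorization header.

    If an Authorization header is present but not a usable Bearer
    credential, the request is treated as unauthenticated rather than
    falling back to the query parameter, so a malformed header cannot
    be used to bypass the header check.
    """
    auth = headers.get("authorization")
    if auth is not None:
        scheme, _, token = auth.partition(" ")
        if scheme.lower() == "bearer" and token.strip():
            return token.strip()
        return None
    query = parse_qs(urlsplit(target).query)
    values = query.get(QUERY_PARAM)
    return values[0] if values else None


def token_is_valid(token: str) -> bool:
    """Constant-time comparison against every known token."""
    return any(hmac.compare_digest(token, known) for known in VALID_TOKENS)


def decide_upgrade(raw: bytes) -> int:
    """Return the HTTP status the server should answer the upgrade with.

    101: credentials valid, complete the WebSocket handshake.
    401: no or invalid credentials; the socket is closed without ever
         becoming a signaling session.
    400: not a well-formed WebSocket upgrade request at all.
    """
    try:
        method, target, headers = parse_upgrade_request(raw)
    except ValueError:
        return 400
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return 400
    credential = extract_credential(target, headers)
    if credential is None or not token_is_valid(credential):
        return 401
    return 101


# Constructed upgrade requests exercising each path.
REQ_HEADER = (
    b"GET /signaling HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Authorization: Bearer constructed-token-123\r\n\r\n"
)
REQ_QUERY = (
    b"GET /signaling?access_token=constructed-token-123 HTTP/1.1\r\n"
    b"Host: example.invalid\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
)
REQ_ANONYMOUS = (
    b"GET /signaling HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
)
REQ_WRONG_TOKEN = (
    b"GET /signaling HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Authorization: Bearer constructed-token-999\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("header", REQ_HEADER), ("query", REQ_QUERY),
                      ("anonymous", REQ_ANONYMOUS), ("wrong", REQ_WRONG_TOKEN)]:
        print(name, decide_upgrade(req))
```

The decision is made entirely from the upgrade request, so a client that presents nothing is refused with 401 before the server allocates any per-session state; this is the resource-exhaustion concern the issue raises with a register-message-first design.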

jmelancongen commented 4 months ago

Updated to only add the Authorization header requirement, without removing the register command, as discussed during the F2F review.