[x] Implement server side
[x] Add anti-DoS token issuance endpoint (so the client library holds only the bearer token and fetches a short-lived "nod" token from the endpoint on demand, rather than storing two credentials)
We want authenticated and authorized WebSocket connections that work in the browser (ref. https://github.com/whatwg/websockets/issues/16).
The well-known workarounds include:
Each method has its own trade-offs.
Our choice is to send the authentication bearer token over the WebSocket itself, as the first message after the connection is established. This is the cleanest approach because the bearer token never appears in a URL and so never lands in browser history or in server and proxy access logs. Its drawback is that the server has to accept the upgrade before it knows who the client is, so anyone could open sockets and hold them open without presenting any credential, which is a denial-of-service vector. To counteract that, we additionally require a "nod" token in the query parameters, one that we don't mind being leaked: a JWT containing only the iat claim and a proper signature. It carries no identity and grants no access on its own; it only shows that the connecting party recently obtained a token from our issuance endpoint, and since it has no exp claim the server must reject it once iat is older than a short window. The server should also close any accepted connection that does not deliver a valid bearer token within a short grace period, so that a leaked nod token buys an attacker little more than a briefly half-open socket.