0.11.1 • Published 3 months ago
@robertsvendsen/wspack v0.11.1
wspack
Events (payload.e)
Handshake
- hello
- auth
- renegotiate
auth-failed
TODO:
When the handshake is initiated, the client needs to verify that the server is who it claims to be, in cases where the server should already be known to the client.
Security
- Encryption is only available when auth is enabled (using keys).
- Encryption covers only the payload.data content.
Encryption handshake:
- Server -> Client (not encrypted): This is your pubKey, use it as salt to authorize.
- Client -> Server (not encrypted): My authKey is "authKey + pubKey + timestamp" and my timestamp is "timestamp".
- Server -> Client (IF VALID) (encrypted): OK. Use this pubKey from now on.
If you have problems with the handshake, fluctuating latency may be the cause: the server validates the authKey by checking the timestamp first.
On the server side, the pubKey is stored on the websocket client (session).
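The server-side check from the handshake above, written out as an added example (not wspack's own code): the timestamp is checked first, then the authKey is compared in constant time against the value derived from the session's pubKey. The HMAC-SHA256 derivation, the `MAX_SKEW_MS` window, the function names and the reason strings other than `auth-failed` are assumptions, and all sample values are constructed.

```javascript
// Added example, not wspack code. Assumed: HMAC-SHA256 combines the shared
// secret with pubKey and timestamp; the freshness window is MAX_SKEW_MS.
const crypto = require('crypto');

const MAX_SKEW_MS = 5000; // assumed tolerance, not a wspack setting

// Client side: value sent in the unencrypted auth message.
function deriveAuthKey(secret, pubKey, timestamp) {
  return crypto.createHmac('sha256', secret)
    .update(`${pubKey}|${timestamp}`)
    .digest('hex');
}

// Server side: check the timestamp first, then compare in constant time.
// `session` stands in for the websocket client object that stores the pubKey.
function validateAuth(session, msg, secret, now = Date.now()) {
  const ts = Number(msg.timestamp);
  if (!Number.isSafeInteger(ts)) return { ok: false, reason: 'bad-timestamp' };
  if (Math.abs(now - ts) > MAX_SKEW_MS) return { ok: false, reason: 'stale-timestamp' };

  const expected = Buffer.from(deriveAuthKey(secret, session.pubKey, ts), 'hex');
  const given = Buffer.from(String(msg.authKey), 'hex'); // bad hex yields a short buffer
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'auth-failed' };
  }
  return { ok: true };
}

// Constructed sample run with a fixed clock so the results are repeatable.
function demo() {
  const secret = 'constructed-shared-secret';
  const session = { pubKey: 'constructed-pubkey-A' };
  const t0 = 1700000000000;
  const msg = { authKey: deriveAuthKey(secret, session.pubKey, t0), timestamp: t0 };
  return {
    onTime: validateAuth(session, msg, secret, t0 + 120),
    delayed: validateAuth(session, msg, secret, t0 + 8000), // latency spike
    otherSession: validateAuth({ pubKey: 'constructed-pubkey-B' }, msg, secret, t0 + 120),
    tampered: validateAuth(session, { ...msg, authKey: 'zz' }, secret, t0 + 120),
  };
}

console.log(demo());
```

The `delayed` case shows why fluctuating latency breaks the handshake even with a correct key, and `otherSession` shows that an auth message captured from one session does not validate against another session's pubKey.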