wspack
Events (payload.e)
Handshake
- hello
- auth
- renegotiate
- auth-failed
TODO:
- On handshake initiation, the client needs to verify that the server is indeed the server, if the server should be known to the client.
Security
- Encryption is only available when auth is enabled (using keys).
- Encryption only covers payload.data content.
- Encryption handshake:
  - Server -> Client (not encrypted): This is your pub key, use it as salt to authorize.
  - Client -> Server (not encrypted): My authKey is "authKey + pubKey + timestamp" and my timestamp is "timestamp".
  - Server -> Client (IF VALID) (encrypted): OK. Use this pubKey from now on.
If you have problems with the handshake, fluctuating latency may be the cause: the server validates the authKey by checking the timestamp first.
On the server side, the pubKey is stored on the websocket client (session).
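
The handshake above, sketched as an added example (not wspack's own code): the client derives its proof from authKey + pubKey + timestamp, and the server checks the timestamp before comparing proofs. The SHA-256 hash, the 5-second window, the message field names and all function names are assumptions.

```javascript
// Added example: hash choice, skew window and names are assumptions, not wspack's API.
const nodeCrypto = require('node:crypto');

const MAX_SKEW_MS = 5000; // assumed tolerance for clock drift plus network latency

// Proof = SHA-256(authKey + pubKey + timestamp); the hash function is an assumption.
function makeProof(authKey, pubKey, timestamp) {
  return nodeCrypto.createHash('sha256')
    .update(`${authKey}${pubKey}${timestamp}`)
    .digest();
}

// Client side: answer the server's hello with a proof and the timestamp it used.
function clientAuth(authKey, pubKey, now = Date.now()) {
  return { e: 'auth', proof: makeProof(authKey, pubKey, now).toString('hex'), timestamp: now };
}

// Server side: check the timestamp first, then compare proofs in constant time.
// sessionPubKey is the pubKey the server stored on this websocket session.
function serverVerify(msg, authKey, sessionPubKey, now = Date.now()) {
  if (!Number.isSafeInteger(msg.timestamp) ||
      Math.abs(now - msg.timestamp) > MAX_SKEW_MS) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  const expected = makeProof(authKey, sessionPubKey, msg.timestamp);
  const got = Buffer.from(String(msg.proof), 'hex');
  if (got.length !== expected.length || !nodeCrypto.timingSafeEqual(got, expected)) {
    return { ok: false, reason: 'bad-proof' };
  }
  return { ok: true };
}

// Constructed sample values for trying the functions out.
const AUTH_KEY = 'constructed-shared-secret';
const PUB_KEY = 'constructed-session-pubkey';
const T0 = 1700000000000;
```

Because the proof includes the per-session pubKey, a proof captured on one session does not verify on a session that was handed a different pubKey. Widening `MAX_SKEW_MS` reduces handshake failures under fluctuating latency at the cost of a longer window in which a captured proof stays valid for the same session.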