This repository has been archived by the owner on Feb 7, 2024. It is now read-only.

Check the authenticity of incoming connection in the websocket 🔐 #1031

Closed
rhohma opened this issue Sep 15, 2022 · 1 comment

rhohma commented Sep 15, 2022

Hello,

I'm working on beyondcode/laravel-websockets and using Pysher (Python websocket, https://github.com/deepbrook/Pysher) to connect to my Laravel websocket server.

I've been looking for a solution to increase websocket security input/entry with something other than 'appKey' for several weeks.
Has anyone managed to implement anything other than this simple security with an easily accessible 'appKey'?

I thought about limiting entries by domain (websocket.php -> allowed_origins). But it doesn't suit me because my python connection will be outside the server's network.

I am currently working on the custom handler.
The only possibility I've imagined is to modify the onOpen function so that the user who instantiates a connection to the websocket provides me with a token.
I could ask to make an HTTP call on my API server with a bearer token, then send this token to the websocket connection onOpen, then check if the device opening the socket is an authorized user.

Am I off the mark? Or is the basic concept of the websocket to allow anyone to open a socket connection?
If someone gets the websocket URL, can they flood the server and instantiate as many connections as they want? It's still amazing.

Thanks,
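
The scheme described in the post above (authenticate over HTTP with the bearer token, then present a token when the socket opens), sketched as an added example that is not part of the original thread or of laravel-websockets. The names `mint_ticket` and `TicketVerifier`, the ticket format and the 30-second lifetime are assumptions; `verify` stands for the check a custom handler would run in `onOpen` before accepting the connection.

```python
import base64
import hashlib
import hmac
import json
import secrets

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_ticket(secret, user_id, now, ttl=30):
    """API side: call only after the caller's bearer token has been validated."""
    claims = {"sub": user_id, "exp": int(now) + ttl, "jti": secrets.token_hex(16)}
    payload = json.dumps(claims).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

class TicketVerifier:
    """Websocket side: shares `secret` with the API; tickets are short-lived and single-use."""
    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # jti -> exp, remembered until the ticket would expire anyway

    def verify(self, ticket, now):
        """Return the user id, or None when the connection should be closed."""
        try:
            body, sig = ticket.split(".")
            payload, given = b64d(body), b64d(sig)
        except (ValueError, AttributeError):  # wrong shape, bad base64, not a string
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):  # constant-time comparison
            return None
        claims = json.loads(payload)  # parsed only after the signature checks out
        if now >= claims["exp"] or claims["jti"] in self.seen:
            return None  # expired, or already used to open a socket
        self.seen = {j: e for j, e in self.seen.items() if e > now}
        self.seen[claims["jti"]] = claims["exp"]
        return claims["sub"]
```

Because the ticket is signed rather than looked up, the websocket process can reject an unauthenticated connection without calling the API; it does not by itself limit how many sockets an authorized client opens.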


fredsal commented Sep 19, 2022

Maybe this gives you ideas:
laravel/echo#340

@mpociot mpociot closed this as completed Feb 7, 2024