[headless] change websocket authentication from basic auth to token message

briar-headless/README.md

@@ -161,21 +161,18 @@ The Briar peer uses a websocket to notify a connected API client about new event
 
 `WS /v1/ws`
 
-The websocket request must use basic auth,
+Immediately after making the connection,
-with the authentication token as the username and a blank password.
+you must send the authentication token as a message to the websocket.
+If you fail to do this, you will not receive messages on that socket.
 
-You can test connecting to the websocket with curl:
+In JavaScript, it would look like this:
 
-    $ curl --no-buffer \
+```javascript
-           --header "Connection: Upgrade" \
+var token = "DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk=";
-           --header "Upgrade: websocket" \
+var socket = new WebSocket("ws://localhost:7000/v1/ws");
-           --header "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" \
+socket.onopen = function(event) { socket.send(token); };
-           --header "Sec-WebSocket-Version: 13" \
+socket.onmessage = function(event) { console.log(event.data); }
-           --user "DZbfoUie8sjap7CSDR9y6cgJCojV+xUITTIFbgtAgqk="
+```
-           http://127.0.0.1:7000/v1/ws
-
-The headers are only required when testing with curl.
-Your websocket client will most likely add these headers automatically.
 
 ### Receiving new private messages
 

briar-headless/src/main/java/org/briarproject/briar/headless/Router.kt

@@ -9,7 +9,6 @@ import io.javalin.JavalinEvent.SERVER_START_FAILED
 import io.javalin.JavalinEvent.SERVER_STOPPED
 import io.javalin.NotFoundResponse
 import io.javalin.apibuilder.ApiBuilder.*
-import io.javalin.core.util.ContextUtil
 import io.javalin.core.util.Header.AUTHORIZATION
 import org.briarproject.bramble.api.contact.ContactId
 import org.briarproject.briar.headless.blogs.BlogController
@@ -20,6 +19,7 @@ import org.briarproject.briar.headless.messaging.MessagingController
 import java.lang.Runtime.getRuntime
 import java.lang.System.exit
 import java.util.concurrent.atomic.AtomicBoolean
+import java.util.logging.Level
 import java.util.logging.Logger.getLogger
 import javax.annotation.concurrent.Immutable
 import javax.inject.Inject
@@ -85,13 +85,16 @@ constructor(
             }
         }
         app.ws("/v1/ws") { ws ->
-            ws.onConnect { session ->
+            if (logger.isLoggable(Level.INFO)) ws.onConnect { session ->
-                val authHeader = session.header(AUTHORIZATION)
+                logger.info("Received websocket connection from ${session.remoteAddress}")
-                val token = ContextUtil.getBasicAuthCredentials(authHeader)?.username
+                logger.info("Waiting for authentication")
-                if (authToken == token) {
+            }
-                    logger.info("Adding websocket session with ${session.remoteAddress}")
+            ws.onMessage { session, msg ->
+                if (msg == authToken && !webSocketController.sessions.contains(session)) {
+                    logger.info("Authenticated websocket session with ${session.remoteAddress}")
                     webSocketController.sessions.add(session)
                 } else {
+                    logger.info("Invalid message received: $msg")
                     logger.info("Closing websocket connection with ${session.remoteAddress}")
                     session.close(1008, "Invalid Authentication Token")
                 }