Change WebSocket auth

[Brayan-724]

Due to the WebSocket API in the browsers doesn't allow to add custom headers in the request, the JWT cannot be got from Authorization and should change.

Browsers allow to send custom info from a specific header Sec-WebSocket-Protocol that contains arbitrary data, and we can use it to send de jwt, this is not a very hacky thing because browser doesn't allow other way. ref: kubernetes

So the implementation should change to the following:

• Extract Sec-WebSocket-Protocol
• Split (limit: 5 *[1]) parameters by , (comma)
• Split (limit: 1) key-value parameters by = (equal)
• Get auth key

*[1] If we don't use limit it can be used as exploit, we don't expect more than 5 params, but it can be change if needed

All the parameters can be collected to Vec<(String, String)> instead of HashMap.

[Brayan-724]

@quijadajose sorry, i didn't assignee to @gg0074x but he is doing it

[stifskere]

As per https://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api

5. Smuggle access tokens inside Sec-WebSocket-Protocol

Since the only header a browser will let you control is Sec-WebSocket-Protocol, you can abuse it to emulate any other header. Interestingly (or rather comically), this is what Kubernetes is doing. In short, you append whatever you need for authentication as an extra supported subprotocol inside Sec-WebSocket-Protocol:

const ws = new WebSocket("ws://example.com/path", ["realProtocol", "yourAccessTokenOrSimilar"]);

Then, on the server, you add some sort of middleware that transforms the request back to its saner form before passing it further into the system. Terrible, yes, but so far the best solution. No tokens in the URL, no custom authentication save for the little middleware, no extra state on the server needed. Do not forget to include the real subprotocol, as various tools will reject a connection without one.

There are ways to send headers from the JavaScript Web Socket client, in the Stack Overflow post I sent there are a few more alternatives, if Kubernetes is doing it, I believe it is possible.

[Brayan-724]

Fixed by #13