<p>I am building a chat app as a learning experience. I have the app built using websockets. I want to learn to use JWT for authentication. Is there a good resource to learn how to do that with websockets in Go? I've been looking around and I've had trouble finding good instructions. Thank you!</p>
<hr/>**Comments:**<br/><br/>: <pre><p>[deleted]</p></pre>
Ayman250: <pre><p>Is the web-socket secure? Is it possible for an existing websocket connection to be hijacked after it's been authenticated?</p></pre>
: <pre><p>[deleted]</p></pre>
Ayman250: <pre><p>Wow, thanks! This makes the whole thing much easier then!</p></pre>
francoispqt: <pre><p>You can also set a cookie if you want to maintain the auth.</p></pre>
sablefoxx: <pre><p>This leaves the connection potentially vulnerable to <a href="https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html" rel="nofollow">cross-site connections</a>. It is imperative, if you're authenticating using cookies, to also validate the <code>origin</code> HTTP header; it's better to send the authentication data over the <code>wss://</code> connection and validate the <code>origin</code> HTTP header.</p></pre>
tmornini: <pre><p>This is the right answer!</p></pre>
dbud: <pre><p>Simplest thing is to just require that the first message on the socket is the JWT. Once we validate it, we enter the message loop like normal.
If that first message isn't a valid JWT, close the websocket.</p></pre>lacion: <pre><p>I do exactly that with this test project.</p>
<p><a href="https://github.com/lacion/iothub/blob/master/main.go" rel="nofollow">https://github.com/lacion/iothub/blob/master/main.go</a></p></pre>
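<p>The two checks recommended in the comments above (validate the <code>Origin</code> header at the handshake, then require the first WebSocket message to be a JWT), as an added example that is not code from the thread or from the linked project. It uses only the Go standard library; the function names, the allow-list, and the sample key and token are assumptions constructed for illustration, and the WebSocket library's own upgrade, read and close calls are left to the caller.</p>

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// OriginAllowed runs before the upgrade: exact scheme://host match on the Origin header.
func OriginAllowed(origin string, allowed map[string]bool) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Host != "" && allowed[u.Scheme+"://"+u.Host]
}

// Sign returns the base64url HMAC-SHA256 tag over a JWT signing input.
func Sign(input string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// FirstMessageSubject runs once, on the first message after the upgrade. HMAC-SHA256 is
// fixed, so the token's "alg" header is never trusted. On error the caller closes the socket.
func FirstMessageSubject(msg, key []byte, now int64) (string, error) {
	var claims struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	p := strings.Split(string(msg), ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(Sign(p[0]+"."+p[1], key))) {
		return "", fmt.Errorf("bad token signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(body, &claims) != nil || claims.Sub == "" || now >= claims.Exp {
		return "", fmt.Errorf("bad or expired claims")
	}
	return claims.Sub, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample secret, not a real key
	in := "eyJhbGciOiJIUzI1NiJ9." + base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"ayman","exp":2000}`))
	fmt.Println(FirstMessageSubject([]byte(in+"."+Sign(in, key)), key, 1000))
	fmt.Println(OriginAllowed("https://evil.example", map[string]bool{"https://chat.example": true}))
}
```

<p>In a real handler, <code>now</code> would be <code>time.Now().Unix()</code>, and the message loop starts only after <code>FirstMessageSubject</code> returns without error.</p>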