I decided to go with the following protocol:
1. The client logs into the site and receives an authentication token (a JSON Web Token)
GET /auth
{
user: 'maggie',
pwd: 'secret'
}
// response
{ token: '4ad42f...' }
2. The authenticated client requests a websocket connection ticket
GET /ws_ticket
Authorization: Bearer 4ad42f...
// response: single-use ticket (will only pass validation once)
{ ticket: 'd76a55...', expires: 1475406042 }
3. The client opens the websocket, sending the ticket as a query parameter
var socket = new WebSocket('wss://example.com/channel/?ticket=d76a55...');
4. The websocket server (PHP) then validates the ticket before accepting the handshake
/**
* Receives the URL used to connect to websocket. Return true to admit user,
* false to reject the connection
*/
function acceptConnection($url){
    $query = parse_url($url, PHP_URL_QUERY);   // null/false when the URL carries no query string
    parse_str((string) $query, $params);       // parse_str() fills $params by reference; it has no return value
    return isset($params['ticket']) && validateTicket($params['ticket']);
}
/** Returns true if ticket is valid, never-used, and not expired. */
function validateTicket($ticket){/*...*/}
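A self-contained version of steps 2 and 4, added here as an example and not part of the original answer. The in-memory $ticketStore array, issueTicket(), consumeTicket() and the user id that acceptConnection() hands back on success are assumptions standing in for whatever store and API the real server uses:

```php
<?php
// Added example, not the answer's own code. The array store, issueTicket(),
// consumeTicket() and the user id returned on success are assumptions.
declare(strict_types=1);

const TICKET_TTL = 30; // seconds a ticket stays valid; long enough for one handshake

/** @var array<string, array{user: string, expires: int}> stand-in for a Redis/DB table */
$ticketStore = [];

/** Step 2: mint a random, short-lived, single-use ticket for an already-authenticated user. */
function issueTicket(array &$store, string $userId, ?int $now = null): array
{
    $now = $now ?? time();
    $ticket = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG: unguessable, no need to sign it
    $store[$ticket] = ['user' => $userId, 'expires' => $now + TICKET_TTL];
    return ['ticket' => $ticket, 'expires' => $store[$ticket]['expires']];
}

/**
 * Returns the user id if the ticket exists, has never been used and is not expired,
 * otherwise null. The entry is deleted before the answer is computed, so a ticket
 * can pass at most once; with a shared store the delete must be atomic
 * (e.g. Redis GETDEL) so two concurrent handshakes cannot both win.
 */
function consumeTicket(array &$store, string $ticket, ?int $now = null): ?string
{
    $now = $now ?? time();
    if (!isset($store[$ticket])) {
        return null; // unknown or already consumed
    }
    $entry = $store[$ticket];
    unset($store[$ticket]); // burn it whether or not it is still fresh
    if ($entry['expires'] < $now) {
        return null; // expired
    }
    return $entry['user'];
}

/** Step 4: parse the websocket URL and admit the connection only if the ticket is consumed. */
function acceptConnection(array &$store, string $url, ?int $now = null): ?string
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null; // no query string at all
    }
    parse_str($query, $params); // parse_str() fills $params by reference; it returns nothing
    $ticket = $params['ticket'] ?? null;
    if (!is_string($ticket) || !preg_match('/^[0-9a-f]{64}$/', $ticket)) {
        return null; // malformed: reject before touching the store
    }
    return consumeTicket($store, $ticket, $now);
}

// Constructed walk-through: a fixed clock makes the expiry case reproducible.
$now = 1475406000;
$issued = issueTicket($ticketStore, 'maggie', $now);
$url = 'wss://example.com/channel/?ticket=' . $issued['ticket'];
var_dump(acceptConnection($ticketStore, $url, $now));  // first handshake: admitted as the issuing user
var_dump(acceptConnection($ticketStore, $url, $now));  // same ticket replayed: rejected
$stale = issueTicket($ticketStore, 'maggie', $now);
var_dump(consumeTicket($ticketStore, $stale['ticket'], $now + TICKET_TTL + 1)); // past expiry: rejected
var_dump(acceptConnection($ticketStore, 'wss://example.com/channel/?ticket=../etc', $now)); // malformed: rejected
```

Because the ticket travels in the query string, it will end up in proxy and server access logs; the short TTL and single-use consumption are what make that acceptable, so neither should be relaxed. In production replace the array with a store whose delete is atomic (Redis GETDEL, or a database DELETE ... RETURNING) so that the "used once" guarantee holds across several websocket worker processes.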