Feature request: Support query string authentication on API WebSocket endpoint

[fiatjaf]

Currently the Eclair API expects an Authorization header for all its requests, including the WebSocket endpoint at /ws.

While integrating support for Eclair on https://github.com/fiatjaf/kwh/ I found out that, although Chrome/ium will automatically take the credentials from an URL like ws://user:pass@localhost:1234/ws and make an Authorization header with them, the same is not true for Firefox.

There's no way to specify custom headers on the browser WebSocket provider.

To support build of apps that run in the browser and interact with the Eclair API, the WebSocket endpoint could support the password in the querystring, like ws://localhost:1234/ws?password=foobar.

[araspitzu]

Not ACK, eclair's API aren't meant to be called directly from a browser (in fact we don't support pre-flight operations) and using the credentials in the websocket url seems to be widely supported, with the exception of firefox.

[fiatjaf]

Why does it have to be an intention behind the API? Can't it be made as open as possible and users decide what to do with it?

Saying it "isn't meant to be called from a browser" includes browser extensions? These are not webpages, but custom installed apps that don't need preflight operations at all.

[araspitzu]

The API is for anyone who wants to develop an application using eclair's functionality, typically you'd write a middleware application that act as a proxy for the eclair API (instead of calling them directly from the application). Bearing this in mind we still want to support as many use cases as possible, as far as they don't affect the security.

[t-bast]

There has been some work to support websocket BOLT 8 connections (lightning/bolts#1068). I'd rather use this with lightning/blips#28 instead of exposing the websocket endpoint to the internet.