Description
The current SSE endpoint implementation (/stream) lacks user authentication.
Instead of authentication by user, a filter by message is used. And that's fine, but it's message-by-message authentication. The request is not authenticated/authorized.
Current implementation flaws:
The client can connect with the wrong credentials. It just doesn't get any events. Why? No one knows, the client is just in a "connected" state.
A connection can be opened by an anonymous client. A bad agent can open millions of SSE endpoint connections. This causes free ports to run out, and valid clients cannot connect.
Proposed solution:
Add a feature to the upstream express-bff package: the ability to set an onConnect callback. Check authentication in this callback and close the connection for unauthenticated/unauthorized users.