# help
r
This is not SST specific, just general "help". I feel like I ask this question every few months, but what are folks doing for websocket auth? I know the SST docs show how to wire up an authorizer, but I am curious what folks are putting in there. Seeing that someone decided websocket connections from the browser didn't need headers 🤦‍♂️ Are folks just risking the query string with a token? Hacking around with basic auth? Or just letting anyone pop on the line and applying auth at the topic listen / message send level?
t
If you want to get technical you should actually be validating the token with every message
r
Alright, lemme back off, as I am not actually sending messages from the clients 🙂 so it's more about keeping someone from slamming my DynamoDB with connection IDs.
t
Reason being, you can keep a websocket open and use expired tokens otherwise.
r
But yes, I agree, every send needs verification. For sure.
t
Ah ok
I typically use an initial message to authorize. If that's too complicated then I do query string
r
Yeah, that's been my go-to also.. connection then auth message... just annoying haha
a
Our approach really has anyone able to make a connection, and nothing happens (you have to have a Lambda, but it is a no-op). Then we have a "subscribe" message which includes what the client wants to subscribe to and the JWT. The token is validated, the expiration time is taken from the token, and only then is the connection tracked in DynamoDB, along with a TTL set to the token expiration and what data is subscribed to for that connection. The client must resubscribe whenever refreshing their JWT.
To be really secure, don't forget to filter on the expiration TTL when looking up connections, because DynamoDB can take a few hours to delete the items.