Apparently, it is impossible to attach custom HTTP headers to WebSocket request the same way that we do for XHR.

Instead of using headers, we have decided to follow a pattern similar to the one outlined by this article. We already use a "token" system similar to their "ticket" concept, so we should just need to modify the API server slightly to handle a special "auth" event.

An example "auth" event might look like this:

{ "action": "auth", args: [ token, namespace, ip ] }

Or with named parameters:

{ "action": "auth", args: { "token": token, "namespace": namespace, "source": ip } }

This ticket is complete when:

• The CLI uses this new authentication method to perform console interactions:
  • The server accepts all WebSocket connections without auth, but only allows on command
  • The server handles a special "auth" event, that allows user to actually fully use the WebSocket