Alternative Authentication for Websockets #77

Closed
davecgh opened this issue Jan 22, 2014 · 0 comments

davecgh commented Jan 22, 2014

Currently, the websocket interface requires HTTP auth headers to be sent. While this is a good thing, unfortunately some use cases, such as JavaScript-based websockets from browsers, do not have the ability to send headers.

Given the above, the code should be changed to allow an alternate authentication method using an authenticate JSON-RPC method as follows:

Method: authenticate
Parameters:
  1. username (string, required)
  2. passphrase (string, required)
Description: Authenticate the connection against the username and password configured for the RPC server. Invoking any other method before authenticating with this command will close the connection.
  NOTE: This is only required if HTTP authentication is not being used.
Returns:
  Success: Nothing
  Failure: Nothing (websocket disconnected)

The specific details of how the interaction with HTTP auth headers should work are as follows:

  • When HTTP auth headers are present they are checked for validity
    • If credentials are invalid, disconnect
    • If credentials are valid, set an authenticated flag that marks the connection as authenticated
  • When no HTTP auth headers are present, allow the connection to proceed, but require the first command sent from the caller to be "authenticate" with valid credentials
    • If credentials are invalid, disconnect
    • If credentials are valid, set an authenticated flag that marks the connection as authenticated
  • Disconnect if any commands other than the new authenticate are received and the authenticated flag is not set
  • Disconnect if the new authenticate command is received and the connection is already authenticated
tuxcanfly pushed a commit to tuxcanfly/btcd that referenced this issue Aug 4, 2016
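
The connection rules listed in the issue, sketched as a small state machine. This is an added example, not btcd's implementation: the `creds` and `wsConn` types, the `upgrade` and `handle` functions, and the sample credentials are hypothetical, and the constant-time comparison is an extra hardening step the issue does not mention.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// creds and wsConn are hypothetical types for this sketch, not btcd's own.
type creds struct{ user, pass string }
type wsConn struct{ want creds; authenticated, closed bool }

// match hashes both sides so the constant-time compare always sees equal lengths.
func (w creds) match(got creds) bool {
	u, wu := sha256.Sum256([]byte(got.user)), sha256.Sum256([]byte(w.user))
	p, wp := sha256.Sum256([]byte(got.pass)), sha256.Sum256([]byte(w.pass))
	return subtle.ConstantTimeCompare(u[:], wu[:])&subtle.ConstantTimeCompare(p[:], wp[:]) == 1
}

// upgrade applies the handshake rules; hdr is nil when no HTTP auth header was sent.
func upgrade(want creds, hdr *creds) *wsConn {
	ok := hdr != nil && want.match(*hdr)
	return &wsConn{want: want, authenticated: ok, closed: hdr != nil && !ok}
}

// handle applies the per-message rules and reports whether the connection stays open.
func (c *wsConn) handle(raw string) bool {
	var req struct{ Method string; Params json.RawMessage }
	c.closed = c.closed || json.Unmarshal([]byte(raw), &req) != nil
	switch isAuth := req.Method == "authenticate"; {
	case c.closed: // already disconnected, or the message was not valid JSON
	case isAuth && !c.authenticated: // first command on a header-less connection
		var p []string
		ok := json.Unmarshal(req.Params, &p) == nil && len(p) == 2
		c.authenticated = ok && c.want.match(creds{p[0], p[1]})
		c.closed = !c.authenticated
	case isAuth || !c.authenticated: // repeat authenticate, or a command before auth
		c.closed = true
	}
	return !c.closed
}

func main() {
	c := upgrade(creds{"rpcuser", "rpcpass"}, nil) // constructed credentials, no header
	fmt.Println(c.handle(`{"method":"authenticate","params":["rpcuser","rpcpass"]}`))
	fmt.Println(c.handle(`{"method":"getinfo","params":[]}`))
}
```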