Websocket using passthru auth, allow embedding a sessionID in the Header on all messages from client #8264
quintilation started this conversation in General. Replies: 0 comments
We would like to use NKeys to authenticate a PC making a WebSocket connection to NATS.
However, we also want to perform secondary authentication of individual users using Ory Kratos. Kratos returns a session cookie which is stored (HTTP_ONLY) in the user's browser.
Our idea is that the NATS server could cache the Kratos session cookie associated with a particular WebSocket connection, and then insert this session cookie as a NATS message header token=value pair in every NATS message received on that particular WebSocket connection and forwarded to other NATS subscribers. In this way, our back-end services would be able to identify the original WebSocket user making a particular request.
As background, we are currently implementing our own custom authentication solution, embedding the NATS server in our executable and using the CustomClientAuthentication option in the core NATS server. This allows us to verify each client's NKey against our own external database at connect time, and also enforce the nonce signature challenge on every connection.
The question is whether there is a straightforward way to add this capability to the NATS server.
If this would require changes to the server code (and I believe it would), is this something that the NATS team might accept as a pull request, or is our use case too obscure?
Alternatively, we could write a separate WebSocket to NATS translator. This might be simpler to write, but it would mean we have more code to maintain and another Docker container to deploy.
On the other hand, allowing a WebSocket connection directly from a browser into the NATS server doesn't feel terribly secure, so inserting a translator that can act as a firewall might be a better approach.
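The translator approach described in the post, as an added example that is not part of the original post or of NATS: a Go function that rewrites each browser PUB frame into an HPUB frame carrying the session the translator has verified for that connection. The header name `X-Session-Id` and the session value are assumptions; the wire format follows the NATS client protocol (PUB/HPUB).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical header name carrying the verified session to subscribers;
// it is not a header NATS itself defines.
const sessionHeader = "X-Session-Id"

// parsePub parses a client "PUB <subject> [reply] <bytes>\r\n<payload>\r\n"
// frame. HPUB is rejected so that a browser cannot supply headers of its own.
func parsePub(raw string) (subject, reply, payload string, err error) {
	ctl, body, ok := strings.Cut(raw, "\r\n")
	args := strings.Fields(ctl)
	if !ok || len(args) < 3 || len(args) > 4 || args[0] != "PUB" {
		return "", "", "", errors.New("expected a PUB control line")
	}
	n, err := strconv.Atoi(args[len(args)-1])
	if err != nil || n < 0 || len(body) < n+2 || body[n:n+2] != "\r\n" {
		return "", "", "", errors.New("bad payload length")
	}
	if len(args) == 4 {
		reply = args[2]
	}
	return args[1], reply, body[:n], nil
}

// withSession rewrites one client PUB frame as an HPUB frame carrying the
// session ID the translator verified for this connection; nothing in the
// client's bytes is used for the header value.
func withSession(raw, sessionID string) (string, error) {
	subject, reply, payload, err := parsePub(raw)
	if err != nil {
		return "", err
	}
	if strings.ContainsAny(sessionID, "\r\n") {
		return "", errors.New("session ID must not contain CRLF") // header injection guard
	}
	hdr := fmt.Sprintf("NATS/1.0\r\n%s: %s\r\n\r\n", sessionHeader, sessionID)
	ctl := "HPUB " + subject
	if reply != "" {
		ctl += " " + reply
	}
	return fmt.Sprintf("%s %d %d\r\n%s%s\r\n", ctl, len(hdr), len(hdr)+len(payload), hdr, payload), nil
}
```

Forwarding an identifier derived from the verified session rather than the raw Kratos cookie lets subscribers learn who sent the message without receiving a credential they could replay.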