I'm trying to add authenticated web sockets to the web app framework that I'm building on top of Webbit. I found that in the Server<C>.onOpen() method, I can call webSocketConnection.httpRequest().cookie("session") to read the "session-in-client" cookie to determine if the user is logged in. For security though, I would like to force the user to re-log-in every month or so (i.e. the cookie will expire in the browser, and the auth token in the cookie will expire in the server after a month). I need the ability to close all web sockets for a given user when the user's login session expires, or when the user manually logs out. I therefore need a way of registering new web socket connections in a HashMultimap (mapping from usernames to sets of connections owned by that user), and I need the ability to manually close all connections for a given user. I also need to be able to intercept all calls from the client to the server and from the server to the client to check if the connection's expiry date has passed, so that the message can be rejected and the connection closed.
-- I think there is no concept of middleware for websockets yet in Webbit, but that the above functionality should be added as middleware? (Currently I have an abstract class that implements Server, and all authenticated web sockets have to extend this class, but it's hacky, because subclasses have to remember to call super() etc. to get authentication.)
-- Should I simply call webSocketConnection.close() from the Server<C>.onOpen() method if I want to reject the connection because the user is not logged in? I assume that there is one separate WebSocketConnection per new client, so calling close() won't affect other users, even though only one Server object is created per route?
On an orthogonal topic: currently onOpen is defined for Server<C> as:
public void onOpen(WebSocketConnection connection, C client)
It looks like there is one WebSocketConnection created per socket connection, and also one client proxy object of type C. Perhaps then WebSocketConnection should actually be parameterized as WebSocketConnection<C>, and have a .getClient() method that returns the corresponding proxy of type C? That way, onOpen could just take one parameter, connection. Since connection and client are always passed as a matching pair, it might make sense to group them by embedding the client as a field of the connection.
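The per-user registry and expiry check described in the post could look like the following. This is an added example, not part of the original post and not Webbit code: `Conn` is a hypothetical stand-in for Webbit's WebSocketConnection, the class and method names are assumptions, and it needs Java 16 or later for the record.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example. Conn is a hypothetical stand-in for Webbit's WebSocketConnection.
public class SessionSocketRegistry {
    public interface Conn { void close(); }
    private record Entry(String user, Instant expiresAt) {}

    private final Map<String, Set<Conn>> byUser = new ConcurrentHashMap<>();
    private final Map<Conn, Entry> byConn = new ConcurrentHashMap<>();

    // Call on open, after the session cookie has been validated server-side.
    public void register(String user, Instant expiresAt, Conn c) {
        byConn.put(c, new Entry(user, expiresAt));
        byUser.compute(user, (u, s) -> {   // atomic per key, so a racing unregister cannot orphan the set
            if (s == null) s = ConcurrentHashMap.newKeySet();
            s.add(c);
            return s;
        });
    }

    // Call when the socket closes so dead connections do not accumulate.
    public void unregister(Conn c) {
        Entry e = byConn.remove(c);
        if (e != null) byUser.computeIfPresent(e.user(), (u, s) -> { s.remove(c); return s.isEmpty() ? null : s; });
    }

    // Gate for every inbound and outbound message: unknown or expired means close and reject.
    public boolean allow(Conn c, Instant now) {
        Entry e = byConn.get(c);
        if (e != null && now.isBefore(e.expiresAt())) return true;
        unregister(c);
        c.close();
        return false;
    }

    // Logout or server-side token expiry: close every socket the user owns.
    public int closeAll(String user) {
        Set<Conn> conns = byUser.remove(user);
        if (conns == null) return 0;
        for (Conn c : conns) { byConn.remove(c); c.close(); }
        return conns.size();
    }
}
```

Because `allow` fails closed for a connection that was never registered, a handler that forgets to call `register` rejects traffic instead of silently skipping the check.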