The authenticators request hash algorithm produced different hashes than
on the client, because client-side hash-request don't include the query
parameters of a URL.
This causes authentication issues when sending any requests with query
parameters. This commit ensures we ignore them on the server as well.
As it turns out, a websocket request doesn't contain some of the
hashable properties in order to be validated. Because of that, we'll
still use tokens here until we find a better way to do it.
Instead, we want to hash a header to sign a request with a client nonce,
http method and URL. This is a first step towards protecting the backend
against eavesdropping.
Please note that this will still be susceptible to replay attacks.
Pascal Precht
Andre Medeiros
Iuri Matias
Anthony Laibe
Jonathan Rainville