Summary
StreamKit has RBAC (via [permissions]) but no built-in authentication. It currently relies on an external service in front (e.g. a proxy server) to set the role via an HTTP header.
Goals
- Support API keys + JWT for non-browser clients via token auth (e.g. `Authorization: Bearer <token>`).
- Support cookie-based auth for the browser UI (safest default), with CSRF/Origin defenses.
- Enforce auth consistently across HTTP, WebSocket and the MoQ gateway / WebTransport (align with moq-dev/moq connection/auth expectations).
Open Questions
- JWT verification: OIDC/JWKS support or start with a shared secret (HS256)?
- JWT role mapping: should role come from a claim (which one?), or a server-side mapping from sub/email → role?
- API key storage: support plaintext keys in config/env initially (with warnings), or require hashed-at-rest from day one?
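To make the goals and open questions above concrete, here is an added example (my sketch, not StreamKit's or moq-dev's code) of one authenticator that handles all three credential types and takes one position on each open question: HS256 with a shared secret, the role read from a `role` claim and checked against a known role set, and API keys stored hashed at rest. The `sk_` key prefix, the `sk_session` cookie name, the role names, the `Authenticator` API and the sample secret/key/session are assumptions for illustration, not StreamKit identifiers.

```python
"""Added example, not StreamKit code: bearer tokens (API keys and HS256 JWTs),
session cookies with an Origin check, and the WebSocket handshake, in one place.
Assumed: shared-secret HS256, role from a "role" claim, keys hashed at rest,
API keys prefixed "sk_", cookie name "sk_session"."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
KNOWN_ROLES = {"admin", "publisher", "viewer"}  # assumed role names, not StreamKit's
API_KEY_PREFIX = "sk_"                           # assumed: tells an API key from a JWT
SESSION_COOKIE = "sk_session"                    # assumed cookie name


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_api_key(key: str) -> str:
    """Keys are stored only as SHA-256 digests, so a leaked config does not leak keys."""
    return hashlib.sha256(key.encode()).hexdigest()


def make_jwt(secret: bytes, claims: dict) -> str:
    """Mint an HS256 token; used here only to build constructed sample input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


@dataclass
class Principal:
    subject: str
    role: str
    via: str  # "jwt", "api_key" or "cookie"


Result = Tuple[Optional[Principal], str]  # (principal, "") on success, (None, reason) on failure


class Authenticator:
    def __init__(self, jwt_secret: bytes, api_key_hashes: dict, sessions: dict, allowed_origins: set):
        self.jwt_secret = jwt_secret
        self.api_key_hashes = api_key_hashes  # sha256 hex -> (subject, role)
        self.sessions = sessions              # session id -> (subject, role)
        self.allowed_origins = allowed_origins

    def verify_jwt(self, token: str, now: float) -> Result:
        try:
            h, p, s = token.split(".")
            header, payload, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
        except ValueError:  # wrong part count, bad base64 or bad JSON
            return None, "malformed token"
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return None, "malformed token"
        # Pin the algorithm server-side; the token must not choose (rejects alg=none and RS/HS confusion).
        if header.get("alg") != "HS256":
            return None, "unsupported alg"
        want = hmac.new(self.jwt_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, sig):
            return None, "bad signature"
        exp = payload.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return None, "expired"
        sub, role = payload.get("sub"), payload.get("role")
        if not sub or role not in KNOWN_ROLES:
            return None, "missing sub/role claim"
        return Principal(sub, role, "jwt"), ""

    def verify_api_key(self, key: str) -> Result:
        digest = hash_api_key(key)
        for stored, (subject, role) in self.api_key_hashes.items():
            if hmac.compare_digest(digest, stored):  # constant-time per entry
                return Principal(subject, role, "api_key"), ""
        return None, "unknown api key"

    def authenticate(self, method: str, headers: dict, now: Optional[float] = None) -> Result:
        """headers: canonical-cased header name -> value, as a framework would hand them over."""
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            token = auth[len("Bearer "):].strip()
            # A browser never attaches a Bearer header on its own, so no Origin check is needed here.
            return self.verify_api_key(token) if token.startswith(API_KEY_PREFIX) else self.verify_jwt(token, now)
        cookies = dict(c.strip().split("=", 1) for c in headers.get("Cookie", "").split(";") if "=" in c)
        sid = cookies.get(SESSION_COOKIE)
        if sid is None:
            return None, "no credentials"
        # Cookies ride along on cross-site requests, so state-changing requests and the WebSocket
        # handshake (a GET that CORS does not cover) must present an allowed Origin.
        upgrade = headers.get("Upgrade", "").lower() == "websocket"
        if (method.upper() not in SAFE_METHODS or upgrade) and headers.get("Origin") not in self.allowed_origins:
            return None, "origin not allowed"
        if sid not in self.sessions:
            return None, "unknown session"
        subject, role = self.sessions[sid]
        return Principal(subject, role, "cookie"), ""


# Constructed sample configuration for this example (not real secrets, keys or sessions).
SECRET = b"constructed-shared-secret"
API_KEY = "sk_9f2d1c7e0b4a5e61"
AUTH = Authenticator(
    jwt_secret=SECRET,
    api_key_hashes={hash_api_key(API_KEY): ("ci-bot", "publisher")},
    sessions={"s3ss10n": ("alice", "admin")},
    allowed_origins={"https://studio.example"},
)
```

Whichever way the open questions are settled, three properties are worth keeping: the server pins the algorithm instead of trusting `alg`, the cookie path demands an allowed Origin for state-changing requests and for the WebSocket handshake, and a leaked config exposes only key digests. Moving to OIDC/JWKS would replace only the signature step in `verify_jwt`; moving to a server-side `sub`/email → role map would replace the claim check.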