Consider an app where users always connect to a socket on login. If we pass username/password directly to the connect/2 callback (instead of providing a token), we would save the initial HTTP login request to get that token. Is there anything inherently wrong with doing this?
Nothing; however, it will be slower because verifying a password via argon2 is much slower than verifying a token. This is because the password has to be protected rigorously, and a token only needs to be tamper-proof.
Yes, but you would need to verify the password in both scenarios, whether you log in via socket or a regular HTTP controller. In the scenario where on login you’re immediately connecting to the socket, isn’t it actually faster to skip the first request and auth directly on socket connect?
I have no idea what your application looks like; many people use a cookie to leave the user logged in for a while. Also, the socket sometimes disconnects, like when the computer goes to sleep.
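
The trade-off discussed in this thread, as an added example that is not code from any of the posters: it counts how many slow password verifications the server performs for one login followed by several socket reconnects, with and without a token. Assumptions: PBKDF2 from the Python standard library stands in for argon2, a hand-rolled HMAC token stands in for a framework-signed token, and all names and sample values are constructed for the demonstration.

```python
import base64, hashlib, hmac, os, time

SECRET = os.urandom(32)   # server-side signing key (constructed for the demo)
KDF_CALLS = 0             # number of slow password-hash computations so far

def hash_password(password, salt):
    # PBKDF2 stands in for argon2: deliberately slow to resist offline guessing
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password, salt, stored):
    return hmac.compare_digest(hash_password(password, salt), stored)

def issue_token(user_id, ttl=3600, now=None):
    # Payload "user_id.expiry" authenticated with HMAC-SHA256: tamper-proof, not secret
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}.{expiry}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_token(token, now=None):
    # Returns the user id, or None when the token is malformed, forged or expired
    try:
        p64, t64 = token.split(".")
        payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None
    user_id, expiry = payload.decode().rsplit(".", 1)  # safe to parse: MAC verified
    if (time.time() if now is None else now) >= int(expiry):
        return None
    return user_id

def simulate(reconnects, use_token):
    # One login plus `reconnects` socket reconnects (e.g. after the computer sleeps).
    # Returns how many slow password verifications the server had to run.
    global KDF_CALLS
    salt = os.urandom(16)
    stored = hash_password("correct horse", salt)      # account creation
    KDF_CALLS = 0
    token = None
    if use_token:                                       # HTTP login, once
        token = issue_token("alice") if check_password("correct horse", salt, stored) else None
    for _ in range(1 + reconnects):                     # every socket connect
        ok = verify_token(token) == "alice" if use_token else check_password("correct horse", salt, stored)
        if not ok:
            raise RuntimeError("connect rejected")
    return KDF_CALLS
```
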