Allow Server.observe with authenticated peer #361

Open
ScottErholm opened this issue Dec 11, 2017 · 2 comments

@ScottErholm

If peer linking is authenticated, there is no mechanism to propagate the authentication to the receiver. This means there is no way for the receiving link to complete a peer.subscribe, which results in a failure for Server.observe.

Suggest communicating the authorization in the response header at the checkServerReq request handler.

@AdamMagaluk
Collaborator

Do you have a simple example you can provide? How are you doing authentication during the peering?

@ScottErholm
Author

Any HTTP authentication scheme could be used, but for simplicity I'll just consider Basic.

Things start out normally, with the initiating peer supplying a username/password to authenticate with the receiver. But then later the receiver must authenticate back to the initiator, which is a little backwards.

It seems there are two ways to handle this: 1. Configure the receiving server with the necessary information to authenticate with any and every initiating peer which may or may not make a link, or 2. After the initiating peer has successfully authenticated with the receiver, it then passes credentials to the receiver so that the receiver can later subscribe.

The 2nd option makes more sense to me, and the credentials can be passed to the receiver as the last step of the peer connection in checkServerReq.

Most of the actual work can be done in extensions using onPeerRequest, onPeerResponse, onPeerConnect, and onEventWebsocketConnect. It's really nice that all these hooks are already in place.

Maybe there is a better way to securely subscribe that I'm not seeing. I did want to run it by people here before making a pull request.
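The second option described in the comment above, as an added example that is not zetta code and not the issue author's implementation: once Basic authentication succeeds, the initiator hands the receiver a credential that the receiver later presents when it subscribes back. The class and method names, the `x-subscribe-authorization` header and the choice of a random per-link secret (rather than a shared long-lived password) are assumptions made for this illustration.

```javascript
// Added illustration, not zetta code: class, method and header names are hypothetical.
const crypto = require('crypto');

const sha = (s) => crypto.createHash('sha256').update(String(s)).digest();
const sameSecret = (a, b) => crypto.timingSafeEqual(sha(a), sha(b)); // constant-time
const basic = (user, pass) => 'Basic ' + Buffer.from(user + ':' + pass).toString('base64');

// Parse "Basic <base64(user:pass)>"; split on the first colon only.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(header || '');
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString();
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Check a Basic header against a Map of user -> secret.
function check(header, secrets) {
  const c = parseBasic(header);
  return Boolean(c && secrets.has(c.user) && sameSecret(secrets.get(c.user), c.pass));
}

class Receiver {
  constructor(accounts) { this.accounts = accounts; this.linkAuth = new Map(); }
  // Step 1: the initiating peer authenticates to the receiver.
  acceptPeer(headers) { return check(headers.authorization, this.accounts); }
  // Last step of peering: keep the credential the initiator handed over.
  storeLinkAuth(peer, headers) { this.linkAuth.set(peer, headers['x-subscribe-authorization']); }
  // Later: headers for the subscribe request back to that initiator.
  subscribeHeaders(peer) {
    return this.linkAuth.has(peer) ? { authorization: this.linkAuth.get(peer) } : null;
  }
}

class Initiator {
  constructor() { this.issued = new Map(); }
  // Mint a random per-link secret instead of sharing a long-lived password.
  finishPeering(receiverName) {
    const token = crypto.randomBytes(32).toString('hex');
    this.issued.set(receiverName, token);
    return { 'x-subscribe-authorization': basic(receiverName, token) };
  }
  authorizeSubscribe(headers) { return check(headers.authorization, this.issued); }
}

// Constructed sample run: "hub" is the initiator, "cloud" the receiver.
function runExchange() {
  const cloud = new Receiver(new Map([['hub', 'constructed-password']]));
  const hub = new Initiator();
  const linked = cloud.acceptPeer({ authorization: basic('hub', 'constructed-password') });
  if (linked) cloud.storeLinkAuth('hub', hub.finishPeering('cloud'));
  return {
    linked,
    subscribed: hub.authorizeSubscribe(cloud.subscribeHeaders('hub') || {}),
    unauthenticated: hub.authorizeSubscribe({}),
    forged: hub.authorizeSubscribe({ authorization: basic('cloud', 'guess') }),
  };
}
```

Because the credential travels in a header, the peer link needs to run over TLS for the handoff to stay confidential.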
