Hey @ferranbt,
Welcome to the libp2p community!
There are several solutions I can think of, depending on the security tradeoff you want:
-
If you don’t mind libp2p protocols running before the connection is authenticated (e.g. libp2p identify, pubsub, DHT, etc.), you can implement a custom protocol that subscribes to
PeerConnectednessChanged
events on the eventbus, initiates the challenge by opening a stream, and kills the connection if the challenge fails.- All other application-specific protocols would wait until this protocol has authenticated the peer.
- You would need to implement a “session manager” component, that the authentication protocol reports to, and that other protocols gate on to know when they are authorised to service a peer.
- You could send custom events on the eventbus to signal the state changes.
-
If you don’t mind the handshake running and the peer ID of the responder being revealed to the other party, prior to your app-specific authentication, you could use a ConnectionGater and implement a hook for
InterceptUpgraded
.- The problem is that you get a
network.Conn
and not amux.MuxedConn
, so I’m not sure how the other peer would accept the stream. - Note that these are raw streams, not managed by the libp2p host. I haven’t seen anybody using libp2p in this manner, so not sure if it would work.
- The problem is that you get a
-
The earliest point at which you can challenge the peer is by implementing a custom secure channel and injecting it into the Host: test-plans/main.go at master · libp2p/test-plans · GitHub
-
You could use private networks if a PSK arrangement would work for you.
If none of these work for you, you could open an issue in go-libp2p and propose a feature.
Hope that guides you a little!
Raúl.