[Security] WebSocket clients can see all events from all sub-wallets

[tdiesler]

Anyone who knows the value of the X-API-Key can register a listener that can see all events from all sub-wallets. Hence, any sub-wallet can see all events from all sub-wallets. The current implementation works like this ...

1. No X-API-Key => Connection success & Settings events (i.e. events that are not published by any particular sub-wallet)
2. X-API-Key + No Bearer Authorization => Connection success & All events from all sub-wallets
3. X-API-Key + Invalid Bearer Authorization => 401
4. X-API-Key + Bearer Authorization => Connection success & All events from all sub-wallets

Expected Behaviour

1. No X-API-Key => 401
2. X-API-Key + No Bearer Authorization => 401
3. X-API-Key + Invalid Bearer Authorization => 401
4. X-API-Key + Bearer Authorization => Settings event & Events from the sub-wallet that owns this WS connection

In the case of credential revocation we have a notify option. Currently, Acme publishes the ISSUER CREDENTIAL_REVOKED event which Alice can see. With the above "Expected Behaviour" Alice would no longer see that.

[MajdT51]

I think it would be useful to have a simple way to get All events from all sub-Wallets. I currently have a large number of sub-wallets to manage and I can't open a WebSocket connection to all of them.

@shaangill025

• do you agree with tdiesler about the Expected Behaviour?
• do you think it is useful to have an extra way to get all events without opening a WS connection to each wallet?

thanks :)