
Feature: Client authentication: consider moving to basic authentication with client_id and client_key for WebSocket and HTTP adapters #2799

@arvindh123


Support Authentication with Both client_id and client_key for Enhanced Security

Currently, we use only the client_key for authenticating clients during messaging. This approach requires client_key to be globally unique, which introduces the risk of brute-force discovery.

Proposed Enhancement:

Introduce authentication using both client_id and client_key. This provides several benefits:

  • Eliminates the need for a globally unique client_key.
  • Reduces the risk of brute-force attacks, since both values must match.
  • Simplifies lookup: the system can directly validate that the provided client_id and client_key pair exists without needing to look up the client_id from the client_key.

Implementation Suggestions:

  • HTTP Protocol: Use Basic Authentication or a Base64-encoded string of client_id:client_key in the HTTP headers.

  • WebSocket Protocol: Support credentials via query parameters:

    ws://localhost/ws?auth=<client_id>|<client_key>
    

    or a Base64-encoded form:

    ws://localhost/ws?auth=<base64(client_id:client_key)>
    

Status

🩺 Review and testing
