
(I have checked the similar topics this/this/this/this, but I couldn't find this exact scenario or an example.)

Let's say I have a WebSocket server (MITM and XSS attacks are not in scope) where, inside the 'open' event, I check whether the user has authorization/permissions, and if not, I close the connection. Otherwise, the server proceeds with the normal connection (subscribing & executing commands from the client side).

const WebSocket = require('ws');

// ws takes an options object (port, or an existing http/https server that
// terminates TLS for wss://), not a URL.
const srv = new WebSocket.Server({ port: 8080 });
srv.on('connection', (WSS, req) => {
    // the token comes with the upgrade request, e.g. wss://example.com/?token=...
    const userToken = new URL(req.url, 'ws://localhost').searchParams.get('token');
    if ( ! checkAuth(userToken) ) { // let's assume the logic is working already (checkAuth is assumed to exist)
        WSS.close();
    }
    else {
        WSS.on('message', message => {
            // ****** why should I check for authentication here ?? ******
            console.log ("executing your command:" + message);
        });

        WSS.on('close', function close() {
            console.log ("closed");
        });
    }

});

My question is: what are the scenarios where it's necessary to check authentication inside further events, given that the connection is closed immediately if the user is not authorized?

T.Todua

1 Answer


Checking for authentication on received WebSocket messages is recommended in the following scenarios:

  1. Poor/missing authentication at the handshake - For instance, if your authentication is based on a cookie and no anti-CSRF control is in place, your application may be prone to a cross-site WebSocket hijacking attack.
    In this case, you can introduce authentication for the first message.

  2. WebSocket session management - As WebSocket sessions are long-lived, you may wish to re-authenticate the client, for instance if your application exposes sensitive capabilities that you wish to protect against unauthorized access. In general, it is also useful for determining eligibility for session extension.
    e.g., a scenario where the browser is located in a public library and the user forgot to log out.

In any case, checking for authentication on each message might not be the best idea, as it creates overhead in terms of message size & performance.

Harel M
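The two scenarios in the answer above (a first-message credential check when the handshake cannot be trusted, and re-authentication on a long-lived socket), as an added Node.js example that is not code from the question or the answer. The transport is deliberately left out so it runs offline: handleMessage() is a per-connection state machine you would call from the ws 'message' handler, and handshakeAllowed() is the Origin check you would run during the upgrade. The token store, the allowed-origin list, the 15-minute re-auth interval and the JSON message shape are all assumptions made for the example.

```javascript
// Added example (not from the question or answer). Transport-agnostic auth
// state for one WebSocket connection; wire handleMessage() into the ws
// 'message' event and handshakeAllowed() into the upgrade/verifyClient step.

// Assumption: bearer tokens held server-side with an absolute expiry (ms).
// A real deployment keeps these in a cache/DB and stores a hash of the token.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', expiresAt: 1000000 }], // constructed sample
]);

// Assumption: the only origin allowed to open sockets to this server.
const ALLOWED_ORIGINS = new Set(['https://example.com']);

// Assumption: require a fresh token every 15 minutes on a long-lived socket.
const REAUTH_INTERVAL_MS = 15 * 60 * 1000;

// Handshake defence against cross-site WebSocket hijacking: browsers always
// send Origin on the upgrade and page scripts cannot override it, so a missing
// or foreign Origin means another site opened the socket with the victim's
// cookies. Non-browser clients can forge Origin, so this protects browser
// users only; it is not authentication and does not replace the token check.
function handshakeAllowed(originHeader) {
  return typeof originHeader === 'string' && ALLOWED_ORIGINS.has(originHeader);
}

// Resolve a token to a session, treating expired tokens as absent.
function lookupToken(token, now) {
  const s = typeof token === 'string' ? SESSIONS.get(token) : undefined;
  return s && now < s.expiresAt ? s : null;
}

// Per-connection state: nothing is trusted until an auth frame is accepted.
function createConnection() {
  return { authenticated: false, user: null, lastAuthAt: 0, sessionExpiresAt: 0 };
}

// Validate a token frame; on re-auth the token must belong to the same user.
function authenticate(conn, token, now) {
  const s = lookupToken(token, now);
  if (!s) return { action: 'close', reason: 'invalid or expired token' };
  if (conn.authenticated && s.user !== conn.user) {
    return { action: 'close', reason: 'token belongs to another user' };
  }
  conn.authenticated = true;
  conn.user = s.user;
  conn.lastAuthAt = now;
  conn.sessionExpiresAt = s.expiresAt;
  return { action: 'ack', user: s.user };
}

// Decide what to do with one inbound frame. The caller maps the action onto
// the socket: 'close' -> ws.close(), 'ack'/'reauth_required' -> send to the
// client, 'execute' -> run cmd as conn.user. Only auth frames cost a token
// lookup; every other frame pays a single timestamp comparison.
function handleMessage(conn, raw, now) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return { action: 'close', reason: 'malformed message' };
  }
  if (msg === null || typeof msg !== 'object') {
    return { action: 'close', reason: 'malformed message' };
  }

  // Scenario 1: whatever the handshake said, the first frame must carry
  // credentials. Anything else on an unauthenticated socket ends it.
  if (!conn.authenticated) {
    if (msg.type !== 'auth') return { action: 'close', reason: 'auth required' };
    return authenticate(conn, msg.token, now);
  }

  // Scenario 2: long-lived session. An expired token ends the socket; a stale
  // session must present a fresh token before further commands run.
  if (now >= conn.sessionExpiresAt) return { action: 'close', reason: 'session expired' };
  if (msg.type === 'auth') return authenticate(conn, msg.token, now);
  if (now - conn.lastAuthAt > REAUTH_INTERVAL_MS) return { action: 'reauth_required' };

  if (msg.type === 'command' && typeof msg.cmd === 'string') {
    return { action: 'execute', user: conn.user, cmd: msg.cmd };
  }
  return { action: 'close', reason: 'unknown message type' };
}

// Stand-alone walk-through on a fake clock (ms); returns the action sequence.
function runDemo() {
  const conn = createConnection();
  const frames = [
    [0, { type: 'auth', token: 'tok-alice' }],        // first frame: credentials
    [1000, { type: 'command', cmd: 'subscribe' }],    // runs
    [960000, { type: 'command', cmd: 'ls' }],         // 16 min later: stale
    [960000, { type: 'auth', token: 'tok-alice' }],   // client re-authenticates
    [960001, { type: 'command', cmd: 'ls' }],         // runs again
    [2000000, { type: 'command', cmd: 'ls' }],        // token expired: close
  ];
  return frames.map(([t, f]) => handleMessage(conn, JSON.stringify(f), t).action);
}

console.log(runDemo().join(' -> '));
```

With the ws library, handshakeAllowed(req.headers.origin) would go in the server's verifyClient option (or an http 'upgrade' handler that rejects the request before the socket exists), and the 'message' handler would switch on the returned action. Note that this does not re-validate the token on every frame, which the answer warns is costly: after the first auth frame each command only compares timestamps, and a full token lookup happens only when the client sends a new auth frame.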