
Add session-scope authorization key in Websockets #83

Open
juacas wants to merge 3 commits into main from feature/hashedsessions

Conversation

@juacas
Contributor

@juacas juacas commented Nov 20, 2025

Introduce a session password for WebSocket connections, enhancing security by requiring a password to enter a Kuet session. Update relevant classes and functions to handle the new password parameter. Add configuration options for the password in the admin settings.

In summary:

  • Both Websocket server (in command line) and Moodle (in settings) must use the same session password.
  • For each Kuet session, a derived key is generated by hashing the session ID together with the secret password (a salted hash).
  • This key is known to all clients in that session. The derived key is not a strong secret because it appears in the user interface, but it only works for that session.
  • All messages between students and teachers must carry that key.
  • Any external client that wants to use the Websocket server will not be able to generate those keys, and the websocket server will close the connection with an “Unauthorized” message.

I think this is an important step forward for KUET.

@juacas juacas added enhancement New feature or request security labels Nov 20, 2025

Copilot AI left a comment


Pull Request Overview

This pull request adds session-scope authorization for WebSocket connections in the Kuet module to enhance security. The implementation requires both the WebSocket server and Moodle to share a session password. For each Kuet session, a derived key is generated by hashing the session ID with the secret password, which clients must provide to connect.

Key Changes:

  • Added session password configuration in admin settings
  • Implemented authorization checking in the WebSocket server
  • Updated all WebSocket message exchanges to include the password parameter
  • Modified view classes to pass password to templates and JavaScript

Reviewed Changes

Copilot reviewed 14 out of 44 changed files in this pull request and generated 2 comments.

Summary per file:

  • unimoodleservercli.php: Added session key property, authorization checking, and password validation for ping/diag commands
  • settings.php: Added WebSocket password configuration field with max length validation
  • lang/en/kuet.php: Added language strings for password setting and description
  • lib.php: Added function to calculate WebSocket password from session ID and secret key; updated server startup command
  • session.php: Updated view instantiation to pass session parameters
  • classes/output/views/teacher_session_view.php: Added constructor parameters and password generation in template export
  • classes/output/views/student_session_view.php: Added constructor parameters and password generation in template export
  • classes/output/views/test_report.php: Added password to template data for SSL testing
  • templates/*.mustache: Added data-passwd attributes to canvas elements for JavaScript access
  • amd/src/testssl.js: Added password parameter for ping authentication in SSL testing
  • amd/src/teachersockets.js: Added passwd variable and included it in all WebSocket messages
  • amd/src/studentsockets.js: Added passwd variable and included it in all WebSocket messages
  • amd/build/.min.js: Minified builds and source maps (auto-generated)


return $this->manage_newstudent_for_sid($user, $data);
case 'countusers':
return json_encode([
return json_encode( [
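Review bot: the formatting change at `return json_encode( [` aside, the `countusers` branch shown here returns straight out of the command switch; confirm that the session-key authorization check this PR adds to unimoodleservercli.php runs before that switch, so `countusers` (like ping/diag) is not reachable by a client that has not presented a valid key.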

Copilot AI Nov 20, 2025


Inconsistent code formatting: there is an extra space after json_encode(. The opening parenthesis should not have a space before the opening bracket for consistency with the rest of the codebase.

@UNIMOODLE UNIMOODLE deleted a comment from Copilot AI Nov 20, 2025