Currently the LLAPI seems to just blindly accept any connection request.
We need to get rid of the NetworkTransport.Connect method and instead have a NetworkTransport.ConnectRequest(int hostId, string address, int port, byte data, int size, int exeptionConnectionId, out byte error) method.
With the ConnectRequest method, we can pass in bytes in case we want to send some data over, such as a password of some sort.
(See ConnectRequest byte data issue at bottom)
The server can then get a callback or you can even just add a ConnectRequest enum value in NetworkEventType so the user can poll for connect requests and decide if they want to ignore/refuse/accept.
We would need these 3 methods:
NetworkTransport.AcceptConnectionRequest(int connectionID) - which accepts a connection request (maybe even the ability to send a byte array as well).
NetworkTransport.RefuseConnectionRequest(int connectionID) - which refuses a connection request and attempts to notify the connection it was refused (maybe even the ability to send a byte array as well).
NetworkTransport.IgnoreConnectionRequest(int connectionID) - which silently ignores a connection request, meaning it sends nothing over which leaves the connection not even knowing if we even exist (this is an important one, in my eyes at least).
If the connection is accepted, everything will run as it does now.
The issue is talked about in greater detail in this thread: https://forum.unity3d.com/threads/is-there-a-built-in-authentication-system-in-unet.343217/
-ConnectRequest byte data issue-
An issue with introducing the ability to send byte data in a connect request is that there will most likely be a queue in the backend that stores these bytes. If these bytes are stored as messages, then we run into the issue of a single connection being able to spam many messages in a single connection request, which will fill up the queue and prevent any other legit connection requests.
Even if we just store the whole byte array as a single message, as well as overwrite any current connection request messages from the same IP address, we may still run into issues with malicious users, not to mention IP spoofing.
It may not be possible to completely fix the issue, but there should at least be the ability to set the connection requests max queue size, as well as the ability to set a max byte data size per ConnectionRequest.
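The two limits and the per-address overwrite described above, sketched as an added example that is not part of the original post and not Unity code. PendingConnectRequests, EnqueueResult and every member name are hypothetical; the transport is assumed to call TryEnqueue for each incoming request and the server to poll TryDequeue before deciding to accept, refuse or ignore.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; none of this exists in NetworkTransport.
public enum EnqueueResult { Queued, Replaced, BadPayload, QueueFull }

public sealed class PendingConnectRequests
{
    private readonly int maxQueueSize;     // max pending connection requests
    private readonly int maxPayloadBytes;  // max byte data per request
    private readonly Dictionary<string, byte[]> payloadByAddress =
        new Dictionary<string, byte[]>();
    private readonly Queue<string> arrivalOrder = new Queue<string>();

    public PendingConnectRequests(int maxQueueSize, int maxPayloadBytes)
    {
        this.maxQueueSize = maxQueueSize;
        this.maxPayloadBytes = maxPayloadBytes;
    }

    public int Count { get { return payloadByAddress.Count; } }

    public EnqueueResult TryEnqueue(string address, byte[] data, int size)
    {
        // Validate the declared size before allocating anything.
        if (data == null || size < 0 || size > data.Length || size > maxPayloadBytes)
            return EnqueueResult.BadPayload;
        bool known = payloadByAddress.ContainsKey(address);
        // New addresses are dropped when full, so memory stays bounded. Spoofed
        // source addresses can still occupy slots, as the post points out.
        if (!known && payloadByAddress.Count >= maxQueueSize)
            return EnqueueResult.QueueFull;
        byte[] copy = new byte[size];
        Buffer.BlockCopy(data, 0, copy, 0, size);
        // One slot per address: a repeated request overwrites, it never adds.
        payloadByAddress[address] = copy;
        if (known) return EnqueueResult.Replaced;
        arrivalOrder.Enqueue(address);
        return EnqueueResult.Queued;
    }

    // Returns the oldest pending request, or false when nothing is pending.
    public bool TryDequeue(out string address, out byte[] data)
    {
        address = null; data = null;
        if (arrivalOrder.Count == 0) return false;
        address = arrivalOrder.Dequeue();
        data = payloadByAddress[address];
        payloadByAddress.Remove(address);
        return true;
    }
}
```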