Open
Description
Currently, solid-ws accepts all sub <url> requests without any authorization check. This means anyone can subscribe to notifications for any resource, even private ones they don't have read access to.
This can leak information - a subscriber learns when a resource changes, even if they can't read it.
Proposed solution
Add an optional authorize callback that servers can use to check permissions:
```js
const solidWs = SolidWs(server, app, {
  authorize: (iri, req, callback) => {
    // Check if user has read access to iri
    // callback(null, true) to allow
    // callback(null, false) to deny
  }
})
```

If authorization fails, send `err <url> forbidden` instead of `ack`.
This keeps solid-ws flexible (default allows all, as today) while letting servers like NSS integrate their ACL checking.
Happy to submit a PR for this if it sounds reasonable!
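The following is an added example, not solid-ws's own code, of how a `sub <url>` handler could consult the proposed `authorize(iri, req, callback)` hook and answer with `ack` or `err <url> forbidden`; `handleMessage`, `publishChange`, the `READ_ACL` table and the `req.webId` field are assumptions made for the illustration.

```javascript
const subscriptions = new Map(); // iri -> Set of subscribed sockets

// Default hook: allow everything, which is today's behaviour.
function defaultAuthorize(iri, req, callback) {
  callback(null, true);
}

// Minimal socket stand-in that records what the server sends (test double).
function makeSocket() {
  const sent = [];
  return { sent, send: (msg) => sent.push(msg) };
}

// Handle one client message; only "sub <url>" is interpreted here.
function handleMessage(message, socket, req, options = {}) {
  const match = /^sub\s+(\S+)$/.exec(message);
  if (!match) return;
  const iri = match[1];
  const authorize = options.authorize || defaultAuthorize;
  authorize(iri, req, (err, allowed) => {
    if (err || !allowed) {
      // Deny: the socket is never registered, so later "pub" notices cannot leak.
      socket.send(`err ${iri} forbidden`);
      return;
    }
    if (!subscriptions.has(iri)) subscriptions.set(iri, new Set());
    subscriptions.get(iri).add(socket);
    socket.send(`ack ${iri}`);
  });
}

// Notify every accepted subscriber that a resource changed.
function publishChange(iri) {
  for (const socket of subscriptions.get(iri) || []) socket.send(`pub ${iri}`);
}

// Constructed ACL table (not real data): iri -> WebIDs with Read; null = public.
const READ_ACL = {
  'https://alice.example/public/notes': null,
  'https://alice.example/private/diary': new Set(['https://alice.example/profile#me']),
};

// Example hook a server could plug in; req.webId is an assumed field.
function aclAuthorize(iri, req, callback) {
  const readers = READ_ACL[iri];
  if (readers === undefined) return callback(null, false); // unknown resource: deny
  callback(null, readers === null || readers.has(req.webId));
}
```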