akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

feat: switch WebSocket auth from query params to HttpOnly cookies for security

Browse Source 
Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-12-17 12:54:35 +00:00
parent a01bcb8d4a
commit e1474e42aa
3 changed files with 42 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/internal/api/middleware/auth.go
View File

@@ -13,14 +13,17 @@ func AuthMiddleware(authService *services.AuthService) gin.HandlerFunc {
authHeader := c.GetHeader("Authorization")
if authHeader == "" {
// Try cookie first for browser flows
// Try cookie first for browser flows (including WebSocket upgrades)
if cookie, err := c.Cookie("auth_token"); err == nil && cookie != "" {
authHeader = "Bearer " + cookie
}
}
// DEPRECATED: Query parameter authentication for WebSocket connections
// This fallback exists only for backward compatibility and will be removed in a future version.
// Query parameters are logged in access logs and should not be used for sensitive data.
// Use HttpOnly cookies instead, which are automatically sent by browsers and not logged.
if authHeader == "" {
// Try query param (token passthrough)
if token := c.Query("token"); token != "" {
authHeader = "Bearer " + token
}