author | 2023-02-01 13:07:23 +0100 | |
---|---|---|
committer | 2023-02-01 13:07:23 +0100 | |
commit | eafe47f9511199b210b7c74d75adb12ce0827cd7 (patch) | |
tree | 1e983d4275f9a0d6f3133e211e6e516fa8c7d6b4 | |
parent | [feature] utilize system's libsqlite3 (diff) | |
download | gotosocial-eafe47f9511199b210b7c74d75adb12ce0827cd7.tar.xz |
[feature]: authenticate websocket securely
Allows WebSockets to be authenticated by passing the access token
through the Sec-WebSocket-Protocol header, rather than a loggable query
parameter.
This makes GoToSocial compatible with WebSocket consumers who expect
Mastodon's behavior after https://github.com/mastodon/mastodon/pull/10818.
-rw-r--r-- | internal/api/client/streaming/stream.go | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/internal/api/client/streaming/stream.go b/internal/api/client/streaming/stream.go
index 7e2922acf..625cf5d75 100644
--- a/internal/api/client/streaming/stream.go
+++ b/internal/api/client/streaming/stream.go
@@ -128,9 +128,13 @@ func (m *Module) StreamGETHandler(c *gin.Context) {
 accessToken := c.Query(AccessTokenQueryKey)
 if accessToken == "" {
- err := fmt.Errorf("no access token provided under query key %s", AccessTokenQueryKey)
- api.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGet)
- return
+ protocols := websocket.Subprotocols(c.Request)
+ if len(protocols) <= 0 {
+ err := fmt.Errorf("no access token provided under query key %s or as Sec-WebSocket-Protocol", AccessTokenQueryKey)
+ api.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGet)
+ return
+ }
+ accessToken = protocols[0]
 }
 account, errWithCode := m.processor.AuthorizeStreamingRequest(c.Request.Context(), accessToken) |