From eafe47f9511199b210b7c74d75adb12ce0827cd7 Mon Sep 17 00:00:00 2001
From: Terin Stock
Date: Wed, 1 Feb 2023 13:07:23 +0100
Subject: [feature]: authenticate websocket securely
Allows WebSockets to be authenticated by passing the access token through the Sec-WebSocket-Protocol header, rather than a loggable query parameter. This makes GoToSocial compatible with WebSocket comsumers who expect Mastodon's behavior after https://github.com/mastodon/mastodon/pull/10818.
---
 internal/api/client/streaming/stream.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'internal/api/client')
diff --git a/internal/api/client/streaming/stream.go b/internal/api/client/streaming/stream.go
index 7e2922acf..625cf5d75 100644
--- a/internal/api/client/streaming/stream.go
+++ b/internal/api/client/streaming/stream.go
@@ -128,9 +128,13 @@ func (m *Module) StreamGETHandler(c *gin.Context) {
 accessToken := c.Query(AccessTokenQueryKey)
 if accessToken == "" {
- err := fmt.Errorf("no access token provided under query key %s", AccessTokenQueryKey)
- api.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGet)
- return
+ protocols := websocket.Subprotocols(c.Request)
+ if len(protocols) <= 0 {
+ err := fmt.Errorf("no access token provided under query key %s or as Sec-WebSocket-Protocol", AccessTokenQueryKey)
+ api.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGet)
+ return
+ }
+ accessToken = protocols[0]
 }
 account, errWithCode := m.processor.AuthorizeStreamingRequest(c.Request.Context(), accessToken)
-- 
cgit v1.2.3
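Review bot: `if len(protocols) <= 0 {` in the added block compares a length that can never be negative; `if len(protocols) == 0 {` states the intent and is the form linters expect. A second point on the same lines: a client that offers the token as a subprotocol expects the handshake response to confirm it in `Sec-WebSocket-Protocol` (browsers abort the connection when they offered subprotocols and the server confirms none, which is why Mastodon's implementation echoes the selected value back), and nothing in this hunk shows the upgrade step being told which subprotocol was selected — if the `websocket.Upgrader` call later in StreamGETHandler does not pass it in the response header, I'd expect browser clients on this path to fail after a successful authorization, so that is worth confirming. The first offered subprotocol being treated as a bearer token is non-obvious and deserves a comment above `protocols := websocket.Subprotocols(c.Request)`, e.g. `// Mastodon-compatible clients send the access token as the first WebSocket subprotocol (mastodon/mastodon#10818).`. StreamGETHandler starts before the hunk and continues after it.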