feat(api-server): add websocket authorization #3854

Open

cxntered wants to merge 2 commits from cxntered/feat/ws-authorization into master

pull from: cxntered/feat/ws-authorization

merge into: YTMD:master

YTMD:master

YTMD:renovate/electron-38.x

YTMD:renovate/zod-4.x

YTMD:renovate/hono-node-server-1.x

YTMD:renovate/vite-7.x

YTMD:renovate/discord-api-types-0.x

YTMD:snyk-fix-cc0d8c0a11cb136c85b52eac08f01ecd

YTMD:renovate/youtubei.js-15.x

YTMD:renovate/virtua-0.x

YTMD:renovate/npm-hono-vulnerability

YTMD:dependabot/npm_and_yarn/hono-4.9.7

YTMD:renovate/ffmpeg.wasm-main-0.x

YTMD:renovate/ffmpeg.wasm-core-mt-0.x

YTMD:snyk-fix-b03d669b0e10f74efab60edd2a874685

YTMD:refactor/music-together

YTMD:feat/webnowplaying-v1

YTMD:feat/chromecast

YTMD:legacy/http-api

Conversation 2 Commits 2 Files changed 2 +43 -4

cxntered commented 2025-09-09 12:38:10 +00:00 (Migrated from github.com)

Copy link

adds authorization for websocket connections with bearer tokens (retrieved from the /auth/:id endpoint) using the ?token query param.
if a client is unauthorized, it closes the connection with status code 1008 (policy violation) with the message "Unauthorized".
not sure if this was the best way to implement authorization, but i am open to suggestions :>

adds authorization for websocket connections with bearer tokens (retrieved from the `/auth/:id` endpoint) using the `?token` query param. if a client is unauthorized, it closes the connection with status code `1008` (policy violation) with the message "Unauthorized". not sure if this was the best way to implement authorization, but i am open to suggestions :>

cxntered commented 2025-09-09 12:41:40 +00:00 (Migrated from github.com)

Copy link

if security is a concern (we are passing in the token directly in the url after all), passing in the token through the Sec-WebSocket-Protocol header could be an alternative, but i don't know if that's a major concern

if security is a concern (we *are* passing in the token directly in the url after all), passing in the token through the `Sec-WebSocket-Protocol` header could be an alternative, but i don't know if that's a major concern

JellyBrick commented 2025-09-09 13:41:55 +00:00 (Migrated from github.com)

Copy link

@cxntered Your system appears to be affected by the color@5.0.1 vulnerability. We recommend checking your machine. See issue #3855 for details.

@cxntered Your system appears to be affected by the `color@5.0.1` vulnerability. We recommend checking your machine. See issue #3855 for details.

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin cxntered/feat/ws-authorization:cxntered/feat/ws-authorization

git switch cxntered/feat/ws-authorization

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff cxntered/feat/ws-authorization

git switch cxntered/feat/ws-authorization

git rebase master

git switch master

git merge --ff-only cxntered/feat/ws-authorization

git switch cxntered/feat/ws-authorization

git rebase master

git switch master

git merge --no-ff cxntered/feat/ws-authorization

git switch master

git merge --squash cxntered/feat/ws-authorization

git switch master

git merge --ff-only cxntered/feat/ws-authorization

git switch master

git merge cxntered/feat/ws-authorization

git push origin master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

awaiting-reply

Awaiting reply

  

breaking changes

  

bug

Something isn't working

  

cannot-reproduce

Bug cannot be reproduced

  

dependencies

Pull requests that update a dependency file

  

documentation

  

duplicate

This issue or pull request already exists

  

electron-issue

It's an Electron or Electron related dependencies issue (not YTM-Desktop issue)

  

enhancement

New feature or request

  

fix-available

A fix to the issue is available in a new version

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update javascript code

  

need more information

Need more information about the issue

  

need rebase

This plugin need rebase

  

official-youtube-music-issue

It's an YouTube's issue (not YTM-Desktop issue)

  

plugin request

An issue/discussion requesting for a new plugin or new functionality to an existing plugin.

  

question

Further information is requested

  

release

Release

  

security

  

stale

  

Status: blocked

There are something to do before this

  

typo

  

wontfix

This will not be worked on

  

ytmd-issue

An issue/discussion about ytm desktop, unrelated to th-ch/youtube-music

No labels

awaiting-reply

breaking changes

bug

cannot-reproduce

dependencies

documentation

duplicate

electron-issue

enhancement

fix-available

good first issue

help wanted

invalid

javascript

need more information

need rebase

official-youtube-music-issue

plugin request

question

release

security

stale

Status: blocked

typo

wontfix

ytmd-issue

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: YTMD/youtube-music#3854

No description provided.