Strengthen WebSocket authentication #198

New Issue

Closed

opened 2026-02-02 17:27:10 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-02 17:27:10 +00:00

Owner

Copy Link

Problem

WebSocket authentication only checks for presence of userId/workspaceId in client.data but doesn't validate if these values are actually authenticated or if user has workspace access.

Location

apps/api/src/websocket/websocket.gateway.ts:94-100

const { userId, workspaceId } = authenticatedClient.data;

if (!userId || !workspaceId) {
  this.logger.warn(`Client ${authenticatedClient.id} without auth`);
  authenticatedClient.disconnect();
  return;
}
// ❌ Where is client.data populated?
// ❌ Is it validated?
// ❌ Does user have workspace access?

Issues

1. No validation of user authentication
2. No workspace access check
3. client.data could be set by anyone
4. No JWT verification
5. No audit log of connections

Acceptance Criteria

• Implement WsAuthGuard with JWT validation
• Verify user has workspace access
• Log all WebSocket connections
• Add connection rate limiting
• Add tests for auth failures
• Document WebSocket auth flow

Implementation

@UseGuards(WsAuthGuard)
@WebSocketGateway(/* ... */)
export class WebSocketGateway {
  async handleConnection(
    @ConnectedSocket() client: Socket
  ) {
    // Guard validates JWT and populates user data
    const { userId, workspaceId } = client.data;
    
    // Verify workspace access
    const hasAccess = await this.workspaceService.hasAccess(
      userId, 
      workspaceId
    );
    
    if (!hasAccess) {
      this.logger.warn(`User ${userId} no access to workspace ${workspaceId}`);
      client.disconnect();
      return;
    }
    
    this.logger.log(`User ${userId} connected to workspace ${workspaceId}`);
  }
}

// Guard implementation
@Injectable()
export class WsAuthGuard implements CanActivate {
  canActivate(context: ExecutionContext): boolean {
    const client = context.switchToWs().getClient<Socket>();
    const token = this.extractToken(client);
    
    if (!token) return false;
    
    const payload = this.jwtService.verify(token);
    client.data = payload;
    return true;
  }
}

Testing

• Test connection without token rejected
• Test expired token rejected
• Test user without workspace access rejected
• Test valid connection succeeds

References

M4.2-Infrastructure verification report (2026-02-02)

## Problem WebSocket authentication only checks for presence of userId/workspaceId in client.data but doesn't validate if these values are actually authenticated or if user has workspace access. ## Location apps/api/src/websocket/websocket.gateway.ts:94-100 ```typescript const { userId, workspaceId } = authenticatedClient.data; if (!userId || !workspaceId) { this.logger.warn(`Client ${authenticatedClient.id} without auth`); authenticatedClient.disconnect(); return; } // ❌ Where is client.data populated? // ❌ Is it validated? // ❌ Does user have workspace access? ``` ## Issues 1. No validation of user authentication 2. No workspace access check 3. client.data could be set by anyone 4. No JWT verification 5. No audit log of connections ## Acceptance Criteria - [ ] Implement WsAuthGuard with JWT validation - [ ] Verify user has workspace access - [ ] Log all WebSocket connections - [ ] Add connection rate limiting - [ ] Add tests for auth failures - [ ] Document WebSocket auth flow ## Implementation ```typescript @UseGuards(WsAuthGuard) @WebSocketGateway(/* ... */) export class WebSocketGateway { async handleConnection( @ConnectedSocket() client: Socket ) { // Guard validates JWT and populates user data const { userId, workspaceId } = client.data; // Verify workspace access const hasAccess = await this.workspaceService.hasAccess( userId, workspaceId ); if (!hasAccess) { this.logger.warn(`User ${userId} no access to workspace ${workspaceId}`); client.disconnect(); return; } this.logger.log(`User ${userId} connected to workspace ${workspaceId}`); } } // Guard implementation @Injectable() export class WsAuthGuard implements CanActivate { canActivate(context: ExecutionContext): boolean { const client = context.switchToWs().getClient<Socket>(); const token = this.extractToken(client); if (!token) return false; const payload = this.jwtService.verify(token); client.data = payload; return true; } } ``` ## Testing - [ ] Test connection without token rejected - [ ] Test expired token rejected - [ ] Test user without workspace access rejected - [ ] Test valid connection succeeds ## References M4.2-Infrastructure verification report (2026-02-02)

jason.woltje added this to the M4.2-Infrastructure (0.0.4) milestone 2026-02-02 17:27:10 +00:00

jason.woltje added the securityp2apiapi labels 2026-02-02 17:27:10 +00:00

jason.woltje closed this issue 2026-02-02 19:05:19 +00:00

jason.woltje referenced this issue from a commit 2026-02-02 19:14:42 +00:00

fix(#198): Strengthen WebSocket authentication

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api p2 security

Milestone

No items

No Milestone M4.2-Infrastructure (0.0.4)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#198