Jason Woltje
210b3d2e8f
fix(#198): Strengthen WebSocket authentication
Implemented comprehensive authentication for WebSocket connections to prevent
unauthorized access:
Security Improvements:
- Token validation: All connections require valid authentication tokens
- Session verification: Tokens verified against BetterAuth session store
- Workspace authorization: Users can only join workspaces they have access to
- Connection timeout: 5-second timeout prevents resource exhaustion
- Multiple token sources: Supports auth.token, query.token, and Authorization header
Implementation:
- Enhanced WebSocketGateway.handleConnection() with authentication flow
- Added extractTokenFromHandshake() for flexible token extraction
- Integrated AuthService for session validation
- Added PrismaService for workspace membership verification
- Proper error handling and client disconnection on auth failures
Testing:
- TDD approach: wrote tests first (RED phase)
- 33 tests passing with 85.95% coverage (exceeds 85% requirement)
- Comprehensive test coverage for all authentication scenarios
Files Changed:
- apps/api/src/websocket/websocket.gateway.ts (authentication logic)
- apps/api/src/websocket/websocket.gateway.spec.ts (comprehensive tests)
- apps/api/src/websocket/websocket.module.ts (dependency injection)
- docs/scratchpads/198-strengthen-websocket-auth.md (documentation)
Fixes #198
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-02 13:04:34 -06:00
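The commit message above describes the flow but the page carries no code. The block below is an added illustration in TypeScript, not the project's code: it shows a handshake token extractor that honours the three sources in the order the message lists them (auth.token, query.token, Authorization header) and an authentication step that verifies the session, checks workspace membership, and fails closed if the checks do not finish within a bounded time. The handshake shape, the `SessionStore`/`MembershipStore` interfaces, the in-memory demo stores, `AUTH_TIMEOUT_MS`, and the reading of "5-second timeout" as a bound on the auth check are all assumptions.

```typescript
// Added illustration of the flow described in the commit message; it is not the
// project's code. Handshake shape, store interfaces, AUTH_TIMEOUT_MS and every
// name below are assumptions.

interface Handshake {
  auth?: { token?: unknown };
  query?: { token?: unknown };
  headers?: Record<string, string | undefined>;
}

function nonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0;
}

// Token sources in the order the commit lists them: auth.token, query.token,
// then a "Bearer <token>" Authorization header. Anything else yields null, so a
// missing or malformed credential fails closed instead of matching by accident.
function extractTokenFromHandshake(hs: Handshake): string | null {
  const fromAuth = hs.auth?.token;
  if (nonEmptyString(fromAuth)) return fromAuth;
  const fromQuery = hs.query?.token;
  if (nonEmptyString(fromQuery)) return fromQuery;
  const header = hs.headers?.["authorization"];
  if (typeof header === "string") {
    const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
    if (m) return m[1];
  }
  return null;
}

// Assumed abstractions over the session store and the workspace-membership lookup.
interface SessionStore {
  verify(token: string): Promise<{ userId: string } | null>;
}
interface MembershipStore {
  isMember(userId: string, workspaceId: string): Promise<boolean>;
}

type AuthFailure = "missing_token" | "invalid_session" | "not_a_member" | "timeout" | "store_error";
type AuthResult = { ok: true; userId: string } | { ok: false; reason: AuthFailure };

const AUTH_TIMEOUT_MS = 5000; // assumed bound on how long the handshake may stay unauthenticated
const TIMEOUT = Symbol("auth-timeout");

// Race a piece of async work against a timer; the timer is cleared either way so
// a fast result does not leave a dangling handle.
function withTimeout<T>(work: Promise<T>, ms: number): Promise<T> {
  return new Promise<T>((resolve, reject) => {
    const timer = setTimeout(() => reject(TIMEOUT), ms);
    work.then(
      (v) => { clearTimeout(timer); resolve(v); },
      (e) => { clearTimeout(timer); reject(e); },
    );
  });
}

// Decide whether a connecting client may join `workspaceId`. Every failure path
// returns ok:false so the caller can disconnect the socket with a single check.
async function authenticateConnection(
  hs: Handshake,
  workspaceId: string,
  sessions: SessionStore,
  members: MembershipStore,
  timeoutMs: number = AUTH_TIMEOUT_MS,
): Promise<AuthResult> {
  const token = extractTokenFromHandshake(hs);
  if (token === null) return { ok: false, reason: "missing_token" };

  const check = async (): Promise<AuthResult> => {
    const session = await sessions.verify(token);
    if (session === null) return { ok: false, reason: "invalid_session" };
    if (!(await members.isMember(session.userId, workspaceId))) {
      return { ok: false, reason: "not_a_member" };
    }
    return { ok: true, userId: session.userId };
  };

  try {
    return await withTimeout(check(), timeoutMs);
  } catch (e) {
    // A slow store and a broken store are both treated as a denied connection.
    return { ok: false, reason: e === TIMEOUT ? "timeout" : "store_error" };
  }
}

// Constructed in-memory stores standing in for the real session and membership lookups.
const demoSessions: SessionStore = {
  async verify(token) { return token === "sess-valid-123" ? { userId: "user-1" } : null; },
};
const demoMembers: MembershipStore = {
  async isMember(userId, workspaceId) { return userId === "user-1" && workspaceId === "ws-alpha"; },
};

async function demo(): Promise<void> {
  const good = await authenticateConnection({ auth: { token: "sess-valid-123" } }, "ws-alpha", demoSessions, demoMembers);
  const wrongWorkspace = await authenticateConnection({ headers: { authorization: "Bearer sess-valid-123" } }, "ws-beta", demoSessions, demoMembers);
  console.log(good, wrongWorkspace);
}
void demo();
```

In a gateway this would run inside the connection handler: an `ok: false` result disconnects the client, and the `reason` is what gets logged, so an operator can tell a flood of missing tokens from a slow session store.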