stack/docs/scratchpads at 210b3d2e8f9749afe2aa97941dbb30856975f9f1 - stack - Mosaic Gitea

mosaic/stack

Files

History

Jason Woltje 210b3d2e8f fix(#198 ): Strengthen WebSocket authentication

Implemented comprehensive authentication for WebSocket connections to prevent
unauthorized access:

Security Improvements:
- Token validation: All connections require valid authentication tokens
- Session verification: Tokens verified against BetterAuth session store
- Workspace authorization: Users can only join workspaces they have access to
- Connection timeout: 5-second timeout prevents resource exhaustion
- Multiple token sources: Supports auth.token, query.token, and Authorization header

Implementation:
- Enhanced WebSocketGateway.handleConnection() with authentication flow
- Added extractTokenFromHandshake() for flexible token extraction
- Integrated AuthService for session validation
- Added PrismaService for workspace membership verification
- Proper error handling and client disconnection on auth failures

Testing:
- TDD approach: wrote tests first (RED phase)
- 33 tests passing with 85.95% coverage (exceeds 85% requirement)
- Comprehensive test coverage for all authentication scenarios

Files Changed:
- apps/api/src/websocket/websocket.gateway.ts (authentication logic)
- apps/api/src/websocket/websocket.gateway.spec.ts (comprehensive tests)
- apps/api/src/websocket/websocket.module.ts (dependency injection)
- docs/scratchpads/198-strengthen-websocket-auth.md (documentation)

Fixes #198

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-02 13:04:34 -06:00

..

1-project-scaffold.md

feat(#1 ): Set up monorepo scaffold with pnpm workspaces + TurboRepo

2026-01-28 13:31:33 -06:00

2-postgresql-pgvector-schema.md

feat(#2 ): Implement PostgreSQL 17 + pgvector database schema

2026-01-28 16:06:34 -06:00

3-prisma-orm-setup.md

feat(#3 ): Add comprehensive tests and improve Prisma seed script

2026-01-28 16:24:25 -06:00

4-authentik-oidc-final-status.md

feat(#4 ): Implement Authentik OIDC authentication with BetterAuth

2026-01-28 17:26:34 -06:00

4-authentik-oidc.md

feat(#4 ): Implement Authentik OIDC authentication with BetterAuth

2026-01-28 17:26:34 -06:00

5-crud-apis.md

feat(#5 ): Implement CRUD APIs for tasks, events, and projects

2026-01-28 18:43:12 -06:00

6-basic-web-ui.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

7-8-type-safety-fixes.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

7-activity-logging.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

8-docker-compose.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

36-traefik-integration.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

122-llm-provider-interface.md

feat(#122 ): create LLM provider interface

2026-01-31 11:38:38 -06:00

123-ollama-provider.md

feat(#123 ): port Ollama LLM provider

2026-01-31 12:10:43 -06:00

126-llm-manager-service.md

feat(#126 ): create LLM Manager Service

2026-01-31 12:22:14 -06:00

128-llm-provider-schema.md

feat(#128 ): add LlmProviderInstance Prisma schema

2026-01-31 11:57:40 -06:00

143-validate-50-percent-rule.md

test(#143 ): Validate 50% rule prevents context exhaustion

2026-02-01 17:56:04 -06:00

149-test-rejection-loop.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

150-orchestration-loop.md

docs(#150 ): Add scratchpad for orchestration loop implementation

2026-02-01 20:22:07 -06:00

155-context-monitor.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

157-webhook-receiver.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

158-issue-parser.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

163-bullmq-dependencies.md

feat(#163 ): Add BullMQ dependencies

2026-02-01 20:56:45 -06:00

164-database-schema-jobs.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

165-bullmq-module-setup.md

feat(#165 ): Implement BullMQ module setup

2026-02-01 21:01:25 -06:00

166-stitcher-module.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

167-runner-jobs-crud.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

168-job-steps-tracking.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

169-job-events-audit.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

170-discord-bridge.md

feat(#170 ): Implement mosaic-bridge module for Discord

2026-02-01 21:26:40 -06:00

171-command-parser.md

feat(#171 ): Implement chat command parsing

2026-02-01 21:32:53 -06:00

172-herald-status.md

feat(#172 ): Implement Herald status updates

2026-02-01 21:42:44 -06:00

173-websocket-gateway.md

feat(#173 ): Implement WebSocket gateway for job events

2026-02-01 21:22:41 -06:00

174-sse-endpoint.md

docs(#162 ): Finalize M4.2-Infrastructure token tracking report

2026-02-02 08:18:55 -06:00

175-e2e-harness.md

feat(#175 ): Implement E2E test harness

2026-02-01 21:44:04 -06:00

176-coordinator-integration.md

feat(#176 ): Integrate M4.2 infrastructure with M4.1 coordinator

2026-02-01 21:54:34 -06:00

179-security-nodejs-deps.md

fix(#179 ): Update vulnerable Node.js dependencies

2026-02-01 20:54:25 -06:00

180-security-pnpm-dockerfiles.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

181-security-go-stdlib-postgres.md

fix(#181 ): Update Alpine packages to patch Go stdlib vulnerabilities in postgres image

2026-02-01 20:54:57 -06:00

182-fix-prisma-enum-tests.md

fix(#182 ): fix Prisma enum import in job-steps tests

2026-02-02 11:41:11 -06:00

183-remove-hardcoded-workspace-id.md

fix(#183 ): remove hardcoded workspace ID from Discord service

2026-02-02 11:41:38 -06:00

184-add-coordinator-auth.md

fix(#184 ): add authentication to coordinator integration endpoints

2026-02-02 11:52:41 -06:00

185-fix-herald-error-handling.md

fix(#185 ): fix silent error swallowing in Herald broadcasting

2026-02-02 11:47:11 -06:00

186-add-dto-validation.md

fix(#196 ): fix race condition in job status updates

2026-02-02 12:51:17 -06:00

187-implement-sse-error-recovery.md

fix(#187 ): implement server-side SSE error recovery

2026-02-02 12:41:12 -06:00

188-sanitize-discord-logs.md

fix(#188 ): sanitize Discord error logs to prevent secret exposure

2026-02-02 12:24:29 -06:00

189-add-job-events-index.md

fix(#189 ): add composite database index for job_events table

2026-02-02 12:30:19 -06:00

190-fix-mermaid-xss.md

fix(#190 ): fix XSS vulnerability in Mermaid rendering

2026-02-02 12:03:36 -06:00

192-fix-cors-configuration.md

fix(#192 ): fix CORS configuration for cookie-based authentication

2026-02-02 12:13:17 -06:00

196-fix-job-status-race-condition.md

fix(#196 ): fix race condition in job status updates

2026-02-02 12:51:17 -06:00

197-add-explicit-return-types.md

docs(#197 ): update scratchpad with completion status

2026-02-02 12:55:17 -06:00

198-strengthen-websocket-auth.md

fix(#198 ): Strengthen WebSocket authentication

2026-02-02 13:04:34 -06:00

security-fixes-activity-api.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00