feat(plugins): plugin-to-gateway WebSocket auth mechanism #94

New Issue

jason.woltje · 2026-03-13T17:08:57Z

jason.woltje commented

2026-03-13 17:08:57 +00:00

Context

PR #85 added validateSocketSession to ChatGateway.handleConnection — all WebSocket connections now require a valid session cookie.

PR #93 (@mosaic/telegram-plugin) connects to the /chat gateway WebSocket without auth headers. Once PR #85 merges, the plugin will be disconnected immediately.

Needed

A mechanism for internal channel plugins to authenticate against the gateway WebSocket. Options:

Service API key — gateway accepts X-Plugin-Token header (env-configured shared secret), bypasses Better Auth session check for plugin connections
Trusted localhost bypass — allow connections from 127.0.0.1 without session validation (simpler but less secure in container environments)
Bot service account — plugins authenticate using a real Better Auth session (service account user)

Recommendation

Option 1 (service API key) — add PLUGIN_API_KEY env var, check in handleConnection before calling validateSocketSession.

Affected

apps/gateway/src/chat/chat.gateway.ts
plugins/telegram/src/index.ts
plugins/discord/src/index.ts (if applicable)

## Context PR #85 added `validateSocketSession` to `ChatGateway.handleConnection` — all WebSocket connections now require a valid session cookie. PR #93 (`@mosaic/telegram-plugin`) connects to the `/chat` gateway WebSocket without auth headers. Once PR #85 merges, the plugin will be disconnected immediately. ## Needed A mechanism for internal channel plugins to authenticate against the gateway WebSocket. Options: 1. **Service API key** — gateway accepts `X-Plugin-Token` header (env-configured shared secret), bypasses Better Auth session check for plugin connections 2. **Trusted localhost bypass** — allow connections from 127.0.0.1 without session validation (simpler but less secure in container environments) 3. **Bot service account** — plugins authenticate using a real Better Auth session (service account user) ## Recommendation Option 1 (service API key) — add `PLUGIN_API_KEY` env var, check in `handleConnection` before calling `validateSocketSession`. ## Affected - `apps/gateway/src/chat/chat.gateway.ts` - `plugins/telegram/src/index.ts` - `plugins/discord/src/index.ts` (if applicable)

Sign in to join this conversation.

Branches Tags

main

release/mosaic-v0.0.29

fix/installer-idempotent-creds

feat/framework-superpowers-enforcement

feat/install-ux-intent

feat/install-ux-polish

docs/iuv-m01-complete

fix/build-vitest-allowdefault

fix/bootstrap-hotfix

docs/install-ux-v2-scaffold

release/mosaic-v0.0.25

docs/iuh-mission-complete

feat/unified-first-run

docs/iuh-m02-complete

feat/wizard-remediation

feat/mosaic-macp-cli

fix/gateway-token-recovery-review

feat/mosaic-auth-cli

feat/mosaic-forge-cli-v2

feat/mosaic-storage-cli

feat/mosaic-memory-cli

feat/gateway-token-recovery

feat/mosaic-forge-cli

feat/mosaic-config-command

feat/mosaic-queue-cli

feat/mosaic-brain-cli

feat/mosaic-help-alphabetize

docs/gateway-token-recovery-plan

chore/bump-mosaic-0.0.21

fix/populate-known-packages-list

fix/publish-loud-errors

fix/gitea-org-rename

fix/gateway-install-ux

fix/rename-mosaic-scope-391

fix/db-memory-queue-publish-drift

fix/updater-wrapper-gitea-387

fix/config-package-version-drift

fix/updater-mosaic-package-382

fix/merge-cli-into-mosaic

fix/metapackage-cli-dep

chore/bump-cli-mosaic-0.0.16

fix/gateway-deprecation-warnings

fix/gateway-install-prefix-eacces

chore/gateway-default-port-14242

fix/gateway-scoped-registry

fix/gateway-install-registry

chore/bump-0.0.11

feat/gateway-local-tier

feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3

fix/pnpm-build-scripts

fix/storage-sqlite-ci

feat/storage-abstraction

fix/idempotent-init

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#94