From 3878e94f1c66404a47910aa38df1da4ac4c022f2 Mon Sep 17 00:00:00 2001
From: super1207
Date: Fri, 12 Dec 2025 23:22:27 +0800
Subject: [PATCH 1/2] fix: enhance WebSocket access token validation method

---
 src/milky/network/http.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/milky/network/http.ts b/src/milky/network/http.ts
index e07a811a9..2d62d3851 100644
--- a/src/milky/network/http.ts
+++ b/src/milky/network/http.ts
@@ -89,7 +89,15 @@ class MilkyHttpHandler {
 // Check access token for WebSocket connection
 if (this.config.accessToken) {
 const url = new URL(req.url!, `http://${req.headers.host}`)
- const inputToken = url.searchParams.get('access_token')
+
+ let inputToken = ''
+ const authHeader = req.headers['authorization']
+ if (authHeader) {
+ inputToken = authHeader.split('Bearer ').pop()!
+ this.ctx.logger.info('receive ws header token', inputToken)
+ } else {
+ inputToken = url.searchParams.get('access_token') ?? ''
+ }
 if (!inputToken || inputToken !== this.config.accessToken) {
 this.ctx.logger.warn('MilkyHttp', `${req.socket.remoteAddress} -> /event (Credentials invalid)`)
From 372af7225c6bcf6e8b2970c90fd0bfd52c594b5b Mon Sep 17 00:00:00 2001
From: linyuchen
Date: Sat, 13 Dec 2025 00:36:32 +0800
Subject: [PATCH 2/2] Update src/milky/network/http.ts

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
---
 src/milky/network/http.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/milky/network/http.ts b/src/milky/network/http.ts
index 2d62d3851..872a5ab0f 100644
--- a/src/milky/network/http.ts
+++ b/src/milky/network/http.ts
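Review bot: The added `this.ctx.logger.info('receive ws header token', inputToken)` in the first patch's hunk writes the client-supplied bearer token to the log at info level, so a valid access token becomes readable by anyone who can read the logs; the second patch's hunk keeps the line as context. Log the event without the value, e.g. `this.ctx.logger.info('MilkyHttp', 'ws token taken from Authorization header')`, or drop the line. The unchanged check `inputToken !== this.config.accessToken` just below is a plain string comparison; for a shared secret a constant-time compare (Node's `crypto.timingSafeEqual` on equal-length buffers) is the usual choice. The enclosing handler starts and ends outside the hunk.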
@@ -92,8 +92,8 @@ class MilkyHttpHandler {
 let inputToken = ''
 const authHeader = req.headers['authorization']
- if (authHeader) {
- inputToken = authHeader.split('Bearer ').pop()!
+ if (authHeader?.toLowerCase().startsWith('bearer ')) {
+ inputToken = authHeader.slice(7).trim()
 this.ctx.logger.info('receive ws header token', inputToken)
 } else {
 inputToken = url.searchParams.get('access_token') ?? ''
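Review bot: The `else` branch still accepts `access_token` from the query string without saying why, and a token carried in the URL tends to be recorded by reverse proxies and access logs. Presumably the fallback stays for clients that cannot set an Authorization header on a WebSocket handshake (the browser WebSocket API cannot); a comment above the branch such as `// Fallback for clients that cannot send an Authorization header; the token is then part of the request URL` would make that explicit. The `7` in `authHeader.slice(7)` is the length of `'bearer '` from the line above and would be clearer derived from a named prefix, `authHeader.slice(BEARER_PREFIX.length).trim()`. The `else` block closes outside the hunk.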