fix(websocket): send credentials and handle server auth protocol

shaunwarman · shaunwarman · commit 0d4d91383f26 · 2026-03-11T23:31:52.000-05:00
diff --git a/src/utils/websocket-client.js b/src/utils/websocket-client.js
@@ -309,18 +309,17 @@ export function createWebSocketClient(opts = {}) {
     console.info('[ws] Connecting...');
 
     try {
-      // NOTE: Browser WebSocket API does not support custom headers, and
-      // modern browsers no longer send an Authorization header from URL
-      // userinfo (user:pass@host) on WebSocket upgrade requests.
-      // The server's _authenticate() exclusively reads basicAuth(request)
-      // from the Authorization header, so browser clients cannot currently
-      // authenticate.  Until the server is updated to accept query-param
-      // or token-based auth for WebSocket upgrades, the connection will
-      // fall through to broadcastOnly mode.
-      // TODO: Update server _authenticate() to read query.username /
-      // query.password when Authorization header is absent, then pass
-      // credentials here via searchParams.
-      const connectURL = url;
+      // Browser WebSocket API does not support custom headers, so we pass
+      // credentials via query params.  The server's _authenticate() reads
+      // query.username / query.password when the Authorization header is
+      // absent (see api-websocket-handler.js).
+      let connectURL = url;
+      if (opts.email && opts.password) {
+        const u = new URL(url);
+        u.searchParams.set('username', opts.email);
+        u.searchParams.set('password', opts.password);
+        connectURL = u.toString();
+      }
 
       socket = new WebSocket(connectURL);
       if (wantsMsgpackr && msgpackrAvailable) {
@@ -372,7 +371,6 @@ export function createWebSocketClient(opts = {}) {
           if (parsed.status === 'ok') {
             authenticated = true;
             console.info('[ws] Authenticated');
-            // Start ping timeout now — server begins sending pings after auth
             resetPingTimeout();
             dispatch('_authenticated', {});
           } else {
@@ -382,6 +380,19 @@ export function createWebSocketClient(opts = {}) {
           }
           return;
 
+        case 'connected':
+          // Server sends { event: 'connected', aliasId } on successful auth,
+          // or { event: 'connected', broadcastOnly: true } for unauthenticated.
+          if (parsed.aliasId && !parsed.broadcastOnly) {
+            authenticated = true;
+            console.info('[ws] Authenticated (aliasId:', parsed.aliasId, ')');
+            resetPingTimeout();
+            dispatch('_authenticated', { aliasId: parsed.aliasId });
+          } else {
+            console.info('[ws] Connected in broadcast-only mode');
+          }
+          return;
+
         default:
           break;
       }
