fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313
Open
erichkusuki wants to merge 1 commit into
Open
fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313erichkusuki wants to merge 1 commit into
erichkusuki wants to merge 1 commit into
Conversation
…add UI token field Browsers cannot attach an Authorization header to a WebSocket upgrade, so with RUVIEW_API_TOKEN set the Live Demo pose stream at /api/v1/stream/pose always failed with 401 — the same reason /ws/sensing is already exempted (see bearer_auth module docs). Adds a narrow EXEMPT_PATHS list plus a regression test that the exemption does not leak to other /api/v1/* paths. Query-string tokens remain rejected (CWE-598 test untouched). Also adds an 'API Access' bearer-token field to the QuickSettings panel: ui/services/api.service.js had setAuthToken() but nothing ever called it, so enabling RUVIEW_API_TOKEN broke every /api/v1/* call from the bundled dashboard. The token is stored in localStorage and applied before the first request. Fixes ruvnet#1310 Co-Authored-By: claude-flow <ruv@ruv.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1310
What
bearer_auth.rs: adds a narrowEXEMPT_PATHSlist (/api/v1/stream/pose) checked alongsidePROTECTED_PREFIX, plus a regression test asserting the pose-stream WS stays reachable without a token and that the exemption does not leak to other/api/v1/*paths. The existing CWE-598 test (query-string tokens rejected) is untouched.ui/utils/quick-settings.js+ui/style.css: adds an "API Access" section to the QuickSettings panel — a password-type field that stores the bearer token inlocalStorageand applies it viaapiService.setAuthToken()before the first request (with save/clear + status line).Why
Browsers cannot attach an
Authorizationheader to a WebSocket upgrade, so withRUVIEW_API_TOKENset the Live Demo pose stream always failed (Failed to start: WebSocket connection failed)./ws/sensingis already exempted for exactly this reason (see the bearer_auth module docs);/api/v1/stream/posewas presumably missed because it sits inside the protected prefix.Separately, the bundled dashboard had no way to supply the token at all:
api.service.jsshipssetAuthToken()but nothing ever called it, so enabling bearer auth broke every/api/v1/*call from the UI (constant 401s). The two changes together makeRUVIEW_API_TOKENactually usable with the bundled dashboard. Can split the UI part into its own PR if preferred.Verification
Deployed against a live 2-node ESP32-S3 setup with
RUVIEW_API_TOKENset: token entered via the new Settings field → all REST 401s gone; Live Demo tab connects (LIVE — ESP32 HARDWARE CONNECTED, frames processed, 0 errors). New unit test passes alongside the existing bearer_auth suite; image builds clean viadocker/Dockerfile.rust.🤖 Generated with claude-flow