Skip to content

fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313

Open
erichkusuki wants to merge 1 commit into
ruvnet:mainfrom
erichkusuki:fix/pose-ws-bearer-auth
Open

fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313
erichkusuki wants to merge 1 commit into
ruvnet:mainfrom
erichkusuki:fix/pose-ws-bearer-auth

Conversation

@erichkusuki

Copy link
Copy Markdown

Fixes #1310

What

  • bearer_auth.rs: adds a narrow EXEMPT_PATHS list (/api/v1/stream/pose) checked alongside PROTECTED_PREFIX, plus a regression test asserting the pose-stream WS stays reachable without a token and that the exemption does not leak to other /api/v1/* paths. The existing CWE-598 test (query-string tokens rejected) is untouched.
  • ui/utils/quick-settings.js + ui/style.css: adds an "API Access" section to the QuickSettings panel — a password-type field that stores the bearer token in localStorage and applies it via apiService.setAuthToken() before the first request (with save/clear + status line).

Why

Browsers cannot attach an Authorization header to a WebSocket upgrade, so with RUVIEW_API_TOKEN set the Live Demo pose stream always failed (Failed to start: WebSocket connection failed). /ws/sensing is already exempted for exactly this reason (see the bearer_auth module docs); /api/v1/stream/pose was presumably missed because it sits inside the protected prefix.

Separately, the bundled dashboard had no way to supply the token at all: api.service.js ships setAuthToken() but nothing ever called it, so enabling bearer auth broke every /api/v1/* call from the UI (constant 401s). The two changes together make RUVIEW_API_TOKEN actually usable with the bundled dashboard. Can split the UI part into its own PR if preferred.

Verification

Deployed against a live 2-node ESP32-S3 setup with RUVIEW_API_TOKEN set: token entered via the new Settings field → all REST 401s gone; Live Demo tab connects (LIVE — ESP32 HARDWARE CONNECTED, frames processed, 0 errors). New unit test passes alongside the existing bearer_auth suite; image builds clean via docker/Dockerfile.rust.

🤖 Generated with claude-flow

…add UI token field

Browsers cannot attach an Authorization header to a WebSocket upgrade,
so with RUVIEW_API_TOKEN set the Live Demo pose stream at
/api/v1/stream/pose always failed with 401 — the same reason
/ws/sensing is already exempted (see bearer_auth module docs). Adds a
narrow EXEMPT_PATHS list plus a regression test that the exemption
does not leak to other /api/v1/* paths. Query-string tokens remain
rejected (CWE-598 test untouched).

Also adds an 'API Access' bearer-token field to the QuickSettings
panel: ui/services/api.service.js had setAuthToken() but nothing ever
called it, so enabling RUVIEW_API_TOKEN broke every /api/v1/* call
from the bundled dashboard. The token is stored in localStorage and
applied before the first request.

Fixes ruvnet#1310

Co-Authored-By: claude-flow <ruv@ruv.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

sensing-server: /api/v1/stream/pose WebSocket is unreachable when RUVIEW_API_TOKEN is set (browsers cannot send Authorization on WS upgrade)

1 participant