Cors and token #5850
Cors and token #5850
Conversation
There was a problem hiding this comment.
Pull request overview
This PR implements a security fix for unauthenticated WebSocket connections by adding token-based authentication and CORS restrictions. When no auth_token is configured, it generates a random UUID token that must be passed in WebSocket connections and restricts CORS to specific localhost origins.
Key changes:
- Adds ws_token generation for unauthenticated mode
- Restricts CORS to localhost origins when unauthenticated
- Passes token via query parameter in WebSocket connections
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
crates/goose-cli/static/script.js |
Updated WebSocket connection to include token query parameter from window.GOOSE_WS_TOKEN |
crates/goose-cli/src/commands/web.rs |
Added ws_token generation, CORS restrictions, token injection into HTML, and WebSocket token validation logic |
| if state.auth_token.is_none() { | ||
| let provided_token = query.token.as_deref().unwrap_or(""); | ||
| if provided_token != state.ws_token { | ||
| tracing::warn!("WebSocket connection rejected: invalid token"); | ||
| return Err(StatusCode::FORBIDDEN); | ||
| } | ||
| } |
There was a problem hiding this comment.
WebSocket connections will fail when auth_token is configured. The auth_middleware requires an Authorization header (line 99-117), but browsers cannot set custom headers in WebSocket upgrade requests. This means:
- When
auth_token.is_some(), the auth_middleware will always return 401 for/wsrequests - The websocket_handler will never execute
- WebSocket connections are broken in authenticated mode
The auth_middleware needs to allow /ws to pass through and let websocket_handler validate the token from the query parameter:
async fn auth_middleware(
State(state): State<AppState>,
req: Request,
next: Next,
) -> Result<Response, StatusCode> {
// Skip auth for health check and WebSocket
if req.uri().path() == "/api/health" || req.uri().path() == "/ws" {
return Ok(next.run(req).await);
}
// ... rest of auth logic
}Then in websocket_handler, validate auth_token when present:
if let Some(ref expected_token) = state.auth_token {
let provided_token = query.token.as_deref().unwrap_or("");
if provided_token != expected_token {
tracing::warn!("WebSocket connection rejected: invalid auth token");
return Err(StatusCode::FORBIDDEN);
}
} else if state.auth_token.is_none() {
// Validate ws_token
let provided_token = query.token.as_deref().unwrap_or("");
if provided_token != state.ws_token {
tracing::warn!("WebSocket connection rejected: invalid token");
return Err(StatusCode::FORBIDDEN);
}
}| return Ok(next.run(req).await); | ||
| } | ||
|
|
||
| // If no auth token is configured, skip authentication entirely |
There was a problem hiding this comment.
this is actually a helpful and IMO necessary comment, I don't like just blindly deleting oneline coments.
There was a problem hiding this comment.
interestingly enough, goose deleted this comment. which it probably did because I have general settings that it should delete useless comments.
I would still argue that the comment says the same thing as the code below though.
There was a problem hiding this comment.
it never ever wants to with mine - I guess it tends to follow "house style" over what system prompt says! @DOsinga sometimes I wonder if we need to put some logic in the editor tool for it to to return an error if it detects single line comment (error can be "this is an inane comment, please either remove and try again or consider if it is really needed) or something?
michaelneale
left a comment
michaelneale
left a comment
There was a problem hiding this comment.
seems reasonable (although gets rid of useful comments.
* main: (48 commits) [fix] generic check for gemini compat (#5842) Add scheduler to diagnostics (#5849) Cors and token (#5850) fix sessions coming back with empty messages (#5841) markdown export from URL (#5830) Next camp refactor live (#5706) Add out of context compaction test via error proxy (#5805) fix: Add backward compatibility for conversationCompacted message type (#5819) Add /agent/stop endpoint, make max active agents configurable (#5826) Handle 404s (#5791) Persist provider name and model config in the session (#5419) Comment out the flaky mcp callers (#5827) Slash commands (#5718) fix: remove setx calls to not permanently edit the windows shell PATH (#5821) fix: Parse maas models for gcp vertex provider (#5816) fix: support Gemini 3's thought signatures (#5806) chore: Add Adrian Cole to Maintainers (#5815) [MCP-UI] Proxy and Better Message Handling (#5487) Release 1.15.0 Document New Window menu in macOS dock (#5811) ...
Co-authored-by: Douwe Osinga <[email protected]>
Co-authored-by: Douwe Osinga <[email protected]> Signed-off-by: Sai Karthik <[email protected]>
Co-authored-by: Douwe Osinga <[email protected]> Signed-off-by: Blair Allan <[email protected]>
Fixes https://github.com/block/goose/security/advisories/GHSA-3cq5-5r4q-jg5w#event-502791