8 changes: 1 addition & 7 deletions src/components/shell/utils/socket.ts
@@ -8,13 +8,7 @@ export function getShellWebSocketUrl(): string | null {
return `${protocol}//${window.location.host}/shell`;
}

const token = localStorage.getItem('auth-token');
if (!token) {
console.error('No authentication token found for Shell WebSocket connection');
return null;
}

return `${protocol}//${window.location.host}/shell?token=${encodeURIComponent(token)}`;
return `${protocol}//${window.location.host}/shell`;
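Review bot: the hunk removes the only credential transport the client had (the `?token=` query parameter read from localStorage) and replaces it with a bare `/shell` URL, but adds nothing in its place; a browser `WebSocket` cannot set an `Authorization` header on the upgrade request, so the only thing the server can still receive is a cookie sent automatically with the upgrade, and that requires a matching server change to `verifyClient` before this can land. Taking the token out of the query string is the right direction to keep (query strings are written to proxy and server access logs and to browser history), but the replacement should be paired with the server-side change in the same PR, and if it moves to a cookie the upgrade handler also needs an `Origin` check, since cookies are attached by the browser regardless of which page opened the socket.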
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Confirm /shell connection path and handler signature
rg -n -C3 "pathname === '/shell'|handleShellConnection\\s*\\("

# 2) Confirm OSS WebSocket auth expectations
rg -n -C3 "authenticateWebSocket\\s*\\(|if\\s*\\(!token\\)"

# 3) Inspect shell handler implementation for auth enforcement and request/cookie access
rg -n -C4 "function\\s+handleShellConnection|const\\s+handleShellConnection|handleShellConnection\\s*=|cookie|authorization|token|jwt"

Repository: siteboon/claudecodeui

Length of output: 50378


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get full handleShellConnection function implementation (grep for function start and capture lines until next function or EOF)
rg -n -A50 "^function handleShellConnection" server/index.js | head -80

Repository: siteboon/claudecodeui

Length of output: 2867


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get full handleShellConnection including all event handlers
rg -n -A150 "^function handleShellConnection" server/index.js | head -200

Repository: siteboon/claudecodeui

Length of output: 8784


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Search for the verifyClient or upgrade handler for /shell
rg -n -B10 "handleShellConnection" server/index.js | grep -E "(verifyClient|upgrade|pathname|/shell)" | head -30

Repository: siteboon/claudecodeui

Length of output: 208


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find verifyClient function and examine auth for both /shell and /ws
rg -n -B5 -A15 "verifyClient\s*[:=]" server/index.js | head -100

Repository: siteboon/claudecodeui

Length of output: 859


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get full verifyClient function
rg -n -A30 "verifyClient\s*:\s*\(info\)" server/index.js

Repository: siteboon/claudecodeui

Length of output: 1399


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find the getShellWebSocketUrl or similar function to see if headers include token
rg -n -A10 "socket\.ts|getShellWebSocketUrl|/shell" src/components/shell/utils/socket.ts 2>/dev/null || rg -n -B5 -A10 "return.*shell" src/components/shell/utils/socket.ts

Repository: siteboon/claudecodeui

Length of output: 567


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check if there's a WebSocket connection initiation with headers
rg -n -A10 "new WebSocket|getShellWebSocketUrl" src/components/shell --type ts --type tsx

Repository: siteboon/claudecodeui

Length of output: 92


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check shell component for WebSocket connection
rg -n "getShellWebSocketUrl\|new WebSocket" src/components/shell/

Repository: siteboon/claudecodeui

Length of output: 47


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find files importing or using getShellWebSocketUrl
rg -l "getShellWebSocketUrl" src/

Repository: siteboon/claudecodeui

Length of output: 150


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check how shell WebSocket connection is initiated
cat src/components/shell/hooks/useShellConnection.ts

Repository: siteboon/claudecodeui

Length of output: 7442


OSS mode shell connections will fail authentication after removing client token transport.

The client now connects to /shell without any token in the URL or headers (Line 11). However, server/index.js Lines 295–325 (verifyClient) extracts the token from the query string or Authorization header and rejects the connection if authentication fails. Since the shell WebSocket sends neither, authenticateWebSocket(undefined) returns null, causing verifyClient to reject the connection.

This breaks shell functionality in OSS mode. Either restore token transport in the client URL, or implement an alternative auth mechanism (e.g., extract credentials from the WebSocket upgrade request metadata or use a secure session-based approach) on the server.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/components/shell/utils/socket.ts` at line 11, The client WebSocket URL
builder in socket.ts currently returns
`${protocol}//${window.location.host}/shell` with no token, so
server.verifyClient (which calls authenticateWebSocket) receives undefined and
rejects the connection; fix this by restoring token transport from the client
when opening the shell socket—modify the URL builder to append the client token
(e.g., ?token=...) or set an Authorization header on the WebSocket upgrade by
reading the existing client auth helper (e.g., getAuthToken/getClientToken or
localStorage/session) so authenticateWebSocket receives the token;
alternatively, if you prefer a server change, update server/index.js
verifyClient to accept a session-based credential (cookie/session) instead of
requiring a query/header token.

}

export function parseShellMessage(payload: string): ShellIncomingMessage | null {