mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 21:39:54 +02:00
* fix(security): use first-message auth for WebSocket instead of URL query param

  Token was exposed in URL query parameters (HIGH-4 from security audit), visible in server/proxy logs, browser history, and referrer headers.

  Now non-cookie clients (desktop, CLI) send the token as the first WebSocket message after the connection opens. Cookie-based auth (web) continues to work unchanged. Server-side auth priority flipped to cookie-first.

  Closes MUL-580

* fix(security): add auth_ack and fix test JSON construction

  Server sends auth_ack after successful first-message auth so the client knows auth completed before firing reconnect callbacks.

  Test now uses json.Marshal instead of string concatenation for the auth message.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(test): update WebSocket integration test for first-message auth

  The integration test still passed the token as a URL query param, causing a timeout since the server now expects first-message auth for non-cookie clients.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: yushen <ldnvnbl@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
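The handshake the commit message describes, as an added illustration that is not multica's own code: the server checks a session cookie first, rejects any token that arrives in the URL query string (so it never reaches proxy logs or referrer headers), otherwise reads the first message with a deadline, validates the token and replies with auth_ack before the client treats the connection as usable. The message shapes (`{"type":"auth","token":...}` and `{"type":"auth_ack"}`), the cookie name `session`, the token table and the in-memory connection pair standing in for a real WebSocket are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// MessageConn abstracts a message-oriented connection (a WebSocket in practice).
type MessageConn interface {
	ReadMessage(timeout time.Duration) ([]byte, error)
	WriteMessage(b []byte) error
}

// Hypothetical wire shapes for the first-message auth exchange.
type authMessage struct {
	Type  string `json:"type"`
	Token string `json:"token"`
}
type ackMessage struct {
	Type string `json:"type"`
}

var ErrUnauthorized = errors.New("unauthorized")

// Constructed token table: token -> user. Real code would hit a session store.
var tokens = map[string]string{"tok-alice": "alice", "cookie-bob": "bob"}

func lookupToken(tok string) (string, bool) { u, ok := tokens[tok]; return u, ok }

// Authenticate resolves the user for a freshly opened connection.
// Priority: cookie first; a token in the URL query is refused outright;
// otherwise the first message must carry the token, and success is acked.
func Authenticate(r *http.Request, conn MessageConn, cookieName string, timeout time.Duration) (string, error) {
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		if user, ok := lookupToken(c.Value); ok {
			return user, nil
		}
		return "", ErrUnauthorized
	}
	if r.URL.Query().Get("token") != "" {
		return "", ErrUnauthorized // never accept credentials that end up in logs
	}
	raw, err := conn.ReadMessage(timeout) // deadline: an idle unauthenticated socket is dropped
	if err != nil {
		return "", err
	}
	var m authMessage
	if err := json.Unmarshal(raw, &m); err != nil || m.Type != "auth" || m.Token == "" {
		return "", ErrUnauthorized
	}
	user, ok := lookupToken(m.Token)
	if !ok {
		return "", ErrUnauthorized
	}
	ack, _ := json.Marshal(ackMessage{Type: "auth_ack"})
	if err := conn.WriteMessage(ack); err != nil {
		return "", err
	}
	return user, nil
}

// ClientHandshake sends the token as the first message and waits for auth_ack
// before reporting success, so callers (e.g. reconnect callbacks) never run early.
func ClientHandshake(conn MessageConn, token string, timeout time.Duration) error {
	msg, err := json.Marshal(authMessage{Type: "auth", Token: token})
	if err != nil {
		return err
	}
	if err := conn.WriteMessage(msg); err != nil {
		return err
	}
	raw, err := conn.ReadMessage(timeout)
	if err != nil {
		return err
	}
	var ack ackMessage
	if err := json.Unmarshal(raw, &ack); err != nil || ack.Type != "auth_ack" {
		return ErrUnauthorized
	}
	return nil
}

// chanConn is an in-memory stand-in for a WebSocket, built from two channels.
type chanConn struct{ in, out chan []byte }

func (c *chanConn) ReadMessage(timeout time.Duration) ([]byte, error) {
	select {
	case b := <-c.in:
		return b, nil
	case <-time.After(timeout):
		return nil, errors.New("auth timeout")
	}
}
func (c *chanConn) WriteMessage(b []byte) error { c.out <- b; return nil }

// NewConnPair returns the client and server ends of one connection.
func NewConnPair() (client, server *chanConn) {
	c2s, s2c := make(chan []byte, 4), make(chan []byte, 4)
	return &chanConn{in: s2c, out: c2s}, &chanConn{in: c2s, out: s2c}
}

// RunFirstMessageAuth wires a client and server together for a non-cookie client.
func RunFirstMessageAuth(token string) (user string, serverErr, clientErr error) {
	client, server := NewConnPair()
	r, _ := http.NewRequest("GET", "/ws", nil)
	done := make(chan error, 1)
	go func() { done <- ClientHandshake(client, token, 200*time.Millisecond) }()
	user, serverErr = Authenticate(r, server, "session", 200*time.Millisecond)
	clientErr = <-done // on rejection the client sees no ack and times out
	return
}

func main() {
	u, se, ce := RunFirstMessageAuth("tok-alice")
	fmt.Println("good token:", u, se, ce)
	u, se, ce = RunFirstMessageAuth("bogus")
	fmt.Println("bad token:", u, se, ce)
}
```

The client treats anything other than an `auth_ack` frame as failure; in a real deployment the server would also close the socket on rejection rather than leave the client to hit its read deadline.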