mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-06 05:49:12 +02:00
* fix(auth): fall back to token-mode WS for users with legacy localStorage token Users who logged in before the cookie-auth migration still have multica_token in localStorage but no multica_auth cookie. Forcing cookieAuth=true for every session caused their WebSocket upgrade to 401 with only workspace_id in the URL. Detect the legacy token at boot and run that session in token mode (Bearer HTTP + URL-param WS). Pure cookie-mode is used only when no legacy token is present, so new users get the intended path and legacy users migrate naturally on their next logout/login cycle (logout already clears multica_token). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs(auth): note sunset plan for legacy-token WS fallback Make the XSS-exposure tradeoff explicit and give future maintainers a concrete signal (<1% of sessions) for when to delete the compat branch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>