WS auth middleware: validate session on upgrade #34

Open
opened 2026-04-19 07:23:36 +00:00 by forgejo-lila · 0 comments

Context

WebSocket connections must be authenticated. The session cookie is sent during the HTTP upgrade handshake.

What to do

Validate Better Auth session during WebSocket upgrade. Reject unauthenticated connections.

Files to create/change

  • apps/api/src/ws/auth.ts — new file. Extract and validate session from upgrade request.
  • apps/api/src/ws/index.ts — call auth during upgrade event.

Implementation outline

import type { IncomingMessage } from 'node:http';
import { fromNodeHeaders } from 'better-auth/node';
import { auth } from '../lib/auth.js';

// Resolve the Better Auth session for a WebSocket upgrade request.
// The upgrade request is a raw Node IncomingMessage (no Express wrapper), so its
// headers are converted to a Fetch Headers object before calling getSession().
export async function authenticateWs(request: IncomingMessage) {
  const session = await auth.api.getSession({
    headers: fromNodeHeaders(request.headers),
  });
  return session; // null if not authenticated
}

Acceptance criteria

  • Unauthenticated upgrade requests rejected with 401
  • Authenticated connections have user/session info attached
  • Cookie-based session works across subdomains (COOKIE_DOMAIN=.lilastudy.com)
  • Unit tests for the auth function
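Added example, not code from this issue or the lila repository: an upgrade-time authenticator that covers the outline above plus the 401 acceptance criterion, and adds one check the issue does not ask for, an Origin allowlist (the browser attaches the session cookie to a cross-site upgrade automatically, so without it any page a logged-in user visits could open an authenticated socket). `getSession` is a parameter standing in for `auth.api.getSession`, `toFetchHeaders` stands in for `fromNodeHeaders`, and `ALLOWED_ORIGINS`, the `WsSession` shape and the `rejectUpgrade` helper are assumptions so the file runs without Better Auth installed.

```typescript
// Added example (not the project's code): authenticate a WebSocket upgrade from the
// session cookie and answer failures with a real HTTP status on the raw socket.
// Assumptions: `getSession` replaces better-auth's auth.api.getSession, `toFetchHeaders`
// replaces its fromNodeHeaders, ALLOWED_ORIGINS and WsSession are invented for the demo.
import type { IncomingMessage } from 'node:http';
import type { Duplex } from 'node:stream';

export interface WsSession {
  user: { id: string; email: string };
  session: { id: string; expiresAt: Date };
}
export type GetSession = (headers: Headers) => Promise<WsSession | null>;

// Browser origins allowed to open a socket (assumed values). Requests without an
// Origin header come from non-browser clients, which cannot be CSWSH victims, and
// are allowed through to the cookie check.
export const ALLOWED_ORIGINS = new Set(['https://app.lilastudy.com', 'https://lilastudy.com']);

// Node IncomingHttpHeaders -> Fetch Headers, the shape getSession() consumes.
export function toFetchHeaders(raw: IncomingMessage['headers']): Headers {
  const h = new Headers();
  for (const [name, value] of Object.entries(raw)) {
    if (value === undefined) continue;
    if (Array.isArray(value)) for (const v of value) h.append(name, v);
    else h.set(name, value);
  }
  return h;
}

// Write a minimal HTTP response on the not-yet-upgraded socket and close it.
// In `server.on('upgrade')` no response has been sent yet, so this is the only
// way to return a status code to the client.
export function rejectUpgrade(socket: Duplex, status: number, reason: string): void {
  socket.write(`HTTP/1.1 ${status} ${reason}\r\nConnection: close\r\nContent-Length: 0\r\n\r\n`);
  socket.destroy();
}

// Returns the session to attach to the connection, or null after rejecting.
export async function authenticateUpgrade(
  request: IncomingMessage,
  socket: Duplex,
  getSession: GetSession,
): Promise<WsSession | null> {
  const origin = request.headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    rejectUpgrade(socket, 403, 'Forbidden');
    return null;
  }

  let session: WsSession | null;
  try {
    session = await getSession(toFetchHeaders(request.headers));
  } catch {
    // A failing session store must fail closed, not let the socket through.
    rejectUpgrade(socket, 503, 'Service Unavailable');
    return null;
  }

  if (session === null || session.session.expiresAt.getTime() <= Date.now()) {
    rejectUpgrade(socket, 401, 'Unauthorized');
    return null;
  }
  return session;
}
```

In `apps/api/src/ws/index.ts` this would be called from the HTTP server's `upgrade` handler with `(h) => auth.api.getSession({ headers: h })` as the lookup; only when it returns non-null does the handler go on to `wss.handleUpgrade(...)` and emit `connection` with the session alongside the socket, which is what "user/session info attached" amounts to. The `WsSession` shape is assumed to match what `getSession` returns; check it against the actual return type when wiring this in.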

Notes

Reference: apps/api/src/middleware/authMiddleware.ts uses same auth.api.getSession() pattern but with Express Request. WebSocket version uses raw IncomingMessage headers.

forgejo-lila added the multiplayer label 2026-04-19 07:23:36 +00:00
Reference: forgejo-lila/lila#34