fix(websocket): auth via IsSigned check instead of reqSignIn middleware

reqSignIn sends a 303 redirect which breaks WebSocket upgrade; use the same pattern as /user/events: register the route without middleware and return 401 inside the handler when the user is not signed in. Also fix copyright year to 2026 in all three new Go files and add a console.warn for malformed JSON in the SharedWorker.
2026-04-13 09:35:13 +02:00 · 2026-03-24 10:58:02 +03:00 · 2026-03-24 10:58:02 +03:00 · b47686ce32
commit b47686ce32
parent 1a576b16c1
5 changed files with 11 additions and 8 deletions
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -593,9 +593,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 	}, reqSignOut)

 	m.Any("/user/events", routing.MarkLongPolling, events.Events)
-	m.Group("", func() {
-		m.Get("/-/ws", gitea_websocket.Serve)
-	}, reqSignIn)
+	m.Get("/-/ws", gitea_websocket.Serve)

 	m.Group("/login/oauth", func() {
 		m.Group("", func() {
--- a/routers/web/websocket/websocket.go
+++ b/routers/web/websocket/websocket.go
@ -1,9 +1,11 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

 package websocket

 import (
+	"net/http"
+
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/pubsub"
@ -12,8 +14,11 @@ import (
 )

 // Serve handles WebSocket upgrade and event delivery for the signed-in user.
-// Authentication is enforced by the reqSignIn middleware in the router.
 func Serve(ctx *context.Context) {
+	if !ctx.IsSigned {
+		ctx.Status(http.StatusUnauthorized)
+		return
+	}
 	conn, err := gitea_ws.Accept(ctx.Resp, ctx.Req, &gitea_ws.AcceptOptions{
 		InsecureSkipVerify: false,
 	})
--- a/services/pubsub/broker.go
+++ b/services/pubsub/broker.go
@ -1,4 +1,4 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

 package pubsub
--- a/services/websocket/notifier.go
+++ b/services/websocket/notifier.go
@ -1,4 +1,4 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT

 package websocket
--- a/web_src/js/features/websocket.sharedworker.ts
+++ b/web_src/js/features/websocket.sharedworker.ts
@ -34,7 +34,7 @@ class WsSource {
        const msg = JSON.parse(event.data);
        this.broadcast(msg);
      } catch {
-        // ignore malformed JSON
+        console.warn('websocket.sharedworker: received non-JSON message', event.data);
      }
    });