diff --git a/routers/web/web.go b/routers/web/web.go
index 2658f4b40d..6cf209a886 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -593,9 +593,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 }, reqSignOut)
 m.Any("/user/events", routing.MarkLongPolling, events.Events)
- m.Group("", func() {
- m.Get("/-/ws", gitea_websocket.Serve)
- }, reqSignIn)
+ m.Get("/-/ws", gitea_websocket.Serve)
 m.Group("/login/oauth", func() {
 m.Group("", func() {
diff --git a/routers/web/websocket/websocket.go b/routers/web/websocket/websocket.go
index cfa146e347..b4d9619f6d 100644
--- a/routers/web/websocket/websocket.go
+++ b/routers/web/websocket/websocket.go
@@ -1,9 +1,11 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package websocket
 import (
+ "net/http"
+
 "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/services/context"
 "code.gitea.io/gitea/services/pubsub"
@@ -12,8 +14,11 @@ import (
 )
 // Serve handles WebSocket upgrade and event delivery for the signed-in user.
-// Authentication is enforced by the reqSignIn middleware in the router.
 func Serve(ctx *context.Context) {
+ if !ctx.IsSigned {
+ ctx.Status(http.StatusUnauthorized)
+ return
+ }
 conn, err := gitea_ws.Accept(ctx.Resp, ctx.Req, &gitea_ws.AcceptOptions{
 InsecureSkipVerify: false,
 })
diff --git a/services/pubsub/broker.go b/services/pubsub/broker.go
index 9143742489..1a8bef5321 100644
--- a/services/pubsub/broker.go
+++ b/services/pubsub/broker.go
@@ -1,4 +1,4 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package pubsub
diff --git a/services/websocket/notifier.go b/services/websocket/notifier.go
index d8f64ef7d5..2d93ae49ea 100644
--- a/services/websocket/notifier.go
+++ b/services/websocket/notifier.go
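Review bot: With the `reqSignIn` group removed in `routers/web/web.go`, `/-/ws` no longer has any route-level authentication and depends entirely on the `ctx.IsSigned` check added inside `Serve`. If `reqSignIn` enforces more than the signed-in flag (for example account-state restrictions), those checks stop applying to this endpoint; that is not visible in this hunk and should be confirmed against the middleware. A comment on the route would keep the dependency explicit, e.g. `// No reqSignIn here: Serve rejects unauthenticated requests with 401 itself.` The neighbouring `/user/events` route is registered with `routing.MarkLongPolling`; if the WebSocket handler is also long-lived it may warrant the same marker. `registerWebRoutes` starts and ends outside the hunk.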
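Review bot: The doc comment on `Serve` in `routers/web/websocket/websocket.go` loses the sentence saying where authentication is enforced and gets no replacement, although the handler is now the only place that enforces it. I would add `// Serve itself rejects unauthenticated requests with 401 before the upgrade; the route carries no sign-in middleware.` The guard runs once, before `gitea_ws.Accept`; whether a connection is closed when the session later ends cannot be seen here, because the body of `Serve` continues outside the hunk. A handler test asserting that an anonymous request gets 401 and no upgrade would pin the behaviour this change now relies on.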
@@ -1,4 +1,4 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package websocket
diff --git a/web_src/js/features/websocket.sharedworker.ts b/web_src/js/features/websocket.sharedworker.ts
index 491c7f2a07..f8cc635570 100644
--- a/web_src/js/features/websocket.sharedworker.ts
+++ b/web_src/js/features/websocket.sharedworker.ts
@@ -34,7 +34,7 @@ class WsSource {
 const msg = JSON.parse(event.data);
 this.broadcast(msg);
 } catch {
- // ignore malformed JSON
+ console.warn('websocket.sharedworker: received non-JSON message', event.data);
 }
 });
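Review bot: The new `console.warn` in `websocket.sharedworker.ts` writes the whole of `event.data` to the browser console, so any server-sent payload that fails to parse is logged in full and without a size bound. Logging only a bounded summary avoids leaving event content in console output, e.g. `console.warn('websocket.sharedworker: dropped unparseable message, length', String(event.data).length);`. The `catch` also appears to cover `this.broadcast(msg)`, so an exception thrown there would be reported as a non-JSON message; binding the error with `catch (err)` and logging it would make the two cases distinguishable. The enclosing handler and the `WsSource` class start outside the hunk.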