From b47686ce321d444e35a5ae610faec1d54ad61411 Mon Sep 17 00:00:00 2001
From: Epid
Date: Tue, 24 Mar 2026 10:58:02 +0300
Subject: [PATCH] fix(websocket): auth via IsSigned check instead of reqSignIn middleware

reqSignIn sends a 303 redirect which breaks WebSocket upgrade; use the same pattern as /user/events: register the route without middleware and return 401 inside the handler when the user is not signed in. Also fix copyright year to 2026 in all three new Go files and add a console.warn for malformed JSON in the SharedWorker.
---
 routers/web/web.go | 4 +---
 routers/web/websocket/websocket.go | 9 +++++++--
 services/pubsub/broker.go | 2 +-
 services/websocket/notifier.go | 2 +-
 web_src/js/features/websocket.sharedworker.ts | 2 +-
 5 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index 2658f4b40d..6cf209a886 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -593,9 +593,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 }, reqSignOut)
 m.Any("/user/events", routing.MarkLongPolling, events.Events)
- m.Group("", func() {
- m.Get("/-/ws", gitea_websocket.Serve)
- }, reqSignIn)
+ m.Get("/-/ws", gitea_websocket.Serve)
 m.Group("/login/oauth", func() {
 m.Group("", func() {
diff --git a/routers/web/websocket/websocket.go b/routers/web/websocket/websocket.go
index cfa146e347..b4d9619f6d 100644
--- a/routers/web/websocket/websocket.go
+++ b/routers/web/websocket/websocket.go
@@ -1,9 +1,11 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package websocket
 import (
+ "net/http"
+
 "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/services/context"
 "code.gitea.io/gitea/services/pubsub"
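Review bot: The bare `m.Get("/-/ws", gitea_websocket.Serve)` carries no hint of why it sits outside `reqSignIn`, so the next maintainer who sees a cookie-authenticated route with no middleware is likely to re-add it and reintroduce the 303-on-upgrade breakage the commit message describes. A one-line comment above the route would preserve the reasoning: `// no reqSignIn here: its 303 redirect breaks the WebSocket upgrade; Serve answers 401 itself (same pattern as /user/events)`. If `reqSignIn` enforces anything beyond `IsSigned` (a must-change-password gate or similar post-login checks), this route no longer receives those checks either; worth confirming against the `/user/events` handler the commit cites as precedent, since it made the same trade. `registerWebRoutes` continues outside the hunk.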
@@ -12,8 +14,11 @@ import (
 )
 // Serve handles WebSocket upgrade and event delivery for the signed-in user.
-// Authentication is enforced by the reqSignIn middleware in the router.
 func Serve(ctx *context.Context) {
+ if !ctx.IsSigned {
+ ctx.Status(http.StatusUnauthorized)
+ return
+ }
 conn, err := gitea_ws.Accept(ctx.Resp, ctx.Req, &gitea_ws.AcceptOptions{
 InsecureSkipVerify: false,
 })
diff --git a/services/pubsub/broker.go b/services/pubsub/broker.go
index 9143742489..1a8bef5321 100644
--- a/services/pubsub/broker.go
+++ b/services/pubsub/broker.go
@@ -1,4 +1,4 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package pubsub
diff --git a/services/websocket/notifier.go b/services/websocket/notifier.go
index d8f64ef7d5..2d93ae49ea 100644
--- a/services/websocket/notifier.go
+++ b/services/websocket/notifier.go
@@ -1,4 +1,4 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2026 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package websocket
diff --git a/web_src/js/features/websocket.sharedworker.ts b/web_src/js/features/websocket.sharedworker.ts
index 491c7f2a07..f8cc635570 100644
--- a/web_src/js/features/websocket.sharedworker.ts
+++ b/web_src/js/features/websocket.sharedworker.ts
@@ -34,7 +34,7 @@ class WsSource {
 const msg = JSON.parse(event.data);
 this.broadcast(msg);
 } catch {
- // ignore malformed JSON
+ console.warn('websocket.sharedworker: received non-JSON message', event.data);
 }
 });
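Review bot: The doc comment on `Serve` lost its authentication sentence when the `reqSignIn` line was deleted, so the 401 path that replaced it is undocumented; the deleted line should be replaced rather than dropped, e.g. `// Unauthenticated requests get 401 here rather than the 303 redirect reqSignIn would send, which breaks the upgrade handshake.` With the route now reachable by any browser-originated request carrying the session cookie, `InsecureSkipVerify: false` on `AcceptOptions` is what keeps the Origin check active and is the defense against cross-site WebSocket hijacking of that cookie session, assuming `gitea_ws` is the coder/nhooyr websocket package; a comment on that line (`// keep Origin verification: this upgrade is cookie-authenticated`) would stop it being relaxed casually. `Serve`'s body continues past the end of the hunk.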
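Review bot: The new `console.warn` in the `catch` discards the parse error itself and prints the whole raw frame, so a large payload produces a noisy line with no indication of what failed, and if the server ever sends a binary frame `event.data` may be a `Blob` or `ArrayBuffer` and the log shows only `[object Blob]`. Binding the error and logging a bounded preview keeps the diagnostic useful: `} catch (err) {` / `console.warn('websocket.sharedworker: received non-JSON message', err, String(event.data).slice(0, 200));`. Since this fires once per malformed message, a misbehaving server or proxy can flood the worker console; tolerable here, but worth knowing when reading logs. The enclosing event-listener callback starts before the hunk.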