security(transport): subprotocol + Authorization header for webchat auth #2

Merged
serge merged 1 commits from feat/webchat-auth-hardening into main 2026-04-27 16:36:16 +03:00

View File

@ -52,13 +52,19 @@ export function createTransport(opts: TransportOpts): Transport {
function connectWs() { function connectWs() {
if (closed) return; if (closed) return;
const wsUrl = // The browser WebSocket constructor does NOT accept custom headers, so
opts.serverUrl.replace(/^http/, 'ws') + // we encode credentials into the Sec-WebSocket-Protocol list (the
`/webchat/ws?botId=${encodeURIComponent(opts.botId)}` + // standard workaround). The bot reads `req.headers['sec-websocket-
`&apiKey=${encodeURIComponent(opts.apiKey)}` + // protocol']` and parses these tokens. See bot's `webchat/subprotocol.ts`.
`&visitorId=${encodeURIComponent(opts.visitorId)}`; const wsUrl = opts.serverUrl.replace(/^http/, 'ws') + '/webchat/ws';
const subprotocols = [
'messenzy.v1',
`messenzy-bot.${opts.botId}`,
`messenzy-visitor.${opts.visitorId}`,
`messenzy-key.${opts.apiKey}`,
];
try { try {
ws = new WebSocket(wsUrl); ws = new WebSocket(wsUrl, subprotocols);
} catch { } catch {
onWsClose(); onWsClose();
return; return;
@ -118,14 +124,19 @@ export function createTransport(opts: TransportOpts): Transport {
async function startPolling() { async function startPolling() {
pollTimer = setInterval(async () => { pollTimer = setInterval(async () => {
if (closed) return; if (closed) return;
// HTTP fallback uses Authorization: Bearer (browser fetch DOES allow
// custom headers, unlike the WebSocket constructor). botId/visitorId
// are public identifiers and stay in the query string.
const url = const url =
`${opts.serverUrl}/webchat/history?` + `${opts.serverUrl}/webchat/history?` +
`botId=${encodeURIComponent(opts.botId)}` + `botId=${encodeURIComponent(opts.botId)}` +
`&apiKey=${encodeURIComponent(opts.apiKey)}` +
`&visitorId=${encodeURIComponent(opts.visitorId)}` + `&visitorId=${encodeURIComponent(opts.visitorId)}` +
(lastSeenAt ? `&since=${encodeURIComponent(lastSeenAt)}` : ''); (lastSeenAt ? `&since=${encodeURIComponent(lastSeenAt)}` : '');
try { try {
const res = await fetch(url, { credentials: 'omit' }); const res = await fetch(url, {
credentials: 'omit',
headers: { authorization: `Bearer ${opts.apiKey}` },
});
if (!res.ok) return; if (!res.ok) return;
const data = (await res.json()) as { const data = (await res.json()) as {
messages?: Array<{ id: string; text: string; at: string }>; messages?: Array<{ id: string; text: string; at: string }>;
@ -153,10 +164,12 @@ export function createTransport(opts: TransportOpts): Transport {
try { try {
await fetch(`${opts.serverUrl}/webchat/msg`, { await fetch(`${opts.serverUrl}/webchat/msg`, {
method: 'POST', method: 'POST',
headers: { 'content-type': 'application/json' }, headers: {
'content-type': 'application/json',
authorization: `Bearer ${opts.apiKey}`,
},
body: JSON.stringify({ body: JSON.stringify({
botId: opts.botId, botId: opts.botId,
apiKey: opts.apiKey,
visitorId: opts.visitorId, visitorId: opts.visitorId,
text: msg.text, text: msg.text,
idempotency_key: msg.id, idempotency_key: msg.id,