Skip to content

fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313

Merged
ruvnet merged 1 commit into
ruvnet:mainfrom
erichkusuki:fix/pose-ws-bearer-auth
Jul 14, 2026
Merged

fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313
ruvnet merged 1 commit into
ruvnet:mainfrom
erichkusuki:fix/pose-ws-bearer-auth

Conversation

@erichkusuki

Copy link
Copy Markdown
Contributor

Fixes #1310

What

  • bearer_auth.rs: adds a narrow EXEMPT_PATHS list (/api/v1/stream/pose) checked alongside PROTECTED_PREFIX, plus a regression test asserting the pose-stream WS stays reachable without a token and that the exemption does not leak to other /api/v1/* paths. The existing CWE-598 test (query-string tokens rejected) is untouched.
  • ui/utils/quick-settings.js + ui/style.css: adds an "API Access" section to the QuickSettings panel — a password-type field that stores the bearer token in localStorage and applies it via apiService.setAuthToken() before the first request (with save/clear + status line).

Why

Browsers cannot attach an Authorization header to a WebSocket upgrade, so with RUVIEW_API_TOKEN set the Live Demo pose stream always failed (Failed to start: WebSocket connection failed). /ws/sensing is already exempted for exactly this reason (see the bearer_auth module docs); /api/v1/stream/pose was presumably missed because it sits inside the protected prefix.

Separately, the bundled dashboard had no way to supply the token at all: api.service.js ships setAuthToken() but nothing ever called it, so enabling bearer auth broke every /api/v1/* call from the UI (constant 401s). The two changes together make RUVIEW_API_TOKEN actually usable with the bundled dashboard. Can split the UI part into its own PR if preferred.

Verification

Deployed against a live 2-node ESP32-S3 setup with RUVIEW_API_TOKEN set: token entered via the new Settings field → all REST 401s gone; Live Demo tab connects (LIVE — ESP32 HARDWARE CONNECTED, frames processed, 0 errors). New unit test passes alongside the existing bearer_auth suite; image builds clean via docker/Dockerfile.rust.

🤖 Generated with claude-flow

…add UI token field

Browsers cannot attach an Authorization header to a WebSocket upgrade,
so with RUVIEW_API_TOKEN set the Live Demo pose stream at
/api/v1/stream/pose always failed with 401 — the same reason
/ws/sensing is already exempted (see bearer_auth module docs). Adds a
narrow EXEMPT_PATHS list plus a regression test that the exemption
does not leak to other /api/v1/* paths. Query-string tokens remain
rejected (CWE-598 test untouched).

Also adds an 'API Access' bearer-token field to the QuickSettings
panel: ui/services/api.service.js had setAuthToken() but nothing ever
called it, so enabling RUVIEW_API_TOKEN broke every /api/v1/* call
from the bundled dashboard. The token is stored in localStorage and
applied before the first request.

Fixes ruvnet#1310

Co-Authored-By: claude-flow <ruv@ruv.net>
ruvnet added a commit that referenced this pull request Jul 14, 2026
…r 0.3.4

engine 0.3.1: additive StreamingEngine::set_multistatic_config (#1312)
sensing-server 0.3.4: bearer-auth pose-WS exemption + EngineBridge guard
config threading (#1312, #1313); no public lib API change (engine_bridge
is binary-internal)

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet ruvnet merged commit d59ca00 into ruvnet:main Jul 14, 2026
@ruvnet

ruvnet commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Merged via #1332 — thanks, this makes RUVIEW_API_TOKEN actually usable with the bundled dashboard. One behavioral fix applied on the integration branch: the stored token is now applied at api.service.js module load rather than in QuickSettings.init()initializeServices() and the dashboard tab fire their first /api/v1/* requests before initializeEnhancements() runs, so the first requests on every page load still went out without the Authorization header (transient 401s). The QuickSettings panel keeps the save/clear UI. The pose-WS exemption was kept as-is, matching the /ws/sensing posture; a ticket-based WS auth flow is noted as a candidate follow-up.

pchaganti pushed a commit to pchaganti/ax-ru-view that referenced this pull request Jul 14, 2026
…CHANGELOG

- sdkconfig.defaults.devkitc: header build command idf v5.2 -> v5.4
  (source needs esp_driver_uart, IDF >=5.3 — same reason the PR fixed
  the README refs)
- engine/lib.rs: separate doc comments — set_room_adapter's ADR-150
  adapter/witness doc had merged into set_multistatic_config's doc
- ui: apply stored bearer token at api.service.js module load instead
  of QuickSettings.init — services + dashboard tab dispatch their first
  /api/v1/* requests before initializeEnhancements() runs, so the first
  requests on every load went out without the Authorization header
- CHANGELOG: Unreleased entries for ruvnet#1308/ruvnet#1309/ruvnet#1310

Co-Authored-By: claude-flow <ruv@ruv.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

sensing-server: /api/v1/stream/pose WebSocket is unreachable when RUVIEW_API_TOKEN is set (browsers cannot send Authorization on WS upgrade)

2 participants