fix(sensing-server): exempt /api/v1/stream/pose WS from bearer auth + UI token field (#1310)#1313
Merged
Merged
Conversation
…add UI token field Browsers cannot attach an Authorization header to a WebSocket upgrade, so with RUVIEW_API_TOKEN set the Live Demo pose stream at /api/v1/stream/pose always failed with 401 — the same reason /ws/sensing is already exempted (see bearer_auth module docs). Adds a narrow EXEMPT_PATHS list plus a regression test that the exemption does not leak to other /api/v1/* paths. Query-string tokens remain rejected (CWE-598 test untouched). Also adds an 'API Access' bearer-token field to the QuickSettings panel: ui/services/api.service.js had setAuthToken() but nothing ever called it, so enabling RUVIEW_API_TOKEN broke every /api/v1/* call from the bundled dashboard. The token is stored in localStorage and applied before the first request. Fixes ruvnet#1310 Co-Authored-By: claude-flow <ruv@ruv.net>
Owner
|
Merged via #1332 — thanks, this makes |
pchaganti
pushed a commit
to pchaganti/ax-ru-view
that referenced
this pull request
Jul 14, 2026
…CHANGELOG - sdkconfig.defaults.devkitc: header build command idf v5.2 -> v5.4 (source needs esp_driver_uart, IDF >=5.3 — same reason the PR fixed the README refs) - engine/lib.rs: separate doc comments — set_room_adapter's ADR-150 adapter/witness doc had merged into set_multistatic_config's doc - ui: apply stored bearer token at api.service.js module load instead of QuickSettings.init — services + dashboard tab dispatch their first /api/v1/* requests before initializeEnhancements() runs, so the first requests on every load went out without the Authorization header - CHANGELOG: Unreleased entries for ruvnet#1308/ruvnet#1309/ruvnet#1310 Co-Authored-By: claude-flow <ruv@ruv.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1310
What
bearer_auth.rs: adds a narrowEXEMPT_PATHSlist (/api/v1/stream/pose) checked alongsidePROTECTED_PREFIX, plus a regression test asserting the pose-stream WS stays reachable without a token and that the exemption does not leak to other/api/v1/*paths. The existing CWE-598 test (query-string tokens rejected) is untouched.ui/utils/quick-settings.js+ui/style.css: adds an "API Access" section to the QuickSettings panel — a password-type field that stores the bearer token inlocalStorageand applies it viaapiService.setAuthToken()before the first request (with save/clear + status line).Why
Browsers cannot attach an
Authorizationheader to a WebSocket upgrade, so withRUVIEW_API_TOKENset the Live Demo pose stream always failed (Failed to start: WebSocket connection failed)./ws/sensingis already exempted for exactly this reason (see the bearer_auth module docs);/api/v1/stream/posewas presumably missed because it sits inside the protected prefix.Separately, the bundled dashboard had no way to supply the token at all:
api.service.jsshipssetAuthToken()but nothing ever called it, so enabling bearer auth broke every/api/v1/*call from the UI (constant 401s). The two changes together makeRUVIEW_API_TOKENactually usable with the bundled dashboard. Can split the UI part into its own PR if preferred.Verification
Deployed against a live 2-node ESP32-S3 setup with
RUVIEW_API_TOKENset: token entered via the new Settings field → all REST 401s gone; Live Demo tab connects (LIVE — ESP32 HARDWARE CONNECTED, frames processed, 0 errors). New unit test passes alongside the existing bearer_auth suite; image builds clean viadocker/Dockerfile.rust.🤖 Generated with claude-flow