Skip to content
Tests

fix: send terminal auth via first WebSocket message instead of URL query param #731

Sign in to view logs

fix: send terminal auth via first WebSocket message instead of URL query param

fix: send terminal auth via first WebSocket message instead of URL query param #731

Triggered via pull request February 16, 2026 22:50
@grichagricha
synchronize #170
fix/terminal-websocket-auth
Status Success
Total duration 6m 34s
Artifacts 5

test.yml

on: pull_request
build
34s
build
docker
1m 15s
docker
lint
21s
lint
binary
15s
binary
test-unit
21s
test-unit
e2e
3m 19s
e2e
Matrix: test
Fit to window
Zoom out
Zoom in

Annotations

1 error and 3 warnings
WebSocket upgrade allowed without authentication: src/agent/run.ts#L154
The terminal WebSocket endpoint allows upgrade before authentication. While deferred auth happens in the handler, this creates a window where unauthenticated WebSocket connections exist. The connection can be upgraded (line 161) even when authResult.ok is false, allowing unauthenticated clients to establish WebSocket connections that are only closed later in the handler.
e2e
No files were found with the provided path: playwright-report/. No artifacts will be uploaded.
Authentication token sent over unencrypted WebSocket connection: mobile/scripts/bundle-terminal.ts#L103
The auth token is sent via WebSocket message without enforcing TLS/WSS. If users connect via ws:// instead of wss://, the token is transmitted in cleartext and can be intercepted by network attackers.
Authentication mismatch with PR description: src/agent/run.ts#L148
PR description states tokens are passed via query param (?token=), but the actual implementation uses WebSocket message-based authentication (auth.ts shows only Authorization header support, terminal handler expects auth messages). This inconsistency suggests either incomplete implementation or misleading documentation. If query params were intended but not implemented, tokens could be logged in server access logs, proxy logs, and browser history.

Artifacts

Produced during runtime
Name Size Digest
dist Expired
39.4 MB
sha256:8fb24f9ff317aa0502d8b28883bf48cb92d5afae0dfe9ceca97b043ec434bd07
docker-image Expired
1.09 GB
sha256:35be4682979381bbb559af44f825f0537bf1a10f2b4162c1e77fabf7e892ca22
gricha~perry~939IOE.dockerbuild
41.6 KB
sha256:1bd3460185bd08943eac575cbff2a3b466d44bd309164bd90e357dc098531d5f
gricha~perry~NITKVX.dockerbuild
70.9 KB
sha256:9edf9e7ad997b13f3243a80665384b7592c04896201a85f3acc19be0d1a8572c
playwright-report Expired
196 KB
sha256:bdc1ab01e06ee2eca5b59535d96c27fd121539b385b7bb6dbd9dd1148d3bf9f1