Security: Unauthenticated WebSocket endpoint allows connection spoofing

**File**: `app/api/websocket.py`
**Line**: ~12

**Description**:
The WebSocket endpoint `@router.websocket("/ws/{user_id}")` accepts connections without validating any authentication token or session. Any user (or unauthenticated attacker) who knows or can guess a `user_id` can connect to that user's WebSocket stream. This allows connection spoofing and potentially leaks sensitive real-time watch activity, download progress, and recommendation events.

**Impact**: High (Security/Privacy issue). Allows unauthorized viewing of user activity.

**Suggested Fix**:
1. Require a `token` query parameter during the WebSocket connection handshake.
2. Validate the token against the active sessions (e.g., using `validate_token()`).
3. Reject the connection (`await websocket.close(code=1008)`) if the token is missing or invalid.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Unauthenticated WebSocket endpoint allows connection spoofing #25

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security: Unauthenticated WebSocket endpoint allows connection spoofing #25

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions