feat(auth): implement token-based authentication between server and b… #6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ridge This commit implements a comprehensive token-based authentication system to secure WebSocket connections between the server API and bridge clients (macOS, Windows, and Python). Server-side changes: - Add apiToken, tokenCreatedAt, and tokenLastUsedAt fields to OBSInstance model - Create AuthService for token generation, validation, and revocation - Update OBSGateway to validate tokens on WebSocket connection - Add token management API endpoints (generate, revoke, info) - Reject unauthenticated connections with appropriate error codes (4001, 4002) Bridge-side changes (macOS): - Add authToken field to AppSettings with UserDefaults persistence - Update WebsiteWebSocketClient to include token in connection URL - Add authToken to OBSProfile model for multi-profile support - Update validation to require authentication token Configuration: - Update .env.example with AUTH_TOKEN documentation - Create comprehensive AUTHENTICATION.md guide Security features: - 32-byte cryptographically secure random tokens (base64url encoded) - Token usage tracking with timestamps - Token revocation capability - Connection-level authentication before message processing Breaking change: All bridge clients must now provide a valid authentication token to connect to the server. Existing deployments require: 1. Running database migration 2. Generating tokens for each instance 3. Updating bridge client configurations Closes authentication security gap identified in initial codebase review. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
There was a problem hiding this comment.
Pull Request Overview
This PR implements token-based authentication for WebSocket connections between the server API and bridge clients to secure the system against unauthorized access. The authentication system uses cryptographically secure 32-byte tokens that are validated on connection and tracked for usage monitoring.
Key changes:
- Server-side token generation, validation, and revocation system with database persistence
- Connection-level authentication in WebSocket gateway with custom close codes for auth failures
- Bridge client updates (macOS app) to include tokens in connection URLs and configuration
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| server-api/src/obs/obs.module.ts | Adds AuthService to module providers and exports |
| server-api/src/obs/obs.gateway.ts | Implements token validation on WebSocket connections and authenticates clients before processing messages |
| server-api/src/obs/obs-admin.controller.ts | Adds three token management endpoints (generate, revoke, info) |
| server-api/src/obs/auth.service.ts | New service implementing token generation, validation, extraction, and revocation |
| server-api/prisma/schema.prisma | Adds apiToken, tokenCreatedAt, and tokenLastUsedAt fields to OBSInstance model |
| server-api/prisma/migrations/20251021174330_add_auth_token/migration.sql | Database migration adding authentication fields and indexes |
| bridge/OBSBridge/WebsiteWebSocketClient.swift | Updates connection logic to append auth token as query parameter |
| bridge/OBSBridge/OBSProfile.swift | Adds authToken field to profile configuration with validation |
| bridge/OBSBridge/AppSettings.swift | Adds authToken property with UserDefaults persistence and validation |
| AUTHENTICATION.md | Comprehensive documentation covering setup, API usage, security practices, and troubleshooting |
| .env.example | Documents AUTH_TOKEN environment variable requirement |
Comment on lines
+3
to
+4
| ALTER TABLE "obs_instances" ADD COLUMN "tokenCreatedAt" DATETIME; | ||
| ALTER TABLE "obs_instances" ADD COLUMN "tokenLastUsedAt" DATETIME; |
There was a problem hiding this comment.
The migration uses SQLite's DATETIME type, but the schema.prisma file is configured for PostgreSQL (the connector is likely 'postgresql'). PostgreSQL uses TIMESTAMP or TIMESTAMPTZ for datetime fields. This type mismatch will cause migration failures in PostgreSQL databases. Change DATETIME to TIMESTAMP to match Prisma's DateTime mapping for PostgreSQL.
Suggested change
| ALTER TABLE "obs_instances" ADD COLUMN "tokenCreatedAt" DATETIME; | |
| ALTER TABLE "obs_instances" ADD COLUMN "tokenLastUsedAt" DATETIME; | |
| ALTER TABLE "obs_instances" ADD COLUMN "tokenCreatedAt" TIMESTAMP; | |
| ALTER TABLE "obs_instances" ADD COLUMN "tokenLastUsedAt" TIMESTAMP; |
|
|
||
| return { valid: true, instance }; | ||
| } catch (error) { | ||
| console.error('Token validation error:', error); |
There was a problem hiding this comment.
Using console.error directly instead of NestJS's Logger service is inconsistent with logging practices used elsewhere in the codebase. Replace with this.logger.error('Token validation error:', error) after adding a Logger instance to the class, matching the pattern used in obs.gateway.ts.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…ridge
This commit implements a comprehensive token-based authentication system to secure WebSocket connections between the server API and bridge clients (macOS, Windows, and Python).
Server-side changes:
Bridge-side changes (macOS):
Configuration:
Security features:
Breaking change: All bridge clients must now provide a valid authentication token to connect to the server. Existing deployments require:
Closes authentication security gap identified in initial codebase review.
🤖 Generated with Claude Code