fix: require ws auth token for remote access by pproenca · Pull Request #23 · pproenca/agent-tui

pproenca · 2026-04-05T10:32:30Z

Restore an authentication gate for the WebSocket RPC transport because the previous change removed token checks and allowed unauthenticated remote clients to invoke privileged RPC methods when the WS server was exposed.

Read AGENT_TUI_API_TOKEN into WsConfig and carry it into runtime state (WsState) in cli/crates/agent-tui-app/src/app/daemon/ws_server.rs.
Require a valid token on WebSocket upgrade in ws_handler, accepting Authorization: Bearer <token> or ?token= / ?access_token= query parameters, and return 401 with an RPC error payload for unauthorized requests.
Enforce at bind time that AGENT_TUI_WS_ALLOW_REMOTE=1 requires AGENT_TUI_API_TOKEN to prevent accidental unauthenticated remote exposure.
Add a regression unit test that verifies the server rejects remote-mode startup when no token is configured.

Ran formatting: cd cli && cargo fmt (succeeded).
Ran unit test: cd cli && cargo test -p agent-tui-app ws_config_reads_ws_env (passed).
Ran regression unit test: cd cli && cargo test -p agent-tui-app bind_listener_requires_token_when_remote_is_allowed (passed).

fix: require ws auth token for remote access

41c066d

pproenca added aardvark codex labels Apr 5, 2026 — with ChatGPT Codex Connector

pproenca added the aardvark label Apr 5, 2026

pproenca closed this Apr 12, 2026

pproenca deleted the codex/propose-fix-for-websocket-rpc-vulnerability branch April 12, 2026 14:42

Provide feedback