feat(middleware): support ?token= query param fallback for browser WebSocket auth

This commit is contained in:
2026-05-07 17:30:10 +08:00
parent 70ffddb76c
commit b22aacee62
+11 -3
View File
@@ -99,11 +99,19 @@ func UserIDFromContext(ctx context.Context) (uuid.UUID, bool) {
// prefix; case-insensitive matching is intentionally NOT performed
// because RFC 6750 specifies the literal "Bearer" scheme name and being
// strict here keeps the parsing surface small.
//
// As a fallback, ?token= query parameter is accepted for endpoints that
// cannot send custom headers (notably browser-native WebSocket connections).
// Callers must keep token lifetimes short so the URL-borne token is not a
// long-lived secret should it be logged by intermediaries.
func extractBearer(r *http.Request) string {
h := r.Header.Get("Authorization")
const prefix = "Bearer "
if !strings.HasPrefix(h, prefix) {
return ""
}
if strings.HasPrefix(h, prefix) {
return strings.TrimSpace(h[len(prefix):])
}
if q := r.URL.Query().Get("token"); q != "" {
return q
}
return ""
}