author | ThibG <thib@sitedethib.com> | 2019-05-24 15:21:42 +0200 |
---|---|---|
committer | multiple creatures <dev@multiple-creature.party> | 2019-11-19 13:43:02 -0600 |
commit | 64a68bf2ea2d750894e55ab1b0f8024466e6f8ad (patch) | |
tree | 74a8e15bcf9a5717ed0bd189cd4749671039f2f5 /app | |
parent | 7952281bbb3b79884a73a6dd5f141469f5c42153 (diff) |
Improve streaming server security (#10818)
* Check OAuth token scopes in the streaming API
* Use Sec-WebSocket-Protocol instead of query string to pass WebSocket token

Inspired by https://github.com/kubevirt/kubevirt/issues/1242
Diffstat (limited to 'app')
-rw-r--r-- | app/javascript/mastodon/stream.js | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/app/javascript/mastodon/stream.js b/app/javascript/mastodon/stream.js
index 306a068b7..c4642344f 100644
--- a/app/javascript/mastodon/stream.js
+++ b/app/javascript/mastodon/stream.js
@@ -71,11 +71,7 @@ export function connectStream(path, pollingRefresh = null, callbacks = () => ({
 export default function getStream(streamingAPIBaseURL, accessToken, stream, { connected, received, disconnected, reconnected }) {
 const params = [ `stream=${stream}` ];
- if (accessToken !== null) {
- params.push(`access_token=${accessToken}`);
- }
-
- const ws = new WebSocketClient(`${streamingAPIBaseURL}/api/v1/streaming/?${params.join('&')}`);
+ const ws = new WebSocketClient(`${streamingAPIBaseURL}/api/v1/streaming/?${params.join('&')}`, accessToken);
 ws.onopen = connected;
 ws.onmessage = e => received(JSON.parse(e.data)); |
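Review bot: The removed `if (accessToken !== null)` guard has no replacement, so the new `new WebSocketClient(url, accessToken)` call passes a null token straight into the protocols argument. WebSocketClient's handling of null is not visible in this hunk; a browser WebSocket would likely stringify it and offer `null` as a subprotocol, which the server then has to tell apart from a real credential. Keeping the guard costs one line: `const ws = accessToken === null ? new WebSocketClient(url) : new WebSocketClient(url, accessToken);` (with `url` standing for the existing template string). A subprotocol value must also be a valid RFC 6455 token, so a comment stating that access tokens contain no separators or whitespace would document the assumption this call relies on. getStream's body continues past the end of the hunk.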