diff options
author | ThibG <thib@sitedethib.com> | 2019-05-24 15:21:42 +0200 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2019-05-24 15:21:42 +0200 |
commit | d63c3c0cef9ab4e3713c6e4bea28a02f1c1e11a6 (patch) | |
tree | 7ea1070147189090017206a4ff3764e40849589b /app | |
parent | 84dc21d55d8627182ce201baeddb6fbbdf8748c2 (diff) |
Improve streaming server security (#10818)
* Check OAuth token scopes in the streaming API * Use Sec-WebSocket-Protocol instead of query string to pass WebSocket token Inspired by https://github.com/kubevirt/kubevirt/issues/1242
Diffstat (limited to 'app')
-rw-r--r-- | app/javascript/mastodon/stream.js | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/app/javascript/mastodon/stream.js b/app/javascript/mastodon/stream.js index 306a068b7..c4642344f 100644 --- a/app/javascript/mastodon/stream.js +++ b/app/javascript/mastodon/stream.js @@ -71,11 +71,7 @@ export function connectStream(path, pollingRefresh = null, callbacks = () => ({ export default function getStream(streamingAPIBaseURL, accessToken, stream, { connected, received, disconnected, reconnected }) { const params = [ `stream=${stream}` ]; - if (accessToken !== null) { - params.push(`access_token=${accessToken}`); - } - - const ws = new WebSocketClient(`${streamingAPIBaseURL}/api/v1/streaming/?${params.join('&')}`); + const ws = new WebSocketClient(`${streamingAPIBaseURL}/api/v1/streaming/?${params.join('&')}`, accessToken); ws.onopen = connected; ws.onmessage = e => received(JSON.parse(e.data)); |