Skip to content

feat(server): token-based WebSocket authentication#5531

Merged
chenjiahan merged 5 commits intomainfrom
ws_token_0704
Jul 6, 2025
Merged

feat(server): token-based WebSocket authentication#5531
chenjiahan merged 5 commits intomainfrom
ws_token_0704

Conversation

@chenjiahan
Copy link
Copy Markdown
Member

@chenjiahan chenjiahan commented Jul 4, 2025

Summary

Enhance the security and functionality of the WebSocket across the codebase:

  • Replacing the compilationId mechanism with secure WebSocket tokens.
  • Refactoring the socket server to support token-based communication.
  • Allow Rsbuild plugin to access the token via environmentContext.webSocketToken:
api.modifyRspackConfig((config, { environment }) => {
  console.log(environment.webSocketToken);
});

Related Links

Checklist

  • Tests updated (or not required).
  • Documentation updated (or not required).

Copilot AI review requested due to automatic review settings July 4, 2025 04:00
@netlify
Copy link
Copy Markdown

netlify bot commented Jul 4, 2025
edited
Loading

Deploy Preview for rsbuild ready!

Name Link
🔨 Latest commit d2a2194
🔍 Latest deploy log https://app.netlify.com/projects/rsbuild/deploys/6869f711cf5af700085e3d69
😎 Deploy Preview https://deploy-preview-5531--rsbuild.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse		 1 paths audited
Performance: 76 (🔴 down 1 from production)
Accessibility: 97 (no change from production)
Best Practices: 100 (no change from production)
SEO: 100 (no change from production)
PWA: 60 (no change from production)
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI reviewed Jul 4, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR replaces the previous compilationId mechanism with secure WebSocket tokens for development, updates the server and client to use token-based authentication, and removes obsolete compilation ID utilities.

  • Adds webSocketToken to the environment context and generates it in dev mode.
  • Refactors the socket server and middleware to authenticate and route messages by token.
  • Updates client HMR code to append and respect the new token parameter.

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
packages/core/src/types/hooks.ts Add webSocketToken to EnvironmentContext
packages/core/src/server/socketServer.ts Refactor upgrade, connection tracking, and messaging to use tokens
packages/core/src/server/helper.ts Remove unused getCompilationId helper
packages/core/src/server/compilationMiddleware.ts Update server hooks to use token instead of compilationId
packages/core/src/server/compilationManager.ts Pass environments and tokens into middleware and socket server
packages/core/src/createContext.ts Generate secure WebSocket tokens in dev mode
packages/core/src/client/hmr.ts Append token to HMR URL and remove old compilationId logic
Comments suppressed due to low confidence (2)

packages/core/src/server/socketServer.ts:61

  • Add unit or integration tests for the WebSocket upgrade flow, covering valid and invalid token scenarios to ensure authentication logic behaves as expected.
  public upgrade = (

packages/core/src/types/hooks.ts:225

  • Public API docs (README or type reference) should be updated to reflect the new webSocketToken field and explain its usage in the environment API.
  webSocketToken: string;

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]
cursor bot reviewed Jul 6, 2025
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Compiler Index Mismatch Disables HMR

The setupCompiler function's signature changed to expect an index parameter. However, applyToCompiler may not pass this index, or the passed index (representing the compiler's position) may not consistently match the env.index used for webSocketToken lookup in options.environments. This mismatch or absence of index causes the token lookup to fail, leading setupCompiler to return early and silently disable HMR functionality for the affected compiler(s).

packages/core/src/server/compilationMiddleware.ts#L147-L174

rsbuild/packages/core/src/server/compilationMiddleware.ts

Lines 147 to 174 in d2a2194

const setupCompiler = (compiler: Compiler, index: number) => {
const token = Object.values(options.environments).find(
(env) => env.index === index,
)?.webSocketToken;
if (!token) {
return;
}
if (clientPaths) {
applyHMREntry({
compiler,
clientPaths,
devConfig,
resolvedClientConfig,
token,
});
}
// register hooks for each compilation, update socket stats if recompiled
setupServerHooks({
compiler,
callbacks,
token,
});
};
applyToCompiler(compiler, setupCompiler);

Fix in CursorFix in Web

Bug: WebSocket Token Overwrite Causes Untracked Connections

The SocketServer's sockets Map incorrectly handles multiple WebSocket connections sharing the same webSocketToken. When a new connection with an existing token is established, it overwrites the previous connection in the Map. However, the close handler of the old connection remains active and, upon its closure, removes the new, active connection from the Map. This causes active connections to become untracked, preventing them from receiving HMR/live-reload updates and breaking multi-tab development scenarios.

packages/core/src/server/socketServer.ts#L222-L227

rsbuild/packages/core/src/server/socketServer.ts

Lines 222 to 227 in d2a2194

this.sockets.set(token, connection);
connection.on('close', () => {
this.sockets.delete(token);
});

packages/core/src/server/socketServer.ts#L37-L38

rsbuild/packages/core/src/server/socketServer.ts

Lines 37 to 38 in d2a2194

private readonly sockets: Map<string, Ws> = new Map();

Fix in CursorFix in Web

Was this report helpful? Give feedback by reacting with 👍 or 👎

@chenjiahan chenjiahan merged commit a986484 into main Jul 6, 2025
12 checks passed
@chenjiahan chenjiahan deleted the ws_token_0704 branch July 6, 2025 04:47
This was referenced Jul 6, 2025
Merged
Merged
colinaaa added a commit to lynx-family/lynx-stack that referenced this pull request Jul 8, 2025
@colinaaa
feat: token-based WebSocket authentication
1239ee5 
See: web-infra-dev/rsbuild#5531
@chenjiahan chenjiahan mentioned this pull request Aug 14, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

release: feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chenjiahan