changes from code review

SteffenDE · SteffenDE · commit cbb832f1e86e · 2025-02-15T13:08:42.000+01:00
diff --git a/assets/js/phoenix/constants.js b/assets/js/phoenix/constants.js
@@ -27,3 +27,4 @@ export const TRANSPORTS = {
 export const XHR_STATES = {
   complete: 4
 }
+export const AUTH_TOKEN_PREFIX = "base64url.bearer.phx."
diff --git a/assets/js/phoenix/longpoll.js b/assets/js/phoenix/longpoll.js
@@ -1,6 +1,7 @@
 import {
   SOCKET_STATES,
-  TRANSPORTS
+  TRANSPORTS,
+  AUTH_TOKEN_PREFIX
 } from "./constants"
 
 import Ajax from "./ajax"
@@ -17,9 +18,9 @@ export default class LongPoll {
 
   constructor(endPoint, protocols){
     // we only support subprotocols for authToken
-    // ["phoenix", "base64url.bearer.authorization.phx.BASE64_ENCODED_TOKEN"]
-    if (protocols.length === 2 && protocols[1].startsWith("base64url.bearer.authorization.phx.")) {
-      this.authToken = atob(protocols[1].slice("base64url.bearer.authorization.phx.".length))
+    // ["phoenix", "base64url.bearer.phx.BASE64_ENCODED_TOKEN"]
+    if (protocols.length === 2 && protocols[1].startsWith(AUTH_TOKEN_PREFIX)) {
+      this.authToken = atob(protocols[1].slice(AUTH_TOKEN_PREFIX.length))
     }
     this.endPoint = null
     this.token = null
@@ -64,8 +65,8 @@ export default class LongPoll {
 
   poll(){
     const headers = {"Accept": "application/json"}
-    if (this.authToken) {
-      headers["Authorization"] = `Bearer ${this.authToken}`
+    if(this.authToken){
+      headers["X-Phoenix-AuthToken"] = this.authToken
     }
     this.ajax("GET", headers, null, () => this.ontimeout(), resp => {
       if(resp){
diff --git a/assets/js/phoenix/socket.js b/assets/js/phoenix/socket.js
@@ -6,7 +6,8 @@ import {
   DEFAULT_VSN,
   SOCKET_STATES,
   TRANSPORTS,
-  WS_CLOSE_NORMAL
+  WS_CLOSE_NORMAL,
+  AUTH_TOKEN_PREFIX
 } from "./constants"
 
 import {
@@ -352,7 +353,7 @@ export default class Socket {
     // Sec-WebSocket-Protocol based token
     // (longpoll uses Authorization header instead)
     if (this.authToken) {
-      protocols.push(`base64url.bearer.authorization.phx.${btoa(this.authToken).replace(/=/g, "")}`)
+      protocols.push(`${AUTH_TOKEN_PREFIX}${btoa(this.authToken).replace(/=/g, "")}`)
     }
     this.conn = new this.transport(this.endPointURL(), protocols)
     this.conn.binaryType = this.binaryType
diff --git a/assets/test/channel_test.js b/assets/test/channel_test.js
@@ -67,7 +67,7 @@ describe("with transport", function (){
       const socket = new Socket("/socket", {authToken})
       
       socket.connect()
-      expect(socket.conn.protocols).toEqual(["phoenix", "base64url.bearer.authorization.phx.MTIzNA"])
+      expect(socket.conn.protocols).toEqual(["phoenix", "base64url.bearer.phx.MTIzNA"])
     })
   })
 
diff --git a/lib/phoenix/endpoint.ex b/lib/phoenix/endpoint.ex
@@ -846,8 +846,7 @@ defmodule Phoenix.Endpoint do
         * the websocket transport, this enables a token to be passed through the `Sec-WebSocket-Protocol` header.
         * the longpoll transport, this allows the token to be passed through the `Authorization` header.
 
-      The token is available in the `connect_info` as `:auth_token`, which must be separately enabled in the
-      corresponding `websocket` or `longpoll` configurations.
+      The token is available in the `connect_info` as `:auth_token`.
 
       Custom transports might implement their own mechanism.
 
diff --git a/lib/phoenix/socket/transport.ex b/lib/phoenix/socket/transport.ex
@@ -259,6 +259,14 @@ defmodule Phoenix.Socket.Transport do
   def load_config(config) do
     {connect_info, config} = Keyword.pop(config, :connect_info, [])
 
+    connect_info =
+      if config[:auth_token] do
+        # auth_token is included by default when enabled
+        [:auth_token | connect_info]
+      else
+        connect_info
+      end
+
     connect_info =
       Enum.map(connect_info, fn
         key when key in [:peer_data, :trace_context_headers, :uri, :user_agent, :x_headers, :auth_token] ->
@@ -486,7 +494,7 @@ defmodule Phoenix.Socket.Transport do
           {:session, connect_session(conn, endpoint, session, opts)}
 
         :auth_token ->
-          {:auth_token, conn.private[:__phoenix_transport_auth_token]}
+          {:auth_token, conn.private[:phoenix_transport_auth_token]}
 
         {key, val} ->
           {key, val}
diff --git a/lib/phoenix/transports/long_poll.ex b/lib/phoenix/transports/long_poll.ex
@@ -268,12 +268,12 @@ defmodule Phoenix.Transports.LongPoll do
   end
 
   defp maybe_auth_token_from_header(conn, true) do
-    case Plug.Conn.get_req_header(conn, "authorization") do
+    case Plug.Conn.get_req_header(conn, "x-phoenix-authtoken") do
       [] ->
         conn
 
-      ["Bearer " <> token | _] ->
-        Plug.Conn.put_private(conn, :__phoenix_transport_auth_token, token)
+      [token | _] ->
+        Plug.Conn.put_private(conn, :phoenix_transport_auth_token, token)
     end
   end
 
diff --git a/lib/phoenix/transports/websocket.ex b/lib/phoenix/transports/websocket.ex
@@ -17,7 +17,7 @@ defmodule Phoenix.Transports.WebSocket do
 
   @connect_info_opts [:check_csrf]
 
-  @auth_token_prefix "base64url.bearer.authorization.phx."
+  @auth_token_prefix "base64url.bearer.phx."
 
   import Plug.Conn
 
@@ -112,7 +112,7 @@ defmodule Phoenix.Transports.WebSocket do
             token = Base.decode64!(encoded_token, padding: false)
 
             conn
-            |> put_private(:__phoenix_transport_auth_token, token)
+            |> put_private(:phoenix_transport_auth_token, token)
             |> set_actual_subprotocols(actual_subprotocols)
 
           _ ->

Original file line number	Diff line number	Diff line change
`@@ -27,3 +27,4 @@ export const TRANSPORTS = {`
`27`	`27`	`export const XHR_STATES = {`
`28`	`28`	`complete: 4`
`29`	`29`	`}`
	`30`	`+export const AUTH_TOKEN_PREFIX = "base64url.bearer.phx."`