fix: access token handling (#1512)

edgurgel · web-flow · commit 4f8984dc52ff · 2025-08-29T13:49:41.000+12:00
diff --git a/lib/realtime_web/channels/realtime_channel.ex b/lib/realtime_web/channels/realtime_channel.ex
@@ -538,19 +538,15 @@ defmodule RealtimeWeb.RealtimeChannel do
     end
   end
 
-  defp assign_access_token(%{assigns: %{headers: headers}} = socket, params) do
+  defp assign_access_token(%{assigns: %{tenant_token: tenant_token}} = socket, params) do
     access_token = Map.get(params, "access_token") || Map.get(params, "user_token")
-    {_, header} = Enum.find(headers, {nil, nil}, fn {k, _} -> k == "x-api-key" end)
 
     case access_token do
-      nil -> assign(socket, :access_token, header)
-      "sb_" <> _ -> assign(socket, :access_token, header)
+      "sb_" <> _ -> assign(socket, :access_token, tenant_token)
       _ -> handle_access_token(socket, params)
     end
   end
 
-  defp assign_access_token(socket, params), do: handle_access_token(socket, params)
-
   defp handle_access_token(%{assigns: %{tenant_token: _tenant_token}} = socket, %{"user_token" => user_token})
        when is_binary(user_token) do
     assign(socket, :access_token, user_token)
diff --git a/mix.exs b/mix.exs
@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do
   def project do
     [
       app: :realtime,
-      version: "2.43.1",
+      version: "2.43.2",
       elixir: "~> 1.17.3",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,
diff --git a/test/realtime_web/channels/realtime_channel_test.exs b/test/realtime_web/channels/realtime_channel_test.exs
@@ -523,13 +523,71 @@ defmodule RealtimeWeb.RealtimeChannelTest do
   end
 
   describe "API Key validations" do
-    test "api_key has not expired", %{tenant: tenant} do
+    test "x-api-key header has not expired", %{tenant: tenant} do
       api_key = Generators.generate_jwt_token(tenant)
       {:ok, %Socket{} = socket} = connect(UserSocket, %{"log_level" => "warning"}, conn_opts(tenant, api_key))
 
       assert {:ok, _, %Socket{}} = subscribe_and_join(socket, "realtime:test", %{})
     end
 
+    test "apikey param has not expired", %{tenant: tenant} do
+      api_key = Generators.generate_jwt_token(tenant)
+
+      conn_opts = [
+        connect_info: %{
+          uri: URI.parse("https://#{tenant.external_id}.localhost:4000/socket/websocket"),
+          x_headers: []
+        }
+      ]
+
+      {:ok, %Socket{} = socket} = connect(UserSocket, %{"log_level" => "warning", "apikey" => api_key}, conn_opts)
+
+      assert {:ok, _, %Socket{} = socket} = subscribe_and_join(socket, "realtime:test", %{})
+      assert socket.assigns.access_token == api_key
+    end
+
+    test "join with access_token starting with sb_", %{tenant: tenant} do
+      api_key = Generators.generate_jwt_token(tenant)
+      {:ok, %Socket{} = socket} = connect(UserSocket, %{"log_level" => "warning"}, conn_opts(tenant, api_key))
+
+      assert {:ok, _, %Socket{} = socket} =
+               subscribe_and_join(socket, "realtime:test", %{"access_token" => "sb_something"})
+
+      assert socket.assigns.access_token == api_key
+    end
+
+    test "join with user_token starting with sb_", %{tenant: tenant} do
+      api_key = Generators.generate_jwt_token(tenant)
+      {:ok, %Socket{} = socket} = connect(UserSocket, %{"log_level" => "warning"}, conn_opts(tenant, api_key))
+
+      assert {:ok, _, %Socket{} = socket} =
+               subscribe_and_join(socket, "realtime:test", %{"user_token" => "sb_something"})
+
+      assert socket.assigns.access_token == api_key
+    end
+
+    test "join with access_token", %{tenant: tenant} do
+      api_key = Generators.generate_jwt_token(tenant)
+      access_token = Generators.generate_jwt_token(tenant)
+      {:ok, %Socket{} = socket} = connect(UserSocket, %{"log_level" => "warning"}, conn_opts(tenant, api_key))
+
+      assert {:ok, _, %Socket{} = socket} =
+               subscribe_and_join(socket, "realtime:test", %{"access_token" => access_token})
+
+      assert socket.assigns.access_token == access_token
+    end
+
+    test "join with user_token", %{tenant: tenant} do
+      api_key = Generators.generate_jwt_token(tenant)
+      user_token = Generators.generate_jwt_token(tenant)
+      {:ok, %Socket{} = socket} = connect(UserSocket, %{"log_level" => "warning"}, conn_opts(tenant, api_key))
+
+      assert {:ok, _, %Socket{} = socket} =
+               subscribe_and_join(socket, "realtime:test", %{"user_token" => user_token})
+
+      assert socket.assigns.access_token == user_token
+    end
+
     test "api_key has expired", %{tenant: tenant} do
       assert capture_log(fn ->
                api_key =
@@ -688,13 +746,12 @@ defmodule RealtimeWeb.RealtimeChannelTest do
     assert [{_, ^transport_pid_1}] = Registry.lookup(RealtimeWeb.SocketDisconnect.Registry, tenant.external_id)
   end
 
-  defp conn_opts(tenant, token, params \\ %{}) do
+  defp conn_opts(tenant, token) do
     [
       connect_info: %{
         uri: URI.parse("https://#{tenant.external_id}.localhost:4000/socket/websocket"),
         x_headers: [{"x-api-key", token}]
-      },
-      params: params
+      }
     ]
   end
 

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do`
`4`	`4`	`def project do`
`5`	`5`	`[`
`6`	`6`	`app: :realtime,`
`7`		`- version: "2.43.1",`
	`7`	`+ version: "2.43.2",`
`8`	`8`	`elixir: "~> 1.17.3",`
`9`	`9`	`elixirc_paths: elixirc_paths(Mix.env()),`
`10`	`10`	`start_permanent: Mix.env() == :prod,`