Security: Require authentication for all WebSocket and API endpoints

- REST API: All session/code/machine endpoints now require AuthenticatedUser - Viewer WebSocket: Requires JWT token in query params (token=...) - Agent WebSocket: Requires either valid support code OR API key - Dashboard: Passes JWT token when connecting to viewer WS - Native viewer: Passes token in protocol URL and WebSocket connection - Added AGENT_API_KEY env var support for persistent agents - Added get_status() to SupportCodeManager for auth validation This fixes the security vulnerability where unauthenticated agents could connect and appear in the dashboard without any credentials. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-30 06:30:28 -07:00
parent 56a9496f98
commit 4614df04fb
6 changed files with 136 additions and 17 deletions
--- a/agent/src/viewer/transport.rs
+++ b/agent/src/viewer/transport.rs
@@ -66,12 +66,14 @@ impl MessageReceiver {
 }

 /// Connect to the GuruConnect server
-pub async fn connect(url: &str, api_key: &str) -> Result<(WsSender, MessageReceiver)> {
-    // Add API key to URL
-    let full_url = if url.contains('?') {
-        format!("{}&api_key={}", url, api_key)
+pub async fn connect(url: &str, token: &str) -> Result<(WsSender, MessageReceiver)> {
+    // Add auth token to URL
+    let full_url = if token.is_empty() {
+        url.to_string()
+    } else if url.contains('?') {
+        format!("{}&token={}", url, urlencoding::encode(token))
    } else {
-        format!("{}?api_key={}", url, api_key)
+        format!("{}?token={}", url, urlencoding::encode(token))
    };

    debug!("Connecting to {}", full_url);