[C1] Secrets/tokens in WebSocket URL query strings #10

Open
opened 2026-06-05 17:34:55 -07:00 by azcomputerguru · 0 comments

Severity: Critical

Component(s): agent + dashboard

Affected file(s):

  • agent/src/transport/websocket.rs (+ session/mod.rs, viewer/transport.rs, install.rs)
  • dashboard/src/features/sessions/JoinSessionModal.tsx (buildViewerUrl)

Problem:
The agent api_key/cak_/support_code/machine_uid and the dashboard session-scoped viewer token travel in WebSocket URL query strings. These are logged by proxies, the relay, and browser history even over wss. Both Gemini and Grok flagged this #1 on both surfaces. This is partly by current design (guru-connect CLAUDE.md mandates the viewer token in a query param), so the fix starts with changing that spec rule.

Recommended fix:
Move auth out of the URL into the first post-connect protobuf frame, or into the Sec-WebSocket-Protocol header.

Remediation phase: P1 (SPEC-020)

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C1) and REMEDIATION-PLAN.md (P1).
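As an added example (not guru-connect's own code) of the recommended fix on the dashboard side, with hypothetical names throughout (relay host, path layout, the `guru-connect.v1` subprotocol and the `auth.` prefix): the query-string form the issue describes beside a form that carries the viewer token in `Sec-WebSocket-Protocol`, plus the relay-side handshake that recovers it.

```typescript
// Added example, not guru-connect code. Tokens are assumed to be ASCII.
export interface ViewerConnect {
  url: string;         // safe to log: carries no credential
  protocols: string[]; // sent in the Sec-WebSocket-Protocol request header
}

const SUBPROTOCOL_VERSION = "guru-connect.v1"; // hypothetical
const AUTH_PREFIX = "auth.";                    // hypothetical

// RFC 6455 subprotocol names are HTTP tokens ('=', '/', '+' not allowed),
// so the secret is hex-encoded; base64url would work equally well.
function toHex(s: string): string {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
function fromHex(h: string): string | null {
  if (!/^(?:[0-9a-f]{2})+$/.test(h)) return null;
  return String.fromCharCode(...(h.match(/../g) ?? []).map((p) => parseInt(p, 16)));
}

// Weak pattern (what the issue reports): the token is part of the URL, so
// proxies, the relay access log and browser history all record it.
export function buildViewerUrlWeak(relay: string, sessionId: string, token: string): string {
  const u = new URL(`wss://${relay}/viewer/${encodeURIComponent(sessionId)}`);
  u.searchParams.set("token", token);
  return u.toString();
}

// Hardened pattern: no query string at all; the token rides in the subprotocol
// list. Browsers cannot set an Authorization header on a WebSocket, which is
// why the subprotocol header is the usual carrier.
export function buildViewerConnect(relay: string, sessionId: string, token: string): ViewerConnect {
  const url = `wss://${relay}/viewer/${encodeURIComponent(sessionId)}`;
  return { url, protocols: [SUBPROTOCOL_VERSION, AUTH_PREFIX + toHex(token)] };
}

// Relay-side handshake: recover the token and choose the subprotocol to echo.
// Only the version name is echoed; echoing the auth entry would put the
// secret into the response headers.
export function acceptHandshake(offered: string[]): { token: string; select: string } | null {
  const auth = offered.find((p) => p.startsWith(AUTH_PREFIX));
  if (!auth || !offered.includes(SUBPROTOCOL_VERSION)) return null;
  const token = fromHex(auth.slice(AUTH_PREFIX.length));
  if (token === null) return null;
  return { token, select: SUBPROTOCOL_VERSION };
}

// Guard for unit tests / CI: a viewer connect URL must carry no query string.
export function urlCarriesQuery(url: string): boolean {
  return new URL(url).search.length > 0;
}
```

The same carrier works for the agent's handshake, since a native client can set the `Sec-WebSocket-Protocol` request header directly; the relay must still treat that header as sensitive in its own logging.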


Reference: azcomputerguru/guru-connect#10