Skip to content

fix(relay): route WebSocket auth by request domain#2386

Merged
kixelated merged 3 commits into
mainfrom
codex/demo-protocol-egress
Jul 18, 2026
Merged

fix(relay): route WebSocket auth by request domain#2386
kixelated merged 3 commits into
mainfrom
codex/demo-protocol-egress

Conversation

@kixelated

@kixelated kixelated commented Jul 18, 2026

Copy link
Copy Markdown
Collaborator

What changed

  • Apply Auth::params_from_url to WebSocket fallback sessions, matching native WebTransport authentication routing.
  • Read the request authority in a way that works across Axum 0.8 releases.
  • Build authentication URLs from Uri::path_and_query, including for absolute-form requests.
  • Cover project-subdomain routing, JWT extraction, and both origin-form and absolute-form URIs with a regression test.

Root cause

The WebTransport accept path passed its full request URL through Auth::params_from_url, but the WebSocket fallback constructed AuthParams directly from only the request path and query. A URL such as https://demo.cdn.moq.pro/bbb.hang therefore authenticated as /bbb.hang over WebSocket instead of /demo/bbb.hang, causing public and token-scoped project access to fail whenever the client fell back from WebTransport.

The first URL reconstruction also formatted the entire Uri. For absolute-form requests that would duplicate the scheme and authority. Restricting reconstruction to path_and_query makes both HTTP URI forms behave identically.

Validation

  • just ci (1,726 tests passed, repository checks, docs, and flake evaluation)
  • cargo test -p moq-relay websocket_auth_applies_subdomain_routing -- --nocapture after rebasing onto current main

Public API changes

None.

(Written by GPT-5)

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @kixelated, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@kixelated
kixelated marked this pull request as ready for review July 18, 2026 11:46
@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The WebSocket endpoint now derives authentication parameters from the request host and full original URI, including the path and query. Host extraction uses the Host header with URI authority fallback, and URL construction failures return 400 BAD_REQUEST. Non-WebSocket requests continue to receive the landing response. A test verifies subdomain-based path routing and JWT preservation.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: WebSocket auth now routes by request domain.
Description check ✅ Passed The description matches the changeset and accurately describes the auth routing fix and regression test coverage.
✨ Finishing Touches
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch codex/demo-protocol-egress

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@rs/moq-relay/src/websocket.rs`:
- Around line 85-88: Update request_auth_params to construct the URL using
uri.path_and_query() rather than formatting the full Uri, so absolute-form URIs
do not duplicate scheme and authority. Preserve the existing https scheme, host,
parsing error mapping to BAD_REQUEST, and auth.params_from_url flow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0bfdc123-9d08-4569-bd83-7317b78c13b6

📥 Commits

Reviewing files that changed from the base of the PR and between 2be3a55 and e7d12f2.

📒 Files selected for processing (1)
  • rs/moq-relay/src/websocket.rs

Comment thread rs/moq-relay/src/websocket.rs
@kixelated
kixelated force-pushed the codex/demo-protocol-egress branch from e7d12f2 to b908a34 Compare July 18, 2026 12:29
@kixelated kixelated changed the title Route WebSocket auth by request domain fix(relay): route WebSocket auth by request domain Jul 18, 2026
@kixelated
kixelated merged commit 265efb6 into main Jul 18, 2026
2 checks passed
@kixelated
kixelated deleted the codex/demo-protocol-egress branch July 18, 2026 12:48
@moq-bot moq-bot Bot mentioned this pull request Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant