feat: add websocket auth for app-server#14847
Conversation
viyatb-oai
changed the title
viyatb-oai
force-pushed
the
codex/viyatb/app-server-websocket-auth
branch
from
7bde80f to
ba5da01
Compare
viyatb-oai
requested review from
bolinfest,
etraut-openai and
maxj-oai
and removed request for
bolinfest
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 612dc17da1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex security review |
|
Security review completed. No security issues were found in this pull request. ℹ️ About Codex security reviews in GitHubThis is an experimental Codex feature. Security reviews are triggered when:
Once complete, Codex will leave suggestions, or a comment if no findings are found. |
etraut-openai
left a comment
etraut-openai
left a comment
There was a problem hiding this comment.
The implementation looks good to me.
I have some concerns about this from a usability standpoint. The "signed bearer token" auth method is very advanced and will not be appropriate for most codex users and use cases. The capability token approach is easier to configure, but it still requires multiple steps. We'll need to document this very well to help users get through the steps.
etraut-openai
force-pushed
the
codex/viyatb/app-server-websocket-auth
branch
from
612dc17 to
4e69aa8
Compare
2 participants
Summary
This change adds websocket authentication at the app-server transport boundary and enforces it before JSON-RPC
initialize, so authenticated deployments reject unauthenticated clients during the websocket handshake rather than after a connection has already been admitted.During rollout, websocket auth is opt-in for non-loopback listeners so we do not break existing remote clients. If
--ws-auth ...is configured, the server enforces auth during websocket upgrade. If auth is not configured, non-loopback listeners still start, but app-server logs a warning and the startup banner calls out that auth should be configured before real remote use.The server supports two auth modes: a file-backed capability token, and a standard HMAC-signed JWT/JWS bearer token verified with the
jsonwebtokencrate, with optional issuer, audience, and clock-skew validation. Capability tokens are normalized, hashed, and compared in constant time. Short shared secrets for signed bearer tokens are rejected at startup. Requests carrying anOriginheader are rejected with403by transport middleware, and authenticated clients present credentials asAuthorization: Bearer <token>during websocket upgrade.Validation
cargo test -p codex-app-server transport::authcargo test -p codex-cli app_server_cargo clippy -p codex-app-server --all-targets -- -D warningsjust bazel-lock-checkNote: in the broad
cargo test -p codex-app-server connection_handling_websocketrun, the touched websocket auth cases passed, but unrelated Unix shutdown tests failed with a timeout in this environment.