fix(core): move auth logic from rpc package to core

Author: antfu

packages/core/src/node/ws.ts

@@ -3,11 +3,13 @@ import type { ConnectionMeta, DevToolsNodeContext, DevToolsNodeRpcSession, DevTo
 import type { WebSocket } from 'ws'
 import type { RpcFunctionsHost } from './host-functions'
 import { AsyncLocalStorage } from 'node:async_hooks'
+import process from 'node:process'
 import { createRpcServer } from '@vitejs/devtools-rpc'
 import { createWsRpcPreset } from '@vitejs/devtools-rpc/presets/ws/server'
 import c from 'ansis'
 import { getPort } from 'get-port-please'
 import { MARK_CHECK } from './constants'
+import { getInternalContext } from './context-internal'
 
 export interface CreateWsServerOptions {
   cwd: string
@@ -26,11 +28,28 @@ export async function createWsServer(options: CreateWsServerOptions) {
 
   const wsClients = new Set<WebSocket>()
 
+  const context = options.context
+  const contextInternal = getInternalContext(context)
+
+  const isClientAuthDisabled = context.mode === 'build' || context.viteConfig.devtools?.clientAuth === false || process.env.VITE_DEVTOOLS_DISABLE_CLIENT_AUTH === 'true'
+  if (isClientAuthDisabled) {
+    console.warn('[Vite DevTools] Client authentication is disabled. Any browser can connect to the devtools and access to your server and filesystem.')
+  }
+
   const preset = createWsRpcPreset({
     port,
     host,
-    context: options.context,
-    onConnected: (ws, meta) => {
+    onConnected: (ws, req, meta) => {
+      const url = new URL(req.url ?? '', 'http://localhost')
+      const authId = url.searchParams.get('vite_devtools_auth_id') ?? undefined
+      if (isClientAuthDisabled) {
+        meta.isTrusted = true
+      }
+      else if (authId && contextInternal.storage.auth.get().trusted[authId]) {
+        meta.isTrusted = true
+        meta.clientAuthId = authId
+      }
+
       wsClients.add(ws)
       console.log(c.green`${MARK_CHECK} Websocket client [${meta.id}] connected`)
     },

packages/rpc/package.json

@@ -42,6 +42,7 @@
     }
   },
   "dependencies": {
+    "@vitejs/devtools-kit": "workspace:*",
     "birpc": "catalog:deps",
     "structured-clone-es": "catalog:deps"
   },

packages/rpc/src/presets/ws/server.ts

@@ -1,18 +1,16 @@
-import type { DevToolsNodeContext, DevToolsNodeRpcSessionMeta } from '@vitejs/devtools-kit'
+import type { DevToolsNodeRpcSessionMeta } from '@vitejs/devtools-kit'
 import type { BirpcGroup, BirpcOptions, ChannelOptions } from 'birpc'
+import type { IncomingMessage } from 'node:http'
 import type { WebSocket } from 'ws'
 import type { RpcServerPreset } from '..'
-import process from 'node:process'
 import { parse, stringify } from 'structured-clone-es'
 import { WebSocketServer } from 'ws'
 import { defineRpcServerPreset } from '..'
-import { getInternalContext } from '../../../../core/src/node/context-internal'
 
 export interface WebSocketRpcServerOptions {
   port: number
   host?: string
-  context: DevToolsNodeContext
-  onConnected?: (ws: WebSocket, meta: DevToolsNodeRpcSessionMeta) => void
+  onConnected?: (ws: WebSocket, req: IncomingMessage, meta: DevToolsNodeRpcSessionMeta) => void
   onDisconnected?: (ws: WebSocket, meta: DevToolsNodeRpcSessionMeta) => void
 }
 
@@ -35,16 +33,8 @@ export const createWsRpcPreset: RpcServerPreset<
     host = 'localhost',
     onConnected = NOOP,
     onDisconnected = NOOP,
-    context,
   } = options
 
-  const isClientAuthDisabled = context.mode === 'build' || context.viteConfig.devtools?.clientAuth === false || process.env.VITE_DEVTOOLS_DISABLE_CLIENT_AUTH === 'true'
-  if (isClientAuthDisabled) {
-    console.warn('[Vite DevTools] Client authentication is disabled. Any browser can connect to the devtools and access to your server and filesystem.')
-  }
-
-  const internal = getInternalContext(context)
-
   const wss = new WebSocketServer({
     port,
     host,
@@ -60,21 +50,9 @@ export const createWsRpcPreset: RpcServerPreset<
     } = options ?? {}
 
     wss.on('connection', (ws, req) => {
-      const url = new URL(req.url ?? '', 'http://localhost')
-      const authId = url.searchParams.get('vite_devtools_auth_id') ?? undefined
-      let isTrusted = false
-      if (isClientAuthDisabled) {
-        isTrusted = true
-      }
-      else if (authId && internal.storage.auth.get().trusted[authId]) {
-        isTrusted = true
-      }
-
       const meta: DevToolsNodeRpcSessionMeta = {
         id: id++,
         ws,
-        isTrusted,
-        clientAuthId: authId,
       }
 
       const channel: ChannelOptions = {
@@ -105,7 +83,7 @@ export const createWsRpcPreset: RpcServerPreset<
         })
         onDisconnected(ws, meta)
       })
-      onConnected(ws, meta)
+      onConnected(ws, req, meta)
     })
   }
 })