Skip to content

fix: add proper token authentication to mobile server#10

Merged
yejiming merged 1 commit into
yejiming:mainfrom
whitelonng:fix/01-mobile-token-auth
Jun 21, 2026
Merged

fix: add proper token authentication to mobile server#10
yejiming merged 1 commit into
yejiming:mainfrom
whitelonng:fix/01-mobile-token-auth

Conversation

@whitelonng

Copy link
Copy Markdown
Contributor

Summary

Fixes a security issue where the mobile server rejects all requests without the X-Mobile-Token header, including public assets and the status endpoint that should be accessible without authentication.

Changes

  • Token validation: Add validate_token() helper that checks token from:
    • X-Mobile-Token header (existing)
    • ?token=... query parameter (new)
    • Cookie header (new)
  • Public route exemption: Allow unauthenticated access to:
    • GET / (root)
    • GET /assets/* (static assets)
    • GET /api/mobile/status (status endpoint)
  • Frontend improvements: Include token in status response and Settings UI for easy client access
  • Test coverage: Add 6 test cases covering token validation, public routes, and rejection scenarios

Test Plan

  • ✅ All 190 Rust unit tests pass (including 6 new mobile_server tests)
  • ✅ TypeScript type check passes
  • ✅ Verified public routes accessible without token
  • ✅ Verified protected routes require valid token
  • ✅ Verified token validation from header/query/cookie

Impact

This ensures legitimate clients can access public endpoints while still protecting sensitive API routes.

Security issue: The mobile server currently rejects all requests without
X-Mobile-Token header, including public assets and status endpoint that
should be accessible without authentication.

Changes:
- Add validate_token() helper that checks X-Mobile-Token header, query
  parameter (?token=...), and Cookie header
- Exempt public routes from auth: GET /, GET /assets/*, GET /api/mobile/status
- Include token in status response and Settings UI for easy access
- Add 6 test cases covering token validation, public routes, and rejection

This ensures legitimate clients can access public endpoints while still
protecting sensitive API routes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants