From 356c0d97b9b1eff7d222d56676341494d740ffad Mon Sep 17 00:00:00 2001
From: Erik
Date: Tue, 14 Apr 2026 21:10:02 +0200
Subject: [PATCH] fix: allow internal Docker connections to /ws/live without auth
The Discord bot connects to /ws/live from the Docker internal network (172.x.x.x) but has no session cookie, causing 4401 auth failures. Now: connections from Docker internal network (172.x.x.x), localhost, or ::1 skip the session cookie check. External connections (through Nginx) still require authentication.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 main.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/main.py b/main.py
index 85710960..bf2051dc 100644
--- a/main.py
+++ b/main.py
@@ -3643,11 +3643,16 @@ async def ws_live_updates(websocket: WebSocket):
 Manages a set of connected browser clients; listens for incoming command messages and forwards them to the appropriate plugin client WebSocket. """
- # Require valid session cookie for browser WebSocket
- token = websocket.cookies.get("session")
- if not token or not verify_session_cookie(token):
- await websocket.close(code=4401, reason="Not authenticated")
- return
+ # Require valid session cookie for browser WebSocket.
+ # Internal Docker network connections (172.x.x.x) are trusted — this allows
+ # the Discord bot and other internal services to connect without a cookie.
+ client_host = websocket.client.host if websocket.client else ""
+ is_internal = client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost")
+ if not is_internal:
+ token = websocket.cookies.get("session")
+ if not token or not verify_session_cookie(token):
+ await websocket.close(code=4401, reason="Not authenticated")
+ return
 global _browser_connections # Add new browser client to the set
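Review bot: The `is_internal` check authenticates by source address, and `client_host.startswith("172.")` accepts all of 172.0.0.0/8, of which only 172.16.0.0/12 is private, so publicly routable peers in the rest of that block would skip the cookie check. If Nginx reaches this app over the same Docker network or over loopback (the deployment is not visible here), `websocket.client.host` is the proxy's address for every external client and the cookie check would never run; if forwarded headers are honoured instead, the result depends on which forwarders are trusted. Every container on that network also gets unauthenticated access to an endpoint that, per its docstring, forwards command messages to plugin clients. I would authenticate the bot with a shared secret compared in constant time and keep the cookie path for everyone else, as sketched below; `INTERNAL_WS_TOKEN` and the header name are placeholders, `hmac` would need importing, and the body of `ws_live_updates` continues outside the hunk.

```python
    # Internal services authenticate with a shared secret instead of by source address.
    # INTERNAL_WS_TOKEN (placeholder name) is loaded from configuration; empty disables the bypass.
    presented = websocket.headers.get("x-internal-token", "")
    is_internal = bool(INTERNAL_WS_TOKEN) and hmac.compare_digest(
        presented.encode(), INTERNAL_WS_TOKEN.encode()
    )
    if not is_internal:
        # ... unchanged: session cookie lookup, verify_session_cookie, close with 4401 ...
```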