fix: allow internal Docker connections to /ws/live without auth

The Discord bot connects to /ws/live from the Docker internal network (172.x.x.x) but has no session cookie, causing 4401 auth failures. Now: connections from Docker internal network (172.x.x.x), localhost, or ::1 skip the session cookie check. External connections (through Nginx) still require authentication. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 21:10:02 +02:00 · 2026-04-14 21:10:02 +02:00 · 356c0d97b9
commit 356c0d97b9
parent adb9d5feab
1 changed files with 10 additions and 5 deletions
--- a/main.py
+++ b/main.py
@ -3643,11 +3643,16 @@ async def ws_live_updates(websocket: WebSocket):
    Manages a set of connected browser clients; listens for incoming command messages
    and forwards them to the appropriate plugin client WebSocket.
    """
-    # Require valid session cookie for browser WebSocket
-    token = websocket.cookies.get("session")
-    if not token or not verify_session_cookie(token):
-        await websocket.close(code=4401, reason="Not authenticated")
-        return
+    # Require valid session cookie for browser WebSocket.
+    # Internal Docker network connections (172.x.x.x) are trusted — this allows
+    # the Discord bot and other internal services to connect without a cookie.
+    client_host = websocket.client.host if websocket.client else ""
+    is_internal = client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost")
+    if not is_internal:
+        token = websocket.cookies.get("session")
+        if not token or not verify_session_cookie(token):
+            await websocket.close(code=4401, reason="Not authenticated")
+            return

    global _browser_connections
    # Add new browser client to the set