Bug: Sends access token via Sec-Websocket-Protocol

Open waldiTM opened this issue 11 months ago • 1 comments

Environment:

  • OS: iPadOS 18.1.1
  • IceCubesApp version: 1.11.2

Description

Ice Cubes sends the access token for the streaming API via the Sec-Websocket-Protocol header. The Mastodon documentation of the streaming API does not document this way of use. And this header is not considered sensitive, so it is often logged.

The documented way to do auth against the streaming API is to use the access_token query parameter.

The standard Authorization header is implemented as well for the streaming API, but not documented.

Related Issues

  • [x] Search that this bug doesn't already exist before creating it.

waldiTM avatar Dec 17 '24 20:12 waldiTM

I don't know Swift, but the relevant code seems to be Client.makeWebSocketTask. It clearly shows the setup of the protocols parameter.

waldiTM avatar Dec 17 '24 20:12 waldiTM
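
A log-scrubbing filter for the leak described in this issue, as an added example that is not part of the issue thread or of the IceCubesApp or Mastodon code: it redacts credentials from logged request lines for all three channels the issue mentions and reports which channel carried them. The log layout, the token values, the host name and the `KNOWN_SUBPROTOCOLS` allowlist are assumptions constructed for illustration.

```python
import re

# Assumption: genuine subprotocol names that are safe to keep in logs (none here).
KNOWN_SUBPROTOCOLS = frozenset()

_PROTO = re.compile(r"\b(sec-websocket-protocol\s*:\s*)([^\r\n]+)", re.I)
_AUTHZ = re.compile(r"\b(authorization\s*:\s*)([^\r\n]+)", re.I)
_QUERY = re.compile(r"([?&]access_token=)([^&\s\"]+)", re.I)

def _scrub_protocols(match):
    # Any offered subprotocol that is not allowlisted is treated as a possible token.
    items = [p.strip() for p in match.group(2).split(",")]
    kept = [p if p in KNOWN_SUBPROTOCOLS else "[REDACTED]" for p in items]
    return match.group(1) + ", ".join(kept)

_RULES = (
    ("sec-websocket-protocol", _PROTO, _scrub_protocols),
    ("authorization", _AUTHZ, lambda m: m.group(1) + "[REDACTED]"),
    ("access_token-query", _QUERY, lambda m: m.group(1) + "[REDACTED]"),
)

def redact(line):
    """Return (scrubbed_line, channels); channels lists where a credential was found."""
    channels = []
    for name, pattern, repl in _RULES:
        scrubbed = pattern.sub(repl, line)
        if scrubbed != line:
            channels.append(name)
        line = scrubbed
    return line, channels

def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, [(line_number, channel), ...])."""
    scrubbed, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, channels = redact(line)
        scrubbed.append(clean)
        findings.extend((number, channel) for channel in channels)
    return scrubbed, findings

# Constructed sample: header dump lines as a proxy or debug log might record them.
SAMPLE_LOG = [
    "GET /api/v1/streaming?stream=user HTTP/1.1",
    "Host: mastodon.example",
    "Upgrade: websocket",
    "Sec-Websocket-Protocol: CONSTRUCTED-TOKEN-1",
    "Authorization: Bearer CONSTRUCTED-TOKEN-2",
    "GET /api/v1/streaming?access_token=CONSTRUCTED-TOKEN-3&stream=user HTTP/1.1",
]
```
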