WebSocket notifications require access_token query parameter #1499

Closed
opened 2026-04-06 01:58:52 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @AChep on 8/14/2023

Subject of the issue

Looking at the updated WebSocket notifications implementation, we explicitly check for the `access_token` parameter here: https://github.com/BlackDex/vaultwarden/blob/3dbfc484a54c41d1759646444b439da06445060b/src/api/notifications.rs#L86

While this is correct most of the time, the token can actually be passed with Authorization Bearer token!

ts: https://github.com/dotnet/aspnetcore/blob/721cd72b627bb43f4f9d7988662fbc5f26c46167/src/SignalR/clients/ts/signalr/src/WebSocketTransport.ts#L55
java: https://github.com/dotnet/aspnetcore/blob/721cd72b627bb43f4f9d7988662fbc5f26c46167/src/SignalR/clients/java/signalr/core/src/main/java/com/microsoft/signalr/WebSocketTransport.java#L48

Expected behaviour

Access token is derived from either query params or bearer header.

Actual behaviour

Access token is derived from only query params.
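The expected behaviour above, as an added example that is not part of the issue and not vaultwarden's own code: a small dependency-free Rust helper that derives the WebSocket access token from either the `Authorization: Bearer` header or the `access_token` query parameter. The function name `extract_access_token`, the `(name, value)` header slice and the sample requests are assumptions made for this illustration; the header is checked first, and an empty value in either location counts as absent rather than as a valid token.

```rust
/// Derive the access token for a WebSocket upgrade request from either the
/// `Authorization: Bearer <token>` header or the `access_token` query
/// parameter. Hypothetical helper for illustration, not vaultwarden's code.
/// The header is preferred; the query parameter is the fallback.
pub fn extract_access_token(query: &str, headers: &[(&str, &str)]) -> Option<String> {
    token_from_bearer_header(headers).or_else(|| token_from_query(query))
}

/// Look for `Authorization: Bearer <token>`. Header names are
/// case-insensitive, and RFC 6750 makes the `Bearer` scheme name
/// case-insensitive too, so both are compared without regard to case.
fn token_from_bearer_header(headers: &[(&str, &str)]) -> Option<String> {
    headers.iter().find_map(|(name, value)| {
        if !name.eq_ignore_ascii_case("authorization") {
            return None;
        }
        let value = value.trim();
        // Scheme and credentials are separated by at least one space.
        let (scheme, rest) = value.split_once(' ')?;
        if !scheme.eq_ignore_ascii_case("bearer") {
            return None;
        }
        let token = rest.trim();
        if token.is_empty() {
            None
        } else {
            Some(token.to_string())
        }
    })
}

/// Look for `access_token=<token>` in the raw query string. A leading `?` is
/// tolerated. JWT-style tokens use only URL-safe characters, so no percent
/// decoding is attempted here; a value that is present but empty is rejected.
fn token_from_query(query: &str) -> Option<String> {
    query
        .trim_start_matches('?')
        .split('&')
        .filter_map(|pair| pair.split_once('='))
        .find(|(key, _)| *key == "access_token")
        .and_then(|(_, value)| {
            if value.is_empty() {
                None
            } else {
                Some(value.to_string())
            }
        })
}

fn main() {
    // Constructed sample upgrade requests, one per token location.
    let via_header = extract_access_token("", &[("Authorization", "Bearer abc.def.ghi")]);
    let via_query = extract_access_token("?access_token=abc.def.ghi", &[]);
    let neither = extract_access_token("foo=bar", &[("Authorization", "Basic dXNlcjpwYXNz")]);
    println!("header: {:?}", via_header);
    println!("query:  {:?}", via_query);
    println!("none:   {:?}", neither);
}
```

Whichever location the token arrives in, it still has to be validated exactly as before; this helper only changes where the server looks. Preferring the header is deliberate: a token in the query string is more likely to end up in access logs and proxy logs than one carried in a header.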

Reference: github/vaultwarden#1499