feat: add query-param token auth and optional HTTP auth to gateway

Support ?token= query parameter as a fallback for WebSocket clients that
cannot set Authorization headers (e.g. browsers). Add authHttp option to
GatewayServer so token auth can be applied to HTTP requests too, returning
401 with WWW-Authenticate header on failure.
William Valentin
2026-02-06 16:51:41 -08:00
parent 0eb1f7a073
commit 20930a4816
4 changed files with 132 additions and 12 deletions
+17 -1
@@ -35,6 +35,8 @@ export interface GatewayServerConfig {
toolExecutor: ToolExecutor;
version?: string;
auth?: AuthConfig;
/** Whether to apply token auth to HTTP requests too (default: true when token is set). */
authHttp?: boolean;
uiDir?: string;
config?: Config;
/** Optional callback for system.restart. Should trigger graceful shutdown + process restart. */
@@ -195,10 +197,24 @@ export class GatewayServer {
/**
* Handle incoming HTTP requests.
* Optionally applies auth (when authHttp is enabled and a token is configured).
* Delegates to serveStatic for UI files; returns 404 if no UI dir or file not found.
* Auth is NOT applied to HTTP requests — only to WS upgrade.
*/
private async handleHttpRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
// Apply auth to HTTP requests when configured
const authConfig = this.config.auth ?? {};
if (this.config.authHttp !== false && authConfig.token) {
const authResult = authenticateRequest(req, authConfig);
if (!authResult.authenticated) {
res.writeHead(401, {
'Content-Type': 'text/plain',
'WWW-Authenticate': 'Bearer',
});
res.end(authResult.error ?? 'Unauthorized');
return;
}
}
const uiDir = this.config.uiDir;
if (uiDir) {