Description:
All four WebSocket handlers set `user_id: None` with a TODO comment:

```rust
WebSocketConnection {
    id: Uuid::new_v4(),
    user_id: None, // TODO: Extract from JWT token
```
The /ws/user/{id} endpoint is especially dangerous — any anonymous caller can subscribe to any user's private event stream by guessing or enumerating a UUID. Match result notifications, Elo changes, and matchmaking status are all exposed.
Affected files: src/realtime/websocket.rs
Proposed fix: Extract the JWT from the Authorization header or a token query parameter during the WebSocket upgrade handshake. Reject the upgrade with 401 if the token is missing or invalid. For /ws/user/{id}, verify that the authenticated user's ID matches the path parameter.
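One way to structure the pre-upgrade check the proposed fix describes, as an added example that is not the project's code: the token is taken from the Authorization header or the `token` query parameter, a missing or invalid token rejects with 401, and for /ws/user/{id} the authenticated subject must match the path parameter. The JWT verifier is injected as a closure (an assumption so the example runs without crates); a real handler would check signature and expiry with a JWT library, and the 403 for a mismatched user is this example's choice.

```rust
use std::collections::HashMap;

/// Outcome of the pre-upgrade check: the authenticated user id, or the HTTP
/// status the handshake is rejected with.
#[derive(Debug, PartialEq)]
pub enum Upgrade {
    Accept { user_id: String },
    Reject(u16),
}

/// Pull the token from `Authorization: Bearer <jwt>` or, failing that, from the
/// `token` query parameter (browser WebSocket clients cannot set headers).
/// Header names are assumed to be lowercased by the framework.
pub fn extract_token(
    headers: &HashMap<String, String>,
    query: &HashMap<String, String>,
) -> Option<String> {
    headers
        .get("authorization")
        .and_then(|v| v.strip_prefix("Bearer "))
        .map(str::to_owned)
        .or_else(|| query.get("token").cloned())
        .filter(|t| !t.is_empty())
}

/// Decide whether the upgrade may proceed. `verify` (hypothetical) returns the
/// subject (user id) of a valid JWT, or None when the token is invalid or expired.
/// `path_user_id` is Some for /ws/user/{id} and None for the other handlers.
pub fn authorize_upgrade(
    headers: &HashMap<String, String>,
    query: &HashMap<String, String>,
    path_user_id: Option<&str>,
    verify: impl Fn(&str) -> Option<String>,
) -> Upgrade {
    // Missing token: reject with 401 before any socket is opened.
    let token = match extract_token(headers, query) {
        Some(t) => t,
        None => return Upgrade::Reject(401),
    };
    // Invalid or expired token: also 401.
    let user_id = match verify(&token) {
        Some(sub) => sub,
        None => return Upgrade::Reject(401),
    };
    // /ws/user/{id}: a caller may only subscribe to their own event stream,
    // so a guessed or enumerated UUID no longer yields someone else's data.
    if let Some(path_id) = path_user_id {
        if path_id != user_id {
            return Upgrade::Reject(403);
        }
    }
    Upgrade::Accept { user_id }
}
```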