fix: pass auth token in WebSocket connections for private spaces

WebSocket clients were connecting without auth tokens, causing 401 rejections for authenticated/members_only spaces. Now reads the encryptid_session from localStorage and appends ?token= to WS URLs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 22:08:07 -08:00 · 2026-02-28 22:08:07 -08:00 · d5563d4636
parent f8c51fad0b
commit d5563d4636
4 changed files with 33 additions and 4 deletions
--- a/lib/community-sync.ts
+++ b/lib/community-sync.ts
@ -193,7 +193,17 @@ export class CommunitySync extends EventTarget {
 			return;
 		}

-		this.#ws = new WebSocket(wsUrl);
+		// Attach auth token for private/authenticated spaces
+		let authUrl = wsUrl;
+		try {
+			const sess = JSON.parse(localStorage.getItem('encryptid_session') || '');
+			if (sess?.accessToken) {
+				const sep = wsUrl.includes('?') ? '&' : '?';
+				authUrl = `${wsUrl}${sep}token=${encodeURIComponent(sess.accessToken)}`;
+			}
+		} catch {}
+
+		this.#ws = new WebSocket(authUrl);
 		this.#ws.binaryType = "arraybuffer";

 		this.#ws.onopen = () => {
--- a/lib/folk-canvas.ts
+++ b/lib/folk-canvas.ts
@ -368,7 +368,12 @@ export class FolkCanvas extends FolkShape {

 		const protocol = window.location.protocol === "https:" ? "wss:" : "ws:";
 		const nestParam = this.#parentSlug ? `&nest-from=${encodeURIComponent(this.#parentSlug)}` : "";
-		const wsUrl = `${protocol}//${window.location.host}/ws/${this.#sourceSlug}?mode=json${nestParam}`;
+		let tokenParam = "";
+		try {
+			const sess = JSON.parse(localStorage.getItem('encryptid_session') || '');
+			if (sess?.accessToken) tokenParam = `&token=${encodeURIComponent(sess.accessToken)}`;
+		} catch {}
+		const wsUrl = `${protocol}//${window.location.host}/ws/${this.#sourceSlug}?mode=json${nestParam}${tokenParam}`;

 		this.#ws = new WebSocket(wsUrl);

--- a/shared/local-first/sync.ts
+++ b/shared/local-first/sync.ts
@ -125,8 +125,18 @@ export class DocSyncManager {

    if (this.#ws?.readyState === WebSocket.OPEN) return;

+    // Attach auth token for private/authenticated spaces
+    let authUrl = wsUrl;
+    try {
+      const sess = JSON.parse(localStorage.getItem('encryptid_session') || '');
+      if (sess?.accessToken) {
+        const sep = wsUrl.includes('?') ? '&' : '?';
+        authUrl = `${wsUrl}${sep}token=${encodeURIComponent(sess.accessToken)}`;
+      }
+    } catch {}
+
    return new Promise((resolve, reject) => {
-      this.#ws = new WebSocket(wsUrl);
+      this.#ws = new WebSocket(authUrl);
      this.#ws.binaryType = 'arraybuffer';

      this.#ws.onopen = () => {
--- a/website/canvas.html
+++ b/website/canvas.html
@ -3071,7 +3071,11 @@

 			// Connect to server
 			const protocol = window.location.protocol === "https:" ? "wss:" : "ws:";
-			const wsUrl = `${protocol}//${window.location.host}/ws/${communitySlug}`;
+			let wsUrl = `${protocol}//${window.location.host}/ws/${communitySlug}`;
+			try {
+				const sess = JSON.parse(localStorage.getItem('encryptid_session') || '');
+				if (sess?.accessToken) wsUrl += `?token=${encodeURIComponent(sess.accessToken)}`;
+			} catch {};

 			// Handle browser online/offline events
 			window.addEventListener("online", () => {