Use the temporary auth token. (#195)

jsdt · web-flow · commit 6132ff8b6c73 · 2025-06-25T15:04:36.000-07:00
diff --git a/packages/sdk/src/websocket_decompress_adapter.ts b/packages/sdk/src/websocket_decompress_adapter.ts
@@ -90,6 +90,9 @@ export class WebsocketDecompressAdapter {
       WS = WebSocket;
     }
 
+    // We swap our original token to a shorter-lived token
+    // to avoid sending the original via query params.
+    let temporaryAuthToken: string | undefined = undefined;
     if (authToken) {
       headers.set('Authorization', `Bearer ${authToken}`);
       const tokenUrl = new URL('v1/identity/websocket-token', url);
@@ -98,7 +101,7 @@ export class WebsocketDecompressAdapter {
       const response = await fetch(tokenUrl, { method: 'POST', headers });
       if (response.ok) {
         const { token } = await response.json();
-        url.searchParams.set('token', token);
+        temporaryAuthToken = token;
       } else {
         return Promise.reject(
           new Error(`Failed to verify token: ${response.statusText}`)
@@ -107,6 +110,9 @@ export class WebsocketDecompressAdapter {
     }
 
     const databaseUrl = new URL(`v1/database/${nameOrAddress}/subscribe`, url);
+    if (temporaryAuthToken) {
+      databaseUrl.searchParams.set('token', temporaryAuthToken);
+    }
     databaseUrl.searchParams.set(
       'compression',
       compression === 'gzip' ? 'Gzip' : 'None'
