fix: resolve websocket auth token exposure and ensure transaction #616
Ankush-ai wants to merge 2 commits into
…e notification delivery
@Ankush-ai is attempting to deploy a commit to the CodeBlooded's projects Team on Vercel. A member of the Team first needs to authorize it.
@viru0909-dev I have made the changes and fixes; everything works as expected, kindly merge the PR.
Hi @viru0909-dev, I noticed this issue currently has an open PR linked to it. If any additional improvements, testing, frontend integration, or fixes are still needed, I would be happy to contribute under GSSoC 2026. Please let me know if I can work on this. Thank you!
Dear Admin,
I have validated all parameters and conducted regression testing to ensure
the changes do not disrupt the existing project flow. I can confirm the
implementation was successful, and I have raised a Pull Request (PR #616)
following these tests.
Given that this PR addresses a critical security issue regarding websocket
auth token exposure, I kindly ask you to review and merge the updates.
Regards,
Ankush Srivastava
On Mon, 25 May 2026, 1:11 pm Mohitswamii wrote:
Dear Project Admin,
I hope you have had the opportunity to validate the parameters and the code
for the pending Pull Request (#616).
As this PR has been open for some time and addresses critical security
updates, I kindly request that you review and merge it at your earliest
convenience.
Best regards,
Ankush Srivastava
On Mon, 25 May 2026, 2:18 pm Ankush Srivastava wrote:
@Ankush-ai Sorry for the delay in reviewing this PR. My health has not been good recently, so I will need another 2–3 days to properly review it. I apologize for the wait and understand that it can be frustrating when a PR remains unreviewed for a long time. From my initial review, I noticed that the CI/CD checks are currently failing, and the Vercel deployment is also not passing. It would be helpful if you could take a look at those issues in the meantime. Thank you for your patience and understanding. If you face any issues or need to discuss anything regarding this PR, feel free to contact me via LinkedIn
Sure,
I will look into the issues.
On Sat, 30 May 2026, 1:41 am Virendra Gadekar wrote:
Pull Request
Description
Closes #594
This Pull Request resolves a critical security vulnerability where the JWT authentication token was exposed as a query parameter in the WebSocket connection URL string.
Both frontend and backend architectures have been upgraded to pass the token securely in-band via JSON text frames immediately following connection initialization. Additionally, an event-driven mechanism has been implemented on the backend to eliminate dual-write side effects during database transaction rollbacks.
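The in-band handshake described above, as an added example in JavaScript that is not the nyay-setu project's own code: the client opens the socket with no token in the URL and sends an AUTH frame from its onopen hook; the server keeps a registry keyed by user id, gives each fresh socket a 5-second window to authenticate, and closes anything still unauthenticated with status 1008. The verifyToken callback stands in for the project's JWT validation, and the session, registry and clock shapes are assumptions chosen so the exchange runs offline.

```javascript
// Added example, not the nyay-setu project's own code: in-memory model of the
// in-band AUTH handshake. verifyToken stands in for JWT validation; the session,
// registry and clock shapes are assumptions so both sides run without a network.
const AUTH_WINDOW_MS = 5000;   // unauthenticated channels are evicted after this
const POLICY_VIOLATION = 1008; // WebSocket close status used for eviction

// ---- server side: registry keyed by user id, sandbox window for fresh sessions ----
class NotificationWsHandler {
  constructor(verifyToken, authWindowMs = AUTH_WINDOW_MS) {
    this.verifyToken = verifyToken;   // token -> numeric userId, or null if invalid
    this.authWindowMs = authWindowMs;
    this.pending = new Map();         // session -> time the socket opened (not yet authed)
    this.sessionsByUser = new Map();  // userId -> Set of authenticated sessions
  }

  onOpen(session, now) { this.pending.set(session, now); }

  onMessage(session, text, now) {
    if (!this.pending.has(session)) return;  // already authenticated: nothing to do here
    let msg;
    try { msg = JSON.parse(text); } catch { return this.reject(session, 'malformed frame'); }
    if (msg.type !== 'AUTH' || typeof msg.token !== 'string') {
      return this.reject(session, 'first frame must be AUTH');
    }
    if (now - this.pending.get(session) > this.authWindowMs) {
      return this.reject(session, 'auth window expired');
    }
    const userId = this.verifyToken(msg.token);
    if (userId === null) return this.reject(session, 'invalid token');
    this.pending.delete(session);
    if (!this.sessionsByUser.has(userId)) this.sessionsByUser.set(userId, new Set());
    this.sessionsByUser.get(userId).add(session);
    session.send(JSON.stringify({ type: 'AUTH_SUCCESS', userId }));
  }

  // Tell the client why, drop it from the pending set and close with 1008.
  reject(session, reason) {
    session.send(JSON.stringify({ type: 'AUTH_ERROR', reason }));
    this.pending.delete(session);
    session.close(POLICY_VIOLATION, reason);
  }

  // Run by a scheduler: evicts clients that opened a socket but never sent AUTH.
  sweep(now) {
    for (const [session, openedAt] of this.pending) {
      if (now - openedAt >= this.authWindowMs) this.reject(session, 'auth timeout');
    }
  }

  // Deliver to every live session of one user; returns how many were reached.
  notifyUser(userId, payload) {
    const sessions = this.sessionsByUser.get(userId) || new Set();
    for (const s of sessions) s.send(JSON.stringify({ type: 'NOTIFICATION', ...payload }));
    return sessions.size;
  }
}

// ---- client side: the token never appears in the URL, only in the first frame ----
function buildWsUrl(baseUrl) { return `${baseUrl}/ws/notifications`; }  // no ?token=

function connectNotifications(socket, token, handlers) {
  socket.onopen = () => socket.send(JSON.stringify({ type: 'AUTH', token }));
  socket.onmessage = (event) => {
    const msg = JSON.parse(event.data);
    if (msg.type === 'AUTH_SUCCESS') handlers.onAuthenticated(msg.userId);
    else if (msg.type === 'AUTH_ERROR') handlers.onAuthError(msg.reason);
    else handlers.onNotification(msg);
  };
  return socket;
}

// ---- in-memory socket pair; clock.t is the fake "now" seen by the server ----
function makeSocketPair(handler, clock) {
  const client = { onopen: null, onmessage: null, closed: null };
  const server = {
    send: (text) => { if (client.onmessage) client.onmessage({ data: text }); },
    close: (code, reason) => { client.closed = { code, reason }; },
  };
  client.send = (text) => handler.onMessage(server, text, clock.t);
  client.open = () => { handler.onOpen(server, clock.t); if (client.onopen) client.onopen(); };
  return client;
}

function demo() {
  const clock = { t: 0 };
  const handler = new NotificationWsHandler((tok) => (tok === 'good-token' ? 42 : null));
  const log = [];
  const handlers = {
    onAuthenticated: (uid) => log.push(`auth ok ${uid}`),
    onAuthError: (reason) => log.push(`auth err ${reason}`),
    onNotification: (m) => log.push(`notif ${m.title}`),
  };
  const url = buildWsUrl('wss://example.invalid');  // constructed sample host
  const good = connectNotifications(makeSocketPair(handler, clock), 'good-token', handlers);
  good.open();                                              // AUTH sent from onopen
  const reached = handler.notifyUser(42, { title: 'Hearing scheduled' });
  const bad = connectNotifications(makeSocketPair(handler, clock), 'forged', handlers);
  bad.open();                                               // AUTH_ERROR, closed 1008
  const silent = makeSocketPair(handler, clock);
  silent.open();                                            // never sends AUTH
  clock.t = 6000;
  handler.sweep(clock.t);                                   // silent client evicted
  return { url, log, reached, badClose: bad.closed, silentClose: silent.closed,
           pending: handler.pending.size };
}
```

Keeping the token out of the URL matters because query strings are routinely written to reverse-proxy and application access logs, browser history and Referer headers, whereas a text frame sent after the handshake is only visible inside the TLS session. The sweep is what makes the sandbox window enforceable: without it, a client that connects and stays silent would hold a socket indefinitely.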
Changes Made
NotificationService.js: Removed the sensitive token parameter from the core WebSocket URL. Added an onopen hook to safely transmit the token inside a structured AUTH JSON frame. Handled application routing states for AUTH_SUCCESS and AUTH_ERROR.
NotificationWebSocketHandler.java: Transitioned session registry keys from transient socket session IDs to explicit database Long user identities. Implemented a 5-second connection sandboxing window that auto-evicts unauthenticated channels with Close Status 1008.
ApplicationEventPublisher: Created a lightweight NotificationCreatedEvent and a transaction-aware NotificationWebSocketEventListener listening strictly on the AFTER_COMMIT phase with REQUIRES_NEW propagation.
Type of change
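The dual-write problem the event-driven change addresses, as an added example in JavaScript that is not the project's code: a notification row is inserted and the WebSocket push is fired before the transaction commits, so a rollback leaves the user with a push for a notification that never existed. The EventBus and Transaction classes are assumptions standing in for ApplicationEventPublisher and an AFTER_COMMIT transactional listener; they model only the ordering that matters here.

```javascript
// Added example, not the project's code: why pushing from inside the database
// transaction is a dual write, and how deferring the push to an after-commit
// listener fixes it. EventBus and Transaction are assumptions standing in for
// Spring's ApplicationEventPublisher and @TransactionalEventListener(AFTER_COMMIT).
class EventBus {
  constructor() { this.listeners = []; }
  subscribe(fn) { this.listeners.push(fn); }
  // While a transaction is open, hold the event; it is dispatched only on commit.
  publish(event, tx) {
    if (tx && tx.active) tx.afterCommit.push(event);
    else this.dispatch(event);
  }
  dispatch(event) { for (const fn of this.listeners) fn(event); }
}

class Transaction {
  constructor(db, bus) {
    this.db = db; this.bus = bus; this.active = true;
    this.rows = []; this.afterCommit = [];
  }
  insert(row) { this.rows.push(row); }
  commit() {
    this.db.push(...this.rows);
    this.active = false;  // listeners run after the commit, outside this transaction
    for (const e of this.afterCommit) this.bus.dispatch(e);
  }
  rollback() { this.active = false; this.rows = []; this.afterCommit = []; }
}

// Persist a notification and announce it; deferToCommit selects the event-driven path.
function createNotification(db, bus, push, notification, deferToCommit, failAfterInsert) {
  const tx = new Transaction(db, bus);
  try {
    tx.insert(notification);
    if (deferToCommit) bus.publish({ type: 'NotificationCreated', notification }, tx);
    else push(notification);  // naive dual write: announced before the row is durable
    if (failAfterInsert) throw new Error('simulated constraint violation');
    tx.commit();
    return true;
  } catch (e) {
    tx.rollback();
    return false;
  }
}

// Run both strategies against one successful insert and one rolled-back insert.
function compareStrategies() {
  const results = {};
  for (const mode of ['naive', 'afterCommit']) {
    const db = [], pushed = [], bus = new EventBus();
    bus.subscribe((e) => pushed.push(e.notification.id));  // the WebSocket listener
    const push = (n) => pushed.push(n.id);                  // direct push, no transaction awareness
    const defer = mode === 'afterCommit';
    createNotification(db, bus, push, { id: 1, userId: 42 }, defer, false);
    createNotification(db, bus, push, { id: 2, userId: 42 }, defer, true);
    results[mode] = { stored: db.map((r) => r.id), pushed };
  }
  return results;
}
```

In the naive mode the second notification is pushed but never stored; in the after-commit mode the pushed set and the stored set agree. The listener running after the commit is also why REQUIRES_NEW propagation is needed in the real Spring setup: by the AFTER_COMMIT phase the originating transaction is finished, so any database work the listener does must open its own.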
Checklist: