feat: Allow websocket subscription with PAK/PAT

Author: JanCizmar

backend/api/src/main/kotlin/io/tolgee/websocket/WebSocketConfig.kt

@@ -1,8 +1,7 @@
 package io.tolgee.websocket
 
-import io.tolgee.dtos.cacheable.UserAccountDto
+import io.tolgee.dtos.cacheable.ApiKeyDto
 import io.tolgee.model.enums.Scope
-import io.tolgee.security.authentication.JwtService
 import io.tolgee.security.authentication.TolgeeAuthentication
 import io.tolgee.service.security.SecurityService
 import org.springframework.context.annotation.Configuration
@@ -23,10 +22,10 @@ import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerCo
 @Configuration
 @EnableWebSocketMessageBroker
 class WebSocketConfig(
-  @Lazy
-  private val jwtService: JwtService,
   @Lazy
   private val securityService: SecurityService,
+  @Lazy
+  private val websocketAuthenticationResolver: WebsocketAuthenticationResolver,
 ) : WebSocketMessageBrokerConfigurer {
   override fun configureMessageBroker(config: MessageBrokerRegistry) {
     config.enableSimpleBroker("/")
@@ -46,15 +45,17 @@ class WebSocketConfig(
           val accessor = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor::class.java)
 
           if (accessor?.command == StompCommand.CONNECT) {
-            val tokenString = accessor.getNativeHeader("jwtToken")?.firstOrNull()
-            accessor.user = if (tokenString == null) null else jwtService.validateToken(tokenString)
+            val authorization = accessor.getNativeHeader("authorization")?.firstOrNull()
+            val xApiKey = accessor.getNativeHeader("x-api-key")?.firstOrNull()
+            val legacyJwt = accessor.getNativeHeader("jwtToken")?.firstOrNull()
+            accessor.user = websocketAuthenticationResolver.resolve(authorization, xApiKey, legacyJwt)
           }
 
-          val user = (accessor?.user as? TolgeeAuthentication)?.principal
+          val authentication = accessor?.user as? TolgeeAuthentication
 
           if (accessor?.command == StompCommand.SUBSCRIBE) {
-            checkProjectPathPermissions(user, accessor.destination)
-            checkUserPathPermissions(user, accessor.destination)
+            checkProjectPathPermissionsAuth(authentication, accessor.destination)
+            checkUserPathPermissionsAuth(authentication, accessor.destination)
           }
 
           return message
@@ -63,8 +64,8 @@ class WebSocketConfig(
     )
   }
 
-  fun checkProjectPathPermissions(
-    user: UserAccountDto?,
+  fun checkProjectPathPermissionsAuth(
+    authentication: TolgeeAuthentication?,
     destination: String?,
   ) {
     val projectId =
@@ -73,19 +74,30 @@ class WebSocketConfig(
           ?.getOrNull(1)?.toLong()
       } ?: return
 
-    if (user == null) {
+    if (authentication == null) {
       throw MessagingException("Unauthenticated")
     }
 
+    val creds = authentication.credentials
+    if (creds is ApiKeyDto) {
+      val matchesProject = creds.projectId == projectId
+      val hasScope = creds.scopes.contains(Scope.KEYS_VIEW)
+      if (!matchesProject || !hasScope) {
+        throw MessagingException("Forbidden")
+      }
+      return
+    }
+
+    val user = authentication.principal
     try {
       securityService.checkProjectPermissionNoApiKey(projectId = projectId, Scope.KEYS_VIEW, user)
     } catch (e: Exception) {
       throw MessagingException("Forbidden")
     }
   }
 
-  fun checkUserPathPermissions(
-    user: UserAccountDto?,
+  fun checkUserPathPermissionsAuth(
+    authentication: TolgeeAuthentication?,
     destination: String?,
   ) {
     val userId =
@@ -94,6 +106,17 @@ class WebSocketConfig(
           ?.getOrNull(1)?.toLong()
       } ?: return
 
+    if (authentication == null) {
+      throw MessagingException("Forbidden")
+    }
+
+    val creds = authentication.credentials
+    if (creds is ApiKeyDto) {
+      // API keys must not subscribe to user topics
+      throw MessagingException("Forbidden")
+    }
+
+    val user = (authentication as? TolgeeAuthentication)?.principal
     if (user?.id != userId) {
       throw MessagingException("Forbidden")
     }

backend/api/src/main/kotlin/io/tolgee/websocket/WebsocketAuthenticationResolver.kt

@@ -0,0 +1,104 @@
+package io.tolgee.websocket
+
+import io.tolgee.constants.Message
+import io.tolgee.dtos.cacheable.UserAccountDto
+import io.tolgee.exceptions.AuthenticationException
+import io.tolgee.security.PAT_PREFIX
+import io.tolgee.security.authentication.JwtService
+import io.tolgee.security.authentication.TolgeeAuthentication
+import io.tolgee.security.authentication.TolgeeAuthenticationDetails
+import io.tolgee.service.security.ApiKeyService
+import io.tolgee.service.security.PatService
+import io.tolgee.service.security.UserAccountService
+import org.springframework.context.annotation.Lazy
+import org.springframework.stereotype.Component
+
+@Component
+class WebsocketAuthenticationResolver(
+  @Lazy private val jwtService: JwtService,
+  @Lazy private val apiKeyService: ApiKeyService,
+  @Lazy private val patService: PatService,
+  @Lazy private val userAccountService: UserAccountService,
+) {
+  /**
+   * Resolves STOMP CONNECT headers into TolgeeAuthentication.
+   * Supports:
+   * - Authorization: Bearer <jwt>
+   * - X-API-Key: tgpat_<token> (PAT) or tgpak_<...> (PAK, incl. legacy/raw)
+   * - jwtToken: <jwt> (legacy header)
+   */
+  fun resolve(
+    authorizationHeader: String?,
+    xApiKeyHeader: String?,
+    legacyJwtHeader: String?,
+  ): TolgeeAuthentication? {
+    // Authorization: Bearer <jwt>
+    val bearer = extractBearer(authorizationHeader)
+    if (bearer != null) {
+      return runCatching { jwtService.validateToken(bearer) }.getOrNull()
+    }
+
+    // X-API-Key: PAT / PAK
+    val xApiKey = xApiKeyHeader
+    if (!xApiKey.isNullOrBlank()) {
+      return when {
+        xApiKey.startsWith(PAT_PREFIX) -> runCatching { patAuth(xApiKey) }.getOrNull()
+        else -> runCatching { pakAuth(xApiKey) }.getOrNull()
+      }
+    }
+
+    // Legacy jwtToken header
+    if (!legacyJwtHeader.isNullOrBlank()) {
+      return runCatching { jwtService.validateToken(legacyJwtHeader) }.getOrNull()
+    }
+
+    return null
+  }
+
+  private fun extractBearer(value: String?): String? {
+    if (value == null) return null
+    val prefix = "Bearer "
+    return if (value.startsWith(prefix, ignoreCase = true)) value.substring(prefix.length).trim() else null
+  }
+
+  private fun pakAuth(key: String): TolgeeAuthentication {
+    val parsed = apiKeyService.parseApiKey(key) ?: throw AuthenticationException(Message.INVALID_PROJECT_API_KEY)
+    val hash = apiKeyService.hashKey(parsed)
+    val pak = apiKeyService.findDto(hash) ?: throw AuthenticationException(Message.INVALID_PROJECT_API_KEY)
+
+    if (pak.expiresAt?.before(java.util.Date()) == true) {
+      throw AuthenticationException(Message.PROJECT_API_KEY_EXPIRED)
+    }
+
+    val userAccount: UserAccountDto =
+      userAccountService.findDto(pak.userAccountId) ?: throw AuthenticationException(Message.USER_NOT_FOUND)
+
+    apiKeyService.updateLastUsedAsync(pak.id)
+
+    return TolgeeAuthentication(
+      pak,
+      userAccount,
+      TolgeeAuthenticationDetails(false),
+    )
+  }
+
+  private fun patAuth(key: String): TolgeeAuthentication {
+    val hash = patService.hashToken(key.substring(PAT_PREFIX.length))
+    val pat = patService.findDto(hash) ?: throw AuthenticationException(Message.INVALID_PAT)
+
+    if (pat.expiresAt?.before(java.util.Date()) == true) {
+      throw AuthenticationException(Message.PAT_EXPIRED)
+    }
+
+    val userAccount: UserAccountDto =
+      userAccountService.findDto(pat.userAccountId) ?: throw AuthenticationException(Message.USER_NOT_FOUND)
+
+    patService.updateLastUsedAsync(pat.id)
+
+    return TolgeeAuthentication(
+      pat,
+      userAccount,
+      TolgeeAuthenticationDetails(false),
+    )
+  }
+}

backend/app/src/test/kotlin/io/tolgee/batch/BatchJobTestUtil.kt

@@ -261,7 +261,7 @@ class BatchJobTestUtil(
     websocketHelper =
       WebsocketTestHelper(
         port,
-        jwtService.emitToken(testData.user.id),
+        WebsocketTestHelper.Auth(jwtToken = jwtService.emitToken(testData.user.id)),
         testData.projectBuilder.self.id,
         testData.user.id,
       )

backend/app/src/test/kotlin/io/tolgee/websocket/AbstractWebsocketTest.kt

@@ -45,14 +45,14 @@ abstract class AbstractWebsocketTest : ProjectAuthControllerTest("/v2/projects/"
     currentUserWebsocket =
       WebsocketTestHelper(
         port,
-        jwtService.emitToken(testData.user.id),
+        WebsocketTestHelper.Auth(jwtToken = jwtService.emitToken(testData.user.id)),
         testData.projectBuilder.self.id,
         testData.user.id,
       )
     anotherUserWebsocket =
       WebsocketTestHelper(
         port,
-        jwtService.emitToken(anotherUser.id),
+        WebsocketTestHelper.Auth(jwtToken = jwtService.emitToken(anotherUser.id)),
         testData.projectBuilder.self.id,
         anotherUser.id,
       )
@@ -239,12 +239,13 @@ abstract class AbstractWebsocketTest : ProjectAuthControllerTest("/v2/projects/"
     val spyingUserWebsocket =
       WebsocketTestHelper(
         port,
-        jwtService.emitToken(anotherUser.id),
+        WebsocketTestHelper.Auth(jwtToken = jwtService.emitToken(anotherUser.id)),
         testData.projectBuilder.self.id,
         // anotherUser trying to spy on other user's websocket
         testData.user.id,
       )
     spyingUserWebsocket.listenForNotificationsChanged()
+    spyingUserWebsocket.waitForForbidden()
     saveNotificationForCurrentUser()
 
     assertCurrentUserReceivedMessage()