From 4123e20062cbbfe670bcea182cb146f052076856 Mon Sep 17 00:00:00 2001
From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 26 May 2026 08:19:48 +0200
Subject: [PATCH] fix(tunnel): accept ?token= query param on /.tunnel for
 browser WS auth (#528)

---
 src/tunnel/index.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/tunnel/index.js b/src/tunnel/index.js
index 65a3c0d..73392c2 100644
--- a/src/tunnel/index.js
+++ b/src/tunnel/index.js
@@ -57,6 +57,14 @@ export async function tunnelPlugin(fastify, options = {}) {
   fastify.get(wsPath, { websocket: true }, async (connection, request) => {
     const socket = connection.socket;
 
+    // Browser WebSockets can't set an Authorization header, so accept the
+    // bearer token as a ?token= query param too — mirrors the /.webrtc
+    // endpoint. Lets browser-based tunnel clients authenticate. (#528)
+    const queryToken = request.query?.token;
+    if (queryToken && !request.headers.authorization) {
+      request.headers.authorization = `Bearer ${queryToken}`;
+    }
+
     // Authenticate
     const { webId } = await getWebIdFromRequestAsync(request);
     if (!webId) {