Pass CSRF token using Sec-WebSocket-Protocol header

iarenaza · iarenaza · commit 53983f9e3c48 · 2025-04-02T22:28:02.000+02:00
The proposed change tries to respect other values in the Sec-WebSocket-Protocol header, that the caller may have set in the `headers` option when calling `make-channel-socket-client!` [Re: #418]
diff --git a/src/taoensso/sente.cljc b/src/taoensso/sente.cljc
@@ -1316,7 +1316,8 @@
                   (enc/oget @?node-npm-websocket_ "w3cwebsocket"))]
 
        (delay
-         (let [socket (WebSocket. uri-str)]
+         (let [protocols (:sec-websocket-protocol headers)
+               socket (WebSocket. uri-str protocols)]
            (doto socket
              (aset "onerror"   on-error)
              (aset "onmessage" on-message) ; Nb receives both push & cb evs!
@@ -1569,13 +1570,19 @@
                           {:on-error   on-error
                            :on-message on-message
                            :on-close   on-close
-                           :headers    headers
+                           :headers    (update headers :sec-websocket-protocol
+                                               (fn [x]
+                                                 (let [csrf-token (str "sente-csrf-token-"
+                                                                     (get-client-csrf-token-str :dynamic
+                                                                       (:csrf-token @state_)))]
+                                                   (cond
+                                                     (string? x) [x csrf-token]
+                                                     (coll? x) (conj x csrf-token)
+                                                     :else csrf-token))))
                            :uri-str
                            (enc/merge-url-with-query-string url
                              (merge params ; 1st (don't clobber impl.):
-                               {:client-id  client-id
-                                :csrf-token (get-client-csrf-token-str :dynamic
-                                              (:csrf-token @state_))}))}))
+                               {:client-id client-id}))}))
 
                       (catch #?(:clj Throwable :cljs :default) t
                         (timbre/errorf t "Error creating WebSocket client")
