fix(sse): Fix critical SSE auth and URL issues

1. Fix SSE URL mismatch (CRITICAL): - Frontend was connecting to /events instead of /events/stream - Updated useProjectEvents.ts to use correct endpoint path 2. Fix SSE token authentication (CRITICAL): - EventSource API doesn't support custom headers - Added get_current_user_sse dependency that accepts tokens from: - Authorization header (preferred, for non-EventSource clients) - Query parameter 'token' (fallback for browser EventSource) - Updated SSE endpoint to use new auth dependency - Both auth methods now work correctly Files changed: - backend/app/api/dependencies/auth.py: +80 lines (new SSE auth) - backend/app/api/routes/events.py: +23 lines (query param support) - frontend/src/lib/hooks/useProjectEvents.ts: +5 lines (URL fix) All 20 backend SSE tests pass. All 17 frontend useProjectEvents tests pass. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-31 11:59:33 +01:00
parent 3d6fa6b791
commit 15d747eb28
3 changed files with 101 additions and 7 deletions
--- a/backend/app/api/routes/events.py
+++ b/backend/app/api/routes/events.py
@@ -20,12 +20,12 @@ import logging
 from typing import TYPE_CHECKING
 from uuid import UUID

-from fastapi import APIRouter, Depends, Header, Request
+from fastapi import APIRouter, Depends, Header, Query, Request
 from slowapi import Limiter
 from slowapi.util import get_remote_address
 from sse_starlette.sse import EventSourceResponse

-from app.api.dependencies.auth import get_current_user
+from app.api.dependencies.auth import get_current_user, get_current_user_sse
 from app.api.dependencies.event_bus import get_event_bus
 from app.core.database import get_db
 from app.core.exceptions import AuthorizationError
@@ -150,9 +150,16 @@ async def event_generator(
    description="""
    Stream real-time events for a project via Server-Sent Events (SSE).

-    **Authentication**: Required (Bearer token)
+    **Authentication**: Required (Bearer token OR query parameter)
    **Authorization**: Must have access to the project

+    **Authentication Methods**:
+    - Bearer token in Authorization header (preferred)
+    - Query parameter `token` (for EventSource compatibility)
+
+    Note: EventSource API doesn't support custom headers, so the query parameter
+    option is provided for browser-based SSE clients.
+
    **SSE Event Format**:
    ```
    event: agent.status_changed
@@ -190,9 +197,10 @@ async def event_generator(
 async def stream_project_events(
    request: Request,
    project_id: UUID,
-    current_user: User = Depends(get_current_user),
-    event_bus: EventBus = Depends(get_event_bus),
    db: "AsyncSession" = Depends(get_db),
+    event_bus: EventBus = Depends(get_event_bus),
+    token: str | None = Query(None, description="Auth token (for EventSource compatibility)"),
+    authorization: str | None = Header(None, alias="Authorization"),
    last_event_id: str | None = Header(None, alias="Last-Event-ID"),
 ):
    """
@@ -207,6 +215,11 @@ async def stream_project_events(

    The connection is automatically cleaned up when the client disconnects.
    """
+    # Authenticate user (supports both header and query param tokens)
+    current_user = await get_current_user_sse(
+        db=db, authorization=authorization, token=token
+    )
+
    logger.info(
        f"SSE connection request for project {project_id} "
        f"by user {current_user.id} "