[PR #162] [CLOSED] fix(sse): replace EventSource with fetch-event-source for secure auth headers #3048

Closed
opened 2026-06-15 05:26:27 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/reconurge/flowsint/pull/162
Author: @RithvikReddy0-0
Created: 6/3/2026
Status: Closed

Base: mainHead: fix/sse-auth-header


📝 Commits (1)

  • 9718ad1 fix(sse): replace EventSource with fetch-event-source for secure auth headers

📊 Changes

4 files changed (+105 additions, -92 deletions)

View changed files

📝 flowsint-api/app/api/deps.py (+8 -10)
📝 flowsint-app/package.json (+1 -0)
📝 flowsint-app/src/hooks/use-events.ts (+42 -40)
📝 flowsint-app/src/hooks/use-graph-refresh.ts (+54 -42)

📄 Description

Fixes #145 (in the upstream repo: reconurge/flowsint#145)

Problem

The native EventSource API doesn't support custom headers, so the auth
token was being passed as a URL query parameter (?token=...). This exposes
the token in server logs, browser history, and HTTP referrer headers.

Solution

  • Replaced new EventSource() with fetchEventSource() from
    @microsoft/fetch-event-source in use-events.ts and use-graph-refresh.ts
  • Token is now sent as Authorization: Bearer <token> header
  • Removed the query param fallback from get_current_user_sse in deps.py

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/reconurge/flowsint/pull/162 **Author:** [@RithvikReddy0-0](https://github.com/RithvikReddy0-0) **Created:** 6/3/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/sse-auth-header` --- ### 📝 Commits (1) - [`9718ad1`](https://github.com/reconurge/flowsint/commit/9718ad17d14f8ba94edef12251ab35d82814f897) fix(sse): replace EventSource with fetch-event-source for secure auth headers ### 📊 Changes **4 files changed** (+105 additions, -92 deletions) <details> <summary>View changed files</summary> 📝 `flowsint-api/app/api/deps.py` (+8 -10) 📝 `flowsint-app/package.json` (+1 -0) 📝 `flowsint-app/src/hooks/use-events.ts` (+42 -40) 📝 `flowsint-app/src/hooks/use-graph-refresh.ts` (+54 -42) </details> ### 📄 Description Fixes #145 (in the upstream repo: reconurge/flowsint#145) ## Problem The native EventSource API doesn't support custom headers, so the auth token was being passed as a URL query parameter (?token=...). This exposes the token in server logs, browser history, and HTTP referrer headers. ## Solution - Replaced `new EventSource()` with `fetchEventSource()` from `@microsoft/fetch-event-source` in `use-events.ts` and `use-graph-refresh.ts` - Token is now sent as `Authorization: Bearer <token>` header - Removed the query param fallback from `get_current_user_sse` in `deps.py` --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-15 05:26:27 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/flowsint#3048