From 84e0caa1d3b047d33d169315f44b56031e2d96f6 Mon Sep 17 00:00:00 2001
From: Marc <marc@chillygeek.com>
Date: Sun, 12 Apr 2026 05:25:20 -0600
Subject: [PATCH] fix: embed token in HTML for WebSocket auth

The WebSocket connection at /ws was not including the token parameter,
relying solely on the session cookie from the initial redirect. When
scanning the QR code on a phone, the token (longest part of URL) was
being truncated, so no cookie was ever set and all requests got 403.

Fix: embed the token directly into the page as a JS variable, and
append it to the WebSocket connection URL as a fallback. Now both
the HTTP page and the WebSocket upgrade work even if the cookie
isn't available.
---
 extensions/pi-remote-control/html.ts   | 9 +++++++--
 extensions/pi-remote-control/server.ts | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/extensions/pi-remote-control/html.ts b/extensions/pi-remote-control/html.ts
index 4e624c5..d06280f 100644
--- a/extensions/pi-remote-control/html.ts
+++ b/extensions/pi-remote-control/html.ts
@@ -5,7 +5,7 @@
  * Everything is self-contained — no external dependencies.
  */
 
-export function buildHTML(nonce: string): string {
+export function buildHTML(nonce: string, token?: string): string {
 return /* html */ `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -398,6 +398,7 @@ return /* html */ `<!DOCTYPE html>
   </div>
 </div>
 <script nonce="${nonce}">
+(function(){var _rcToken="${token || ''}";})();
 (function () {
   "use strict";
 
@@ -605,7 +606,11 @@ return /* html */ `<!DOCTYPE html>
   var ws, timer;
   function connect() {
     var wsProtocol = location.protocol === "https:" ? "wss:" : "ws:";
-    ws = new WebSocket(wsProtocol + "//" + location.host + "/ws");
+    var wsUrl = wsProtocol + "//" + location.host + "/ws";
+    if (typeof _rcToken !== "undefined" && _rcToken) {
+      wsUrl += "?token=" + encodeURIComponent(_rcToken);
+    }
+    ws = new WebSocket(wsUrl);
 
     ws.onopen = function () {
       clearTimeout(timer);
diff --git a/extensions/pi-remote-control/server.ts b/extensions/pi-remote-control/server.ts
index 9d5e058..506fe5f 100644
--- a/extensions/pi-remote-control/server.ts
+++ b/extensions/pi-remote-control/server.ts
@@ -126,7 +126,7 @@ export function startServer(pi: ExtensionAPI, ctx: ExtensionContext): Promise<Re
 				"Content-Security-Policy":
 					`default-src 'none'; script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'; connect-src 'self'; base-uri 'none'`,
 			});
-			res.end(buildHTML(nonce));
+			res.end(buildHTML(nonce, token));
 		} else {
 			res.writeHead(404, { "Content-Type": "text/plain; charset=utf-8" });
 			res.end("Not found");
@@ -350,7 +350,7 @@ export function startServerTailscale(pi: ExtensionAPI, ctx: ExtensionContext): P
 				"Content-Security-Policy":
 					`default-src 'none'; script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'; connect-src 'self'; base-uri 'none'`,
 			});
-			res.end(buildHTML(nonce));
+			res.end(buildHTML(nonce, token));
 		} else {
 			res.writeHead(404, { "Content-Type": "text/plain; charset=utf-8" });
 			res.end("Not found");