Merged
2 changes: 1 addition & 1 deletion vocata-web/.env.production
@@ -1,5 +1,5 @@
# 生产环境配置
# 注意:VITE_APP_URL 将在CI/CD构建时动态替换
VITE_APP_URL=http://{{PRODUCTION_HOST}}:9009
VITE_APP_URL=https://{{PRODUCTION_HOST}}
Copilot AI Apr 11, 2026

This change removes the explicit :9009 port from VITE_APP_URL. If production traffic still reaches the backend on a non-default port (or if TLS termination isn’t providing HTTPS on 443), API and WebSocket connections built from this value will break.

If the port is still required in some environments, keep it in the template (or introduce a dedicated port env var) so CI/CD substitution remains unambiguous.

Suggested change
VITE_APP_URL=https://{{PRODUCTION_HOST}}
VITE_APP_URL=https://{{PRODUCTION_HOST}}:9009

VUE_APP_TITLE=VocaTa
VITE_APP_ENV=production
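Review bot: the new VITE_APP_URL line still relies on CI/CD replacing {{PRODUCTION_HOST}}, and nothing visible here fails the build when that substitution is skipped, so the client would build its API and WebSocket URLs against the literal placeholder. Suggest a build step that rejects any remaining "{{" in the resolved value and also checks that it carries no trailing slash or path, since aiChat.ts appends /ws/chat/... directly to it.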
2 changes: 1 addition & 1 deletion vocata-web/.env.test
@@ -1,5 +1,5 @@
# 测试环境配置
# 注意:VITE_APP_URL 将在CI/CD构建时动态替换
VITE_APP_URL=http://{{STAGING_HOST}}:9009
VITE_APP_URL=https://{{STAGING_HOST}}
Copilot AI Apr 11, 2026

This change removes the explicit :9009 port from VITE_APP_URL. If staging traffic still reaches the backend on a non-default port (or if TLS termination isn’t providing HTTPS on 443), API and WebSocket connections built from this value will break.

If the port is still required in some environments, keep it in the template (or introduce a dedicated port env var) so CI/CD substitution remains unambiguous.

Suggested change
VITE_APP_URL=https://{{STAGING_HOST}}
VITE_APP_URL=https://{{STAGING_HOST}}:9009

VUE_APP_TITLE=VocaTa - 测试环境
VITE_APP_ENV=test
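Review bot: VUE_APP_TITLE, on the context line under the changed URL, keeps the Vue CLI prefix while every other variable in this file uses VITE_. Vite exposes only variables matching envPrefix (VITE_ by default) on import.meta.env, so unless envPrefix is overridden this title is not available to client code; consider renaming it to VITE_APP_TITLE here and in .env.production.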
6 changes: 5 additions & 1 deletion vocata-web/src/utils/aiChat.ts
@@ -105,7 +105,11 @@ export class VocaTaWebSocketClient {
return
}

const wsUrl = `ws://${import.meta.env.VITE_APP_URL.replace('http://', '')}/ws/chat/${this.conversationUuid}?token=${encodeURIComponent(token)}`
const appUrl = import.meta.env.VITE_APP_URL || window.location.origin
const isSecure = appUrl.startsWith('https')
const wsProtocol = isSecure ? 'wss' : 'ws'
const host = appUrl.replace(/^https?:\/\//, '')
Comment on lines +108 to +111
Copilot AI Apr 11, 2026

isSecure is derived from VITE_APP_URL, but the PR description says WS protocol should be auto-detected from the current page URL. In practice VITE_APP_URL is typically always set via .env.*, so this won’t switch to wss when the page is served over HTTPS but the env is misconfigured.

Consider deriving the protocol from window.location.protocol (fallback to env only when window is unavailable) and build the host via new URL(appUrl) (or similar) to avoid edge cases like trailing slashes or accidental paths producing wss://example.com//ws/... or wss://example.com/foo/ws/....

Suggested change
const appUrl = import.meta.env.VITE_APP_URL || window.location.origin
const isSecure = appUrl.startsWith('https')
const wsProtocol = isSecure ? 'wss' : 'ws'
const host = appUrl.replace(/^https?:\/\//, '')
const hasWindow = typeof window !== 'undefined'
const appUrl = hasWindow ? window.location.origin : import.meta.env.VITE_APP_URL
const baseUrl = new URL(appUrl)
const isSecure = hasWindow ? window.location.protocol === 'https:' : baseUrl.protocol === 'https:'
const wsProtocol = isSecure ? 'wss' : 'ws'
const host = baseUrl.host

const wsUrl = `${wsProtocol}://${host}/ws/chat/${this.conversationUuid}?token=${encodeURIComponent(token)}`
console.log('🔌 尝试连接WebSocket:', wsUrl)
console.log('🔐 使用Token:', token.substring(0, 20) + '...')
Comment on lines 113 to 114
Copilot AI Apr 11, 2026

This logs part of the bearer token to the browser console. Even partial tokens can be sensitive when users share logs/screenshots or when console output is captured by monitoring tooling.

Recommend removing token logging or guarding it behind a strict development-only check (e.g., import.meta.env.DEV).

Suggested change
console.log('🔌 尝试连接WebSocket:', wsUrl)
console.log('🔐 使用Token:', token.substring(0, 20) + '...')
console.log('🔌 尝试连接WebSocket:', `${wsProtocol}://${host}/ws/chat/${this.conversationUuid}`)


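Review bot: the first console.log in this hunk prints wsUrl, which ends in ?token=..., so the complete token reaches the console, not only the 20-character prefix logged on the following line. Log the URL without its query string, for example `${wsProtocol}://${host}/ws/chat/${this.conversationUuid}`. Separately, appUrl.startsWith('https') is a string prefix test, so any value that does not begin with https, including one written without a scheme, silently selects ws://; compare the parsed scheme instead and treat anything other than http: or https: as a configuration error.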