From f74240e1365196e050b2b29305a102d9d3f1be83 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sun, 12 Apr 2026 06:17:30 +0700
Subject: [PATCH] fix(security)(components): authentication token sent in websocket query strin

The shell WebSocket URL appends the auth token as a `?token=` query parameter. Query-string tokens are prone to leakage via logs, monitoring tools, reverse proxies, browser history, and diagnostics. This increases risk of token exposure and session hijacking.

Affected files: socket.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 src/components/shell/utils/socket.ts | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/components/shell/utils/socket.ts b/src/components/shell/utils/socket.ts
index 6cb18d626..b220e9c41 100644
--- a/src/components/shell/utils/socket.ts
+++ b/src/components/shell/utils/socket.ts
@@ -8,13 +8,7 @@ export function getShellWebSocketUrl(): string | null {
     return `${protocol}//${window.location.host}/shell`;
   }
 
-  const token = localStorage.getItem('auth-token');
-  if (!token) {
-    console.error('No authentication token found for Shell WebSocket connection');
-    return null;
-  }
-
-  return `${protocol}//${window.location.host}/shell?token=${encodeURIComponent(token)}`;
+  return `${protocol}//${window.location.host}/shell`;
 }
 
 export function parseShellMessage(payload: string): ShellIncomingMessage | null {
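Review bot: The added `return` drops the token from the `/shell` URL but substitutes no other credential, and a browser `WebSocket` cannot set an `Authorization` header, so unless the server side of this change moved the `/shell` upgrade to cookie/session authentication or to a post-connect auth message, the handshake is now either unauthenticated or rejected; the opening lines of `getShellWebSocketUrl` (including whatever branch produced the earlier bare `/shell` return at the top of the hunk) sit outside this hunk, so I cannot confirm which from here. If it moved to cookie auth, the handler must verify the `Origin` header on the upgrade, because browsers attach cookies to cross-origin WebSocket handshakes (cross-site WebSocket hijacking). A pattern that keeps the token out of logs without relying on cookies is to send it as the first frame after `onopen`, or to exchange it over HTTPS for a short-lived single-use ticket and pass only that ticket. Either way, a comment on the new return line such as `// Auth deliberately not in the URL (log/proxy/history leakage); the server authenticates the upgrade via <cookie|first frame> — keep in sync with the /shell handler` would stop the next reader from re-adding `?token=`.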