From 62e0d6fbed16c2ffdb6908a997a8092952dd61ee Mon Sep 17 00:00:00 2001
From: ekko
Date: Wed, 15 Apr 2026 09:13:27 +0800
Subject: [PATCH] fix: pass auth token via query param for SSE EventSource EventSource API doesn't support custom headers, so pass token as ?token= query parameter. Server auth middleware now accepts token from both Authorization header and query param.
Co-Authored-By: Claude Opus 4.6
---
 server/src/services/auth.ts | 4 +++-
 src/api/chat.ts | 5 +++--
 src/api/client.ts | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/server/src/services/auth.ts b/server/src/services/auth.ts
index e850b3df..779b3f52 100644
--- a/server/src/services/auth.ts
+++ b/server/src/services/auth.ts
@@ -58,7 +58,9 @@ export async function authMiddleware(token: string | null) {
 }
 const auth = ctx.headers.authorization || ''
- const provided = auth.startsWith('Bearer ') ? auth.slice(7) : ''
+ const provided = auth.startsWith('Bearer ')
+ ? auth.slice(7)
+ : (ctx.query.token as string) || ''
 if (!provided || provided !== token) {
 ctx.status = 401
diff --git a/src/api/chat.ts b/src/api/chat.ts
index b19660da..c464533b 100644
--- a/src/api/chat.ts
+++ b/src/api/chat.ts
@@ -1,4 +1,4 @@
-import { request, getBaseUrlValue } from './client'
+import { request, getBaseUrlValue, getApiKey } from './client'
 export interface ChatMessage {
 role: 'user' | 'assistant' | 'system'
@@ -44,7 +44,8 @@ export function streamRunEvents(
 onError: (err: Error) => void,
 ) {
 const baseUrl = getBaseUrlValue()
- const url = `${baseUrl}/v1/runs/${runId}/events`
+ const token = getApiKey()
+ const url = `${baseUrl}/v1/runs/${runId}/events${token ? `?token=${encodeURIComponent(token)}` : ''}`
 let closed = false
 const source = new EventSource(url)
diff --git a/src/api/client.ts b/src/api/client.ts
index 5e2dcad9..f56e5691 100644
--- a/src/api/client.ts
+++ b/src/api/client.ts
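Review bot: Accepting the credential from `ctx.query.token` in `authMiddleware` (server/src/services/auth.ts) moves the long-lived key the client stores under `hermes_api_key` into request URLs, which access logs, reverse proxies and browser history commonly record; the `streamRunEvents` hunk in src/api/chat.ts is the sending half of the same issue. As written the fallback is not scoped, so every route behind this middleware would presumably accept a URL token, not only the SSE endpoint. I would restrict the query fallback to the GET events route and have the client exchange the key, over a normal `Authorization` request, for a short-lived ticket bound to one run, or read the stream with `fetch` so the header can still be sent; until then, log pipelines should redact the `token` parameter. The `as string` cast also hides that a repeated `?token=` may arrive as an array; it fails closed against `!==`, but `const q = ctx.query.token` followed by `typeof q === 'string' ? q : ''` states the intent. The middleware body starts and ends outside the hunk.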
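Review bot: The new `url` line in `streamRunEvents` (src/api/chat.ts, second hunk) nests one template literal inside another and still interpolates `runId` unencoded, which makes the single line that handles the secret harder to audit. Splitting it reads better: `const query = token ? '?token=' + encodeURIComponent(token) : ''`, then append `query` to the existing template and wrap the id as `encodeURIComponent(runId)`. A comment above it such as `// EventSource cannot set headers, so the key travels in the URL; never log or surface this url` would document the constraint. The function continues outside the hunk, so whether `url` can reach `onError` messages is not visible here and is worth checking.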
@@ -6,7 +6,7 @@ function getBaseUrl(): string {
 return localStorage.getItem('hermes_server_url') || DEFAULT_BASE_URL
 }
-function getApiKey(): string {
+export function getApiKey(): string {
 return localStorage.getItem('hermes_api_key') || ''
 }
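Review bot: Exporting `getApiKey` in src/api/client.ts makes the raw key importable from any module, and the function carries no doc comment telling callers how to treat the value. I would add `/** Returns the stored API key ('' when unset). Secret: do not log it or persist it elsewhere. */` above the declaration. A narrower alternative is to keep the accessor private and export a small helper from client.ts that attaches the credential to a stream URL, so key handling stays in one file.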