Fix Bus.unsubscribe splice(-1) bug and add auth validation to copilot-stream endpoint

Fixes two security issues: 1. CLI Bus.unsubscribe (issue #492): Fix splice(-1,1) bug when indexOf returns -1. - When unsubscribe is called twice, splice(-1,1) removes the last element instead of doing nothing. - Guard with indexOf check before splicing. 2. Copilot stream auth validation (issue #493/#494): Return 401 when Bearer token is missing. - Extract and validate apiKey before passing to controller. - Prevents undefined apiKey from bypassing auth checks.
2026-04-25 00:16:29 +02:00 · 2026-04-17 06:06:40 +08:00 · 2026-04-17 06:06:40 +08:00 · e0ca073f82
commit e0ca073f82
parent 2133d7226f
3 changed files with 14 additions and 3 deletions
--- a/apps/cli/src/application/lib/bus.ts
+++ b/apps/cli/src/application/lib/bus.ts
@ -29,7 +29,8 @@ export class InMemoryBus implements IBus {
        }
        this.subscribers.get(runId)!.push(handler);
        return () => {
-            this.subscribers.get(runId)!.splice(this.subscribers.get(runId)!.indexOf(handler), 1);
+            const idx = this.subscribers.get(runId)!.indexOf(handler);
+            if (idx !== -1) this.subscribers.get(runId)!.splice(idx, 1);
        };
    }
 }
--- a/apps/rowboat/app/api/copilot-stream-response/[streamId]/route.ts
+++ b/apps/rowboat/app/api/copilot-stream-response/[streamId]/route.ts
@ -10,6 +10,15 @@ export async function GET(request: Request, props: { params: Promise<{ streamId:
  // get user data
  const user = await requireAuth();

+  // Validate auth token
+  const apiKey = request.headers.get("Authorization")?.split(" ")[1];
+  if (!apiKey) {
+    return new Response(JSON.stringify({ error: "Missing or invalid Authorization header" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
  const runCopilotCachedTurnController = container.resolve<IRunCopilotCachedTurnController>("runCopilotCachedTurnController");

  const encoder = new TextEncoder();
@ -21,7 +30,7 @@ export async function GET(request: Request, props: { params: Promise<{ streamId:
        for await (const event of runCopilotCachedTurnController.execute({
          caller: "user",
          userId: user.id,
-          apiKey: request.headers.get("Authorization")?.split(" ")[1],
+          apiKey,
          key: params.streamId,
        })) {
          // Check if this is a content event
--- a/apps/x/packages/core/src/application/lib/bus.ts
+++ b/apps/x/packages/core/src/application/lib/bus.ts
@ -29,7 +29,8 @@ export class InMemoryBus implements IBus {
        }
        this.subscribers.get(runId)!.push(handler);
        return () => {
-            this.subscribers.get(runId)!.splice(this.subscribers.get(runId)!.indexOf(handler), 1);
+            const idx = this.subscribers.get(runId)!.indexOf(handler);
+            if (idx !== -1) this.subscribers.get(runId)!.splice(idx, 1);
        };
    }
 }