From 1b6f7826488195b4c730f10555b33e750a73ad47 Mon Sep 17 00:00:00 2001
From: jackiettran <41605212+jackiettran@users.noreply.github.com>
Date: Thu, 15 Jan 2026 16:26:53 -0500
Subject: [PATCH] query parameter token could be leaked

---
 backend/sockets/socketAuth.js | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/backend/sockets/socketAuth.js b/backend/sockets/socketAuth.js
index fcdee88..a97a03a 100644
--- a/backend/sockets/socketAuth.js
+++ b/backend/sockets/socketAuth.js
@@ -8,7 +8,7 @@ const cookie = require("cookie");
  * Verifies JWT token and attaches user to socket
  * Tokens can be provided via:
  * 1. Cookie (accessToken) - preferred for browser clients
- * 2. Query parameter (token) - fallback for mobile/other clients
+ * 2. Auth object (auth.token) - for mobile/native clients
  */
 const authenticateSocket = async (socket, next) => {
   try {
@@ -20,16 +20,11 @@ const authenticateSocket = async (socket, next) => {
       token = cookies.accessToken;
     }
 
-    // Fallback to query parameter (mobile/other clients)
+    // Auth object for mobile/native clients
     if (!token && socket.handshake.auth?.token) {
       token = socket.handshake.auth.token;
     }
 
-    // Fallback to legacy query parameter
-    if (!token && socket.handshake.query?.token) {
-      token = socket.handshake.query.token;
-    }
-
     if (!token) {
       logger.warn("Socket connection rejected - no token provided", {
         socketId: socket.id,
@@ -69,7 +64,9 @@ const authenticateSocket = async (socket, next) => {
         userVersion: user.jwtVersion,
       });
       return next(
-        new Error("Session expired due to password change. Please log in again.")
+        new Error(
+          "Session expired due to password change. Please log in again."
+        )
       );
     }
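Review bot: In the second hunk, a legacy client that still sends the token only in the query string now falls through to the `if (!token)` branch and is logged as "no token provided", so the rejection reason is misleading and operators have no way to see whether anything still uses the path this commit removes. A dedicated warning that records only the presence of a query token — never its value, since the leak risk being fixed is the token ending up in logs and access records — would make the cut-over observable: `if (!token && socket.handshake.query?.token) {` / `logger.warn("Socket connection rejected - query parameter token is no longer accepted", { socketId: socket.id });` / `}` placed just before the `if (!token)` check. `socket.handshake.auth` is client-supplied, so the `token` read from it need not be a string; if the verification further down does not check that, a `typeof token !== "string"` guard on the `if (!token)` line is cheap. The JSDoc in the first hunk could also state that query-string tokens are rejected rather than merely omitting them. The body of `authenticateSocket` continues outside the hunk.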