query parameter token could be leaked

backend/sockets/socketAuth.js

@@ -8,7 +8,7 @@ const cookie = require("cookie");
  * Verifies JWT token and attaches user to socket
  * Tokens can be provided via:
  * 1. Cookie (accessToken) - preferred for browser clients
- * 2. Query parameter (token) - fallback for mobile/other clients
+ * 2. Auth object (auth.token) - for mobile/native clients
  */
 const authenticateSocket = async (socket, next) => {
   try {
@@ -20,16 +20,11 @@ const authenticateSocket = async (socket, next) => {
       token = cookies.accessToken;
     }
 
-    // Fallback to query parameter (mobile/other clients)
+    // Auth object for mobile/native clients
     if (!token && socket.handshake.auth?.token) {
       token = socket.handshake.auth.token;
     }
 
-    // Fallback to legacy query parameter
-    if (!token && socket.handshake.query?.token) {
-      token = socket.handshake.query.token;
-    }
-
     if (!token) {
       logger.warn("Socket connection rejected - no token provided", {
         socketId: socket.id,
@@ -69,7 +64,9 @@ const authenticateSocket = async (socket, next) => {
         userVersion: user.jwtVersion,
       });
       return next(
-        new Error("Session expired due to password change. Please log in again.")
+        new Error(
+          "Session expired due to password change. Please log in again."
+        )
       );
     }