From cf9573c0ce0a7973d957e70e87e36df54aa50544 Mon Sep 17 00:00:00 2001
From: xintaofei
Date: Sat, 18 Apr 2026 20:18:58 +0800
Subject: [PATCH] fix(web-auth): url-decode token query param for websocket auth
---
 src-tauri/src/web/auth.rs | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src-tauri/src/web/auth.rs b/src-tauri/src/web/auth.rs
index ea07fc8..8999b8c 100644
--- a/src-tauri/src/web/auth.rs
+++ b/src-tauri/src/web/auth.rs
@@ -10,10 +10,21 @@ pub async fn require_token(
 next: Next,
 token: String,
 ) -> Response {
- // Allow WebSocket upgrade requests to authenticate via query param
+ // Allow WebSocket upgrade requests to authenticate via query param.
+ // The token value is URL-encoded by the client, so decode before comparing.
 if let Some(query) = request.uri().query() {
- if query.contains(&format!("token={}", token)) {
- return next.run(request).await;
+ for pair in query.split('&') {
+ let Some((key, value)) = pair.split_once('=') else {
+ continue;
+ };
+ if key != "token" {
+ continue;
+ }
+ if let Ok(decoded) = urlencoding::decode(value) {
+ if decoded == token {
+ return next.run(request).await;
+ }
+ }
 }
 }
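Review bot: The query-parameter branch at the top of `require_token` authenticates any request that carries a matching `token=`, although the comment limits it to WebSocket upgrades; nothing in the visible lines checks the `Upgrade` header before `next.run(request)`. A token in the URL tends to end up in access logs, proxy logs and browser history, so the loop is worth gating, for example with `let is_ws = request.headers().get("upgrade").is_some_and(|v| v.as_bytes().eq_ignore_ascii_case(b"websocket"));` and parsing the query only when `is_ws` is true. Separately, `decoded == token` is an ordinary string comparison that may stop at the first differing byte; a constant-time comparison is preferable for a bearer secret. An empty configured `token` should probably be rejected so that `?token=` can never match. The rest of the function body lies outside this hunk, so the non-query authentication path was not reviewed.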