Switch to using header based auth bearer token (#770)

davidliu · web-flow · commit 636750b0bc06 · 2025-10-07T16:13:45.000+09:00
* Switch to using header based auth bearer token

* spotless

* Fix tests
diff --git a/.changeset/nervous-rings-suffer.md b/.changeset/nervous-rings-suffer.md
@@ -0,0 +1,5 @@
+---
+"client-sdk-android": patch
+---
+
+Switch to using header based auth bearer token
diff --git a/livekit-android-sdk/src/main/java/io/livekit/android/room/SignalClient.kt b/livekit-android-sdk/src/main/java/io/livekit/android/room/SignalClient.kt
@@ -163,7 +163,7 @@ constructor(
         // Clean up any pre-existing connection.
         close(reason = "Starting new connection", shouldClearQueuedRequests = false)
 
-        val wsUrlString = "${url.toWebsocketUrl()}/rtc" + createConnectionParams(token, getClientInfo(), options, roomOptions)
+        val wsUrlString = "${url.toWebsocketUrl()}/rtc" + createConnectionParams(getClientInfo(), options, roomOptions)
         isReconnecting = options.reconnect
 
         LKLog.i { "connecting to $wsUrlString" }
@@ -175,6 +175,7 @@ constructor(
 
         val request = Request.Builder()
             .url(wsUrlString)
+            .addHeader("Authorization", "Bearer $token")
             .build()
 
         return suspendCancellableCoroutine {
@@ -185,13 +186,11 @@ constructor(
     }
 
     private fun createConnectionParams(
-        token: String,
         clientInfo: LivekitModels.ClientInfo,
         options: ConnectOptions,
         roomOptions: RoomOptions,
     ): String {
         val queryParams = mutableListOf<Pair<String, String>>()
-        queryParams.add(CONNECT_QUERY_TOKEN to token)
         queryParams.add(CONNECT_QUERY_PROTOCOL to options.protocolVersion.value.toString())
 
         if (options.reconnect) {
@@ -308,9 +307,18 @@ constructor(
         }
         var reason: String? = null
         try {
+            val lastToken = webSocket.request().header("Authorization")
             lastUrl?.let {
                 val validationUrl = it.toHttpUrl().replaceFirst("/rtc?", "/rtc/validate?")
-                val request = Request.Builder().url(validationUrl).build()
+                val request = Request.Builder()
+                    .url(validationUrl)
+                    .apply {
+                        if (lastToken != null) {
+                            addHeader("Authorization", lastToken)
+                        }
+                    }
+                    .build()
+
                 val resp = okHttpClient.newCall(request).execute()
                 val body = resp.body
                 if (!resp.isSuccessful) {
diff --git a/livekit-android-test/src/main/java/io/livekit/android/test/MockE2ETest.kt b/livekit-android-test/src/main/java/io/livekit/android/test/MockE2ETest.kt
@@ -78,7 +78,7 @@ abstract class MockE2ETest : BaseTest() {
         val job = coroutineRule.scope.launch {
             room.connect(
                 url = TestData.EXAMPLE_URL,
-                token = "",
+                token = "token",
             )
         }
         wsFactory.listener.onOpen(wsFactory.ws, createOpenResponse(wsFactory.request))
diff --git a/livekit-android-test/src/test/java/io/livekit/android/room/RTCEngineMockE2ETest.kt b/livekit-android-test/src/test/java/io/livekit/android/room/RTCEngineMockE2ETest.kt
@@ -127,12 +127,16 @@ class RTCEngineMockE2ETest : MockE2ETest() {
     fun refreshToken() = runTest {
         connect()
 
-        val oldToken = wsFactory.request.url.queryParameter(SignalClient.CONNECT_QUERY_TOKEN)
+        val oldToken = wsFactory.request.header("Authorization")
+            ?.split(" ")
+            ?.get(1)
         wsFactory.listener.onMessage(wsFactory.ws, TestData.REFRESH_TOKEN.toOkioByteString())
         wsFactory.listener.onFailure(wsFactory.ws, Exception(), null)
 
         testScheduler.advanceUntilIdle()
-        val newToken = wsFactory.request.url.queryParameter(SignalClient.CONNECT_QUERY_TOKEN)
+        val newToken = wsFactory.request.header("Authorization")
+            ?.split(" ")
+            ?.get(1)
         Assert.assertNotEquals(oldToken, newToken)
         assertEquals(TestData.REFRESH_TOKEN.refreshToken, newToken)
     }
diff --git a/livekit-android-test/src/test/java/io/livekit/android/room/SignalClientTest.kt b/livekit-android-test/src/test/java/io/livekit/android/room/SignalClientTest.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2023-2024 LiveKit, Inc.
+ * Copyright 2023-2025 LiveKit, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -94,6 +94,21 @@ class SignalClientTest : BaseTest() {
         client.onMessage(wsFactory.ws, JOIN.toOkioByteString())
     }
 
+    @Test
+    fun usesAuthToken() = runTest {
+        val token = "this-is-an-auth-token"
+        val job = async {
+            client.join(EXAMPLE_URL, token)
+        }
+
+        connectWebsocketAndJoin()
+        job.await()
+        val ws = wsFactory.ws
+
+        assertEquals("Bearer $token", ws.request().header("Authorization"))
+        assertFalse(ws.request().url.query?.contains(token) ?: true)
+    }
+
     @Test
     fun joinAndResponse() = runTest {
         val job = async {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"client-sdk-android": patch
 +---
++
 +Switch to using header based auth bearer token
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ abstract class MockE2ETest : BaseTest() {`
`78`	`78`	`val job = coroutineRule.scope.launch {`
`79`	`79`	`room.connect(`
`80`	`80`	`url = TestData.EXAMPLE_URL,`
`81`		`- token = "",`
	`81`	`+ token = "token",`
`82`	`82`	`)`
`83`	`83`	`}`
`84`	`84`	`wsFactory.listener.onOpen(wsFactory.ws, createOpenResponse(wsFactory.request))`