Skip to content
This repository was archived by the owner on Oct 22, 2025. It is now read-only.

feat(core): support routing via query params #1418

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat(core): support routing via query params #1418

wants to merge 1 commit into from

Conversation

NathanFlurry
Copy link
Member

No description provided.

@vercel
Copy link

vercel bot commented Oct 22, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
rivetkit-next-js-max Ready Ready Preview Comment Oct 22, 2025 4:26am
rivetkit-serverless Ready Ready Preview Comment Oct 22, 2025 4:26am

@NathanFlurry Graphite App
Copy link
Member Author

NathanFlurry commented Oct 22, 2025
edited
Loading

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge queue - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@NathanFlurry NathanFlurry mentioned this pull request Oct 22, 2025
Draft
@claude
Copy link

claude bot commented Oct 22, 2025

PR Review: Support routing via query params

Critical Security Concern 🔴

This PR introduces a serious security vulnerability by allowing sensitive tokens to be passed via query parameters, which directly contradicts an existing security comment in the codebase.

In packages/rivetkit/src/common/actor-router-consts.ts:12:

// IMPORTANT: Params must be in headers or in an E2EE part of the request (i.e. NOT the URL or query string) 
// in order to ensure that tokens can be securely passed in params.

The Problem

The PR adds fallback support for these parameters via query strings:

  • x_rivet_conn_params (line 118)
  • x_rivet_conn_token (line 120)

Why this is dangerous:

  1. Query parameters are logged - They appear in server logs, proxy logs, browser history, and analytics
  2. Query parameters are not encrypted - Even with HTTPS, they can leak through Referer headers
  3. Query parameters are shareable - URLs with tokens can be accidentally shared or bookmarked
  4. Violates existing security policy - The codebase explicitly warns against this pattern

Recommended Fix

Option 1: Remove token parameters from query param fallback (Recommended)

// Fallback to query parameters if not provided via protocols
// SECURITY: Do NOT allow tokens/params via query string
target = target || queryParams.get("x_rivet_target");
actorId = actorId || queryParams.get("x_rivet_actor");
encodingRaw = encodingRaw || queryParams.get("x_rivet_encoding");
// Explicitly omit connParamsRaw, connIdRaw, connTokenRaw from query fallback

Option 2: Add explicit security validation
If token parameters are needed via query params for specific use cases, add:

  1. A runtime warning when tokens are passed via query params
  2. An opt-in configuration flag that must be explicitly enabled
  3. Documentation warning about the security implications

Code Quality Issues

1. Potential URL Parsing Bug

Location: parseQueryParams() function (line 219)

The dummy base URL approach may fail with relative URLs in certain edge cases:

const urlObj = new URL(url, "http://dummy");

Issue: If c.req.url is already a full URL with a different scheme/host, the base parameter is ignored. If it's a relative path, this works fine. However, the inconsistency could cause subtle bugs.

Recommendation: Use Hono's built-in query parsing instead:

const queryParams = new Map<string, string>();
for (const [key, value] of Object.entries(c.req.query())) {
  queryParams.set(key, value);
}

2. Silent Error Handling

Location: Line 223-224

} catch {
  // If URL parsing fails, return empty params
}

Issue: Silently swallowing errors makes debugging difficult. If URL parsing fails, it likely indicates a real problem.

Recommendation: Add logging:

} catch (error) {
  logger().warn({ msg: "failed to parse query params", url, error });
}

3. Inconsistent Parameter Naming

Location: Lines 115-120

The query parameter names use underscores (x_rivet_target) while:

  • HTTP headers use hyphens (x-rivet-target)
  • WebSocket protocols use dots (rivet_target.)

Recommendation: Document this naming convention or consider using consistent naming (e.g., converting underscores to hyphens when reading from query params).

Missing Test Coverage

No tests were added for this new functionality. The following scenarios should be tested:

  1. Query param fallback works for WebSocket connections

    • When protocol headers are missing
    • When protocol headers are present (should take precedence)

  2. Query param fallback works for HTTP requests

    • When headers are missing
    • When headers are present (should take precedence)

  3. Error cases

    • Invalid/malformed URLs
    • Missing required parameters (actor ID)
    • Invalid target values

  4. Security tests (if tokens via query params are kept)

    • Verify tokens are sanitized from logs
    • Verify appropriate warnings are emitted

Performance Considerations

URL parsing on every request: The new parseQueryParams() function is called for every HTTP and WebSocket request, even when query parameters aren't being used.

Recommendation: Only parse query params when fallback is actually needed:

// Check headers first
const target = c.req.header(HEADER_RIVET_TARGET);
const actorId = c.req.header(HEADER_RIVET_ACTOR);

// Only parse query params if headers are missing
if (!target || !actorId) {
  const queryParams = parseQueryParams(c.req.url);
  target = target || queryParams.get("x_rivet_target");
  actorId = actorId || queryParams.get("x_rivet_actor");
}

This avoids unnecessary URL parsing in the common case where headers are provided.

Documentation Gaps

  1. No usage examples - How should developers use query params? When is it appropriate?
  2. No security warnings - Users should be warned about passing sensitive data in query params
  3. No migration guide - Is this for backward compatibility? For specific platforms?

Summary

Category Status Severity
Security ❌ Critical 🔴 High
Code Quality ⚠️ Issues 🟡 Medium
Test Coverage ❌ Missing 🟡 Medium
Performance ⚠️ Minor 🟢 Low
Documentation ❌ Missing 🟡 Medium

Recommendation: Do not merge until the security concern is addressed. At minimum, remove token-related parameters from query param fallback.

Review generated based on RivetKit coding standards from CLAUDE.md

@pkg-pr-new
Copy link

pkg-pr-new bot commented Oct 22, 2025

More templates

@rivetkit/actor

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/actor@1418

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/cloudflare-workers@1418

@rivetkit/core

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/core@1418

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/db@1418

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/framework-base@1418

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/next-js@1418

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/react@1418

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivetkit@1418

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/sql-loader@1418

commit: 3999ee4

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@NathanFlurry