From d3c2a9bdffd3741fb016eb9005ec1ecc731b23d7 Mon Sep 17 00:00:00 2001
From: kcar
Date: Thu, 21 May 2026 17:09:39 +0000
Subject: [PATCH] security: pass TLSYNC_SECRET token in sync WebSocket URI
Reads VITE_TLSYNC_SECRET from env and appends ?token=... to the /connect/:roomId WebSocket URI so tlsync server can authenticate connections.
Co-Authored-By: Claude Sonnet 4.6
---
 src/services/tldraw/syncService.ts | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/services/tldraw/syncService.ts b/src/services/tldraw/syncService.ts
index 655cd2b..21c31e2 100644
--- a/src/services/tldraw/syncService.ts
+++ b/src/services/tldraw/syncService.ts
@@ -66,14 +66,17 @@ export function createSyncConnectionOptions(options: SyncConnectionOptions) {
 }
 };
- logger.info('sync-service', '🔄 Creating sync connection', {
- userId,
- displayName,
- roomId: effectiveRoomId
+ logger.info('sync-service', '🔄 Creating sync connection', {
+ userId,
+ displayName,
+ roomId: effectiveRoomId
 });
+ const token = import.meta.env.VITE_TLSYNC_SECRET ?? ''
+ const tokenParam = token ? `?token=${encodeURIComponent(token)}` : ''
+
 return {
- uri: `${baseUrl}/connect/${effectiveRoomId}`,
+ uri: `${baseUrl}/connect/${effectiveRoomId}${tokenParam}`,
 assets: multiplayerAssets,
 roomId: effectiveRoomId
 };
@@ -114,4 +117,3 @@ export function generateSharedRoomId(path: string): string {
 const sanitizedPath = path.replace(/[^a-zA-Z0-9]/g, '-');
 return `shared-${sanitizedPath}`;
 }
-
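Review bot: `import.meta.env.VITE_TLSYNC_SECRET` on the added `const token` line is a build-time value that Vite inlines into the client bundle, so the string sent as `?token=` is readable by anyone who loads the app and cannot serve as a server-side secret. If the tlsync server compares it with its own `TLSYNC_SECRET` (not visible here), every visitor holds the same long-lived credential, and a query-string token also tends to end up in proxy and access logs. Consider having an authenticated backend endpoint issue a short-lived per-user token for this URI; at minimum add above the line `// VITE_* values ship in the client bundle: treat this token as public, never reuse a server signing secret here`. The empty-string fallback also connects with no token at all, so rejection of unauthenticated sockets has to be enforced by the server. createSyncConnectionOptions starts and ends outside the hunk.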