From a5ea632cc20185ed29a7c109bc3753370b5602d8 Mon Sep 17 00:00:00 2001
From: Smittix <jamessmith1@outlook.com>
Date: Sun, 8 Feb 2026 13:03:34 +0000
Subject: [PATCH] Fix WebSocket waterfall blocked by login redirect

The before_request require_login hook was returning a 302 redirect
for WebSocket upgrade requests, which browsers report as "Invalid
frame header". WebSocket requests don't always carry session cookies
reliably. Allow /ws/ paths through the login check since the page
that initiates these connections already requires authentication.

Also keeps the prior fix: serialize WebSocket sends through a queue
to avoid concurrent read/write on the non-thread-safe simple-websocket.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app.py b/app.py
index 470f909..d89f9c6 100644
--- a/app.py
+++ b/app.py
@@ -292,6 +292,10 @@ def require_login():
     if request.path.startswith('/listening/audio/'):
         return None
 
+    # Allow WebSocket upgrade requests (page load already required auth)
+    if request.path.startswith('/ws/'):
+        return None
+
     # Controller API endpoints use API key auth, not session auth
     # Allow agent push/pull endpoints without session login
     if request.path.startswith('/controller/'):