From 7262b0e5c283a0bb13cc033d046f02dbb85eabd5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 30 Jan 2026 16:01:34 +0000
Subject: [PATCH] Add security validation and documentation for botAuth parameter

Co-authored-by: SrIzan10 <66965250+SrIzan10@users.noreply.github.com>
---
 apps/chat/src/index.ts | 7 +++++--
 apps/docs/src/content/docs/api/chat.mdx | 4 +++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/apps/chat/src/index.ts b/apps/chat/src/index.ts
index f808475..cd1f976 100644
--- a/apps/chat/src/index.ts
+++ b/apps/chat/src/index.ts
@@ -47,8 +47,11 @@ app.get(
 let apiKey: string | null = null;
 if (authHeader && authHeader.startsWith('Bearer ')) {
 apiKey = authHeader.substring(7);
- } else if (botAuth) {
- apiKey = botAuth;
+ } else if (botAuth && typeof botAuth === 'string' && botAuth.trim().length > 0) {
+ // Validate botAuth query parameter format
+ if (botAuth.startsWith('hctvb_')) {
+ apiKey = botAuth;
+ }
 }

 if (apiKey) {
diff --git a/apps/docs/src/content/docs/api/chat.mdx b/apps/docs/src/content/docs/api/chat.mdx
index 4325e66..bacbd72 100644
--- a/apps/docs/src/content/docs/api/chat.mdx
+++ b/apps/docs/src/content/docs/api/chat.mdx
@@ -15,9 +15,11 @@ You'll need to provide authentication, which can be done by providing an `auth_s
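Review bot: In apps/chat/src/index.ts, the new `botAuth.startsWith('hctvb_')` check in the `else if` branch is only a shape filter and covers the query parameter alone: the `Bearer` branch above it still assigns `authHeader.substring(7)` unchecked, and a value of just `hctvb_` passes. The `botAuth &&` and `botAuth.trim().length > 0` tests are implied by the prefix test, so the branch can be `} else if (typeof botAuth === 'string' && botAuth.startsWith('hctvb_')) {` with the comment reworded to `// Prefix check only; the key is still verified by the lookup below`, assuming the `if (apiKey)` block that continues outside this hunk does that verification. Because this key travels in the URL, it is worth confirming that request logging and any proxy in front of the service redact `botAuth`. The handler passed to `app.get(` starts and ends outside the hunk.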