Return a clean 403 for unauthenticated WebSocket connections

MarcSkovMadsen · claude · MarcSkovMadsen · commit 5d7d075b57b6 · 2026-06-06T04:17:48.000Z
Bokeh's WSHandler.open is wrapped with @authenticated, which redirects unauthenticated requests to the login page. A WebSocket upgrade cannot be redirected, so after the handshake this raised an uncaught RuntimeError ('Method not supported for Web Sockets'). Reject unauthenticated WebSocket upgrades with a clean 403 in prepare() (which runs before the handshake) instead. Refs #8634. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
diff --git a/panel/io/server.py b/panel/io/server.py
@@ -751,6 +751,21 @@ async def get(self, *args, **kwargs) -> None:
 
 class WSHandler(BkWSHandler):
 
+    async def prepare(self):
+        await super().prepare()
+        # A WebSocket upgrade cannot be redirected to a login page, so the
+        # @authenticated check on Bokeh's open() (which runs after the
+        # handshake) raises an uncaught RuntimeError ("Method not supported for
+        # Web Sockets") for unauthenticated connections. Reject the handshake
+        # cleanly with a 403 here instead, before it is performed.
+        if self.current_user is None:
+            logger.debug(
+                "Rejecting unauthenticated WebSocket connection to %r with 403.",
+                self.request.path
+            )
+            self.set_status(403)
+            self.finish()
+
     def open(self, *args, **kwargs):
         _set_request_route_context(self, *args, suffix='/ws', **kwargs)
         return super().open()
diff --git a/panel/tests/test_server.py b/panel/tests/test_server.py
@@ -167,6 +167,30 @@ def test_server_doc_page_is_not_cached():
     assert r.status_code == 200
     assert r.headers.get('Cache-Control') == 'no-store'
 
+def test_unauthenticated_websocket_returns_403(port):
+    # An unauthenticated WebSocket upgrade cannot be redirected to a login page,
+    # so it must be rejected with a clean 403 rather than raising server-side.
+    import asyncio
+
+    import websockets
+
+    html = Markdown('# Title')
+    serve_and_wait(
+        html, port=port, basic_auth="secret-password", cookie_secret="cookie-secret"
+    )
+
+    async def _connect():
+        url = f"ws://localhost:{port}/ws"
+        try:
+            async with websockets.connect(
+                url, subprotocols=["bokeh", "dummy-token"], open_timeout=10
+            ):
+                return None  # handshake unexpectedly succeeded
+        except websockets.InvalidStatus as e:
+            return e.response.status_code
+
+    assert asyncio.run(_connect()) == 403
+
 def test_server_static_dirs_index():
     html = Markdown('# Title')
 
