Skip to content

fix: fix gateway token reading, rivetkit path token, vergen git sha #3721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MasterPtato wants to merge 1 commit into from
Closed

fix: fix gateway token reading, rivetkit path token, vergen git sha #3721

MasterPtato wants to merge 1 commit into from

Conversation

@MasterPtato
Copy link
Contributor

@MasterPtato MasterPtato commented Jan 1, 2026

No description provided.

@vercel
Copy link

vercel bot commented Jan 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
rivetkit-serverless Error Error Jan 6, 2026 1:34am
3 Skipped Deployments
Project Deployment Review Updated (UTC)
rivet-cloud Ignored Ignored Jan 6, 2026 1:34am
rivet-inspector Ignored Ignored Preview Jan 6, 2026 1:34am
rivet-site Ignored Ignored Preview Jan 6, 2026 1:34am

This was referenced Jan 1, 2026
Closed
Closed
Closed
@MasterPtato Graphite App
Copy link
Contributor Author

MasterPtato commented Jan 1, 2026
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@MasterPtato MasterPtato mentioned this pull request Jan 1, 2026
Closed
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 1, 2026
edited
Loading

More templates

@rivetkit/cloudflare-workers

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/cloudflare-workers@3721

@rivetkit/db

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/db@3721

@rivetkit/framework-base

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/framework-base@3721

@rivetkit/next-js

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/next-js@3721

@rivetkit/react

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/react@3721

rivetkit

pnpm add https://pkg.pr.new/rivet-dev/rivet/rivetkit@3721

@rivetkit/sql-loader

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/sql-loader@3721

@rivetkit/engine-runner

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner@3721

@rivetkit/engine-runner-protocol

pnpm add https://pkg.pr.new/rivet-dev/rivet/@rivetkit/engine-runner-protocol@3721

commit: a64352e

@claude
Copy link

claude bot commented Jan 1, 2026
edited
Loading

Pull Request Review - PR #3721

This PR fixes three related issues: gateway token reading, rivetkit path token handling, and vergen git SHA handling. Overall, the changes are well-structured and address real bugs. Here's my detailed review:

✅ Positive Aspects

  1. Good separation of concerns: Moving vergen build logic from rivet-env to rivet-util makes sense architecturally
  2. Proper URL encoding: The rivetkit changes correctly encode both actor IDs and tokens in URLs
  3. Token fallback logic: The pegboard gateway now properly checks WebSocket protocols when path tokens aren't provided

🔍 Code Quality & Best Practices

engine/packages/guard/src/routing/pegboard_gateway.rs

Good:

  • Follows the existing pattern for token extraction from WebSocket protocols
  • Proper error handling with context
  • Consistent with the route_request function's token parsing logic

Issues:

  1. Unused parameter (line 157): The token parameter is prefixed with _ but the comment says "NOTE: Token validation implemented in EE". Recommendation: Add a TODO comment or remove the parameter if it's genuinely not needed

  2. Missing validation: The token is extracted but never validated in the open-source version. Consider adding at least basic format validation or a more explicit warning log.

rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/actor-websocket-client.ts

Critical Issue:

The buildWebSocketProtocols function does NOT include the token in WebSocket protocols. This is a bug because the gateway code expects to find the token in WebSocket protocols (pegboard_gateway.rs:52, 119), but the client doesn't send it there.

The path-based token (in the URL) works, but WebSocket protocol fallback won't work. The function should add the token to protocols when available.

engine/packages/util/build.rs

Good:

  • Proper use of vergen with gitcl for git metadata
  • OVERRIDE_GIT_SHA environment variable support for Docker builds

Minor suggestion: Consider logging when the override is used for better debugging visibility.

Cargo.toml

Concern: Enabling debug symbols in dev builds (debug = true) will improve debugging but significantly increase build times and binary size. Is this intentional for all developers, or was this meant for local debugging only? Consider documenting this decision.

scripts/run/docker/engine-rocksdb.sh

The addition of FILTERED_ARGS array appears to prepare for future argument filtering, but currently just passes all args through unchanged. This seems incomplete.

🔒 Security Considerations

  1. Token handling: Tokens are now properly URL-encoded, which prevents injection attacks ✅
  2. Token in URL path: While tokens in URL paths work, they may appear in logs. The WebSocket protocol approach is more secure—but the client doesn't implement it correctly (see issue above)
  3. No token validation: The OSS version doesn't validate tokens at all. This should be clearly documented

⚡ Performance Considerations

No significant performance concerns. The URL encoding adds negligible overhead.

🧪 Test Coverage

Major Gap: No tests found for the token extraction logic. Recommended tests:

  1. Test token extraction from WebSocket protocols
  2. Test token extraction from path
  3. Test fallback behavior (path → WebSocket → headers)
  4. Test URL encoding/decoding of special characters in tokens

📋 Summary of Required Changes

Critical (Must Fix):

  1. Fix buildWebSocketProtocols to include the token in WebSocket protocols

High Priority:

  1. Add tests for token extraction logic
  2. Clarify the debug = true change in Cargo.toml (document or revert)

Medium Priority:

  1. Remove _token parameter or add TODO for EE implementation
  2. Add URL encoding test cases for edge cases

Low Priority:

  1. Add logging for OVERRIDE_GIT_SHA usage
  2. Complete or remove the FILTERED_ARGS logic in the shell script

📝 Additional Notes

The Grafana dashboard changes (adding router filtering) are mechanical and look correct—they're just generated config files.

Overall, this PR addresses real issues but has one critical bug in the TypeScript client that needs to be fixed before merging.

Review generated by Claude Code

@MasterPtato MasterPtato force-pushed the 12-31-fix_fix_gateway_token_reading_rivetkit_path_token_vergen_git_sha branch from 7c1841f to a64352e Compare January 1, 2026 01:44
This was referenced Jan 5, 2026
Closed
Closed
NathanFlurry
NathanFlurry requested changes Jan 6, 2026
View reviewed changes
rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/actor-websocket-client.ts Outdated
const guardUrl = combineUrlPath(endpoint, `/gateway/${actorId}${path}`);
let gatewayPath;
if (runConfig.token !== undefined) {
gatewayPath = `/gateway/${actorId}@${runConfig.token}${path}`;
Copy link
Member

@NathanFlurry NathanFlurry Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs to be uri component encoded

rivetkit-typescript/packages/rivetkit/src/remote-manager-driver/actor-websocket-client.ts Outdated
if (runConfig.token !== undefined) {
gatewayPath = `/gateway/${actorId}@${runConfig.token}${path}`;
} else {
gatewayPath = `/gateway/${actorId}${path}`;
Copy link
Member

@NathanFlurry NathanFlurry Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my mistake but acto rid should also be uri component encoded

@MasterPtato MasterPtato force-pushed the 12-31-fix_fix_gateway_token_reading_rivetkit_path_token_vergen_git_sha branch from a64352e to 6ccf784 Compare January 6, 2026 01:33
@MasterPtato MasterPtato force-pushed the 12-18-chore_clean_up_metrics branch from 2bc37dc to 5cdf86a Compare January 6, 2026 01:33
@graphite-app
Copy link
Contributor

graphite-app bot commented Jan 6, 2026
edited
Loading

Merge activity

  • Jan 6, 1:36 AM UTC: MasterPtato added this pull request to the Graphite merge queue.
  • Jan 6, 1:37 AM UTC: CI is running for this pull request on a draft pull request (#3753) due to your merge queue CI optimization settings.
  • Jan 6, 1:37 AM UTC: Merged by the Graphite merge queue via draft PR: #3753.

graphite-app bot pushed a commit that referenced this pull request Jan 6, 2026
@MasterPtato
fix: fix gateway token reading, rivetkit path token, vergen git sha (#…
6a73c66 
…3721)
@graphite-app graphite-app bot closed this Jan 6, 2026
@graphite-app graphite-app bot deleted the 12-31-fix_fix_gateway_token_reading_rivetkit_path_token_vergen_git_sha branch January 6, 2026 01:37
@claude claude bot mentioned this pull request Jan 6, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NathanFlurry NathanFlurry NathanFlurry approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MasterPtato @NathanFlurry