update mian.rs and openapi.json

api/auth/mod.rs

@@ -16,6 +16,7 @@ pub mod rsa;
 pub mod verify_2fa;
 pub mod verify_email;
 pub mod verify_reset_password;
+pub mod ws_token;
 
 use actix_web::web;
 
@@ -27,6 +28,7 @@ pub fn configure(cfg: &mut web::ServiceConfig) {
             .route("/login", web::post().to(login::handle))
             .route("/logout", web::post().to(logout::handle))
             .route("/me", web::get().to(me::handle))
+            .route("/ws-token", web::post().to(ws_token::handle))
             .route(
                 "/register/email-code",
                 web::post().to(register_email_code::handle),

api/auth/ws_token.rs

@@ -0,0 +1,57 @@
+use std::collections::HashMap;
+
+use actix_web::{HttpResponse, web};
+use serde::Serialize;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::service::AppService;
+use crate::session::Session;
+
+/// Response payload for `POST /auth/ws-token`.
+#[derive(Debug, Serialize, utoipa::ToSchema)]
+pub struct WsTokenResponse {
+    /// Short-lived JWT prefixed with "Bearer " for use in the Socket.IO CONNECT auth packet.
+    pub token: String,
+    /// Unix timestamp (seconds) when the token expires.
+    pub expires_at: i64,
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/auth/ws-token",
+    tag = "Auth",
+    operation_id = "authWsToken",
+    summary = "Issue a short-lived WebSocket token",
+    description = "Issue a short-lived JWT (30 minutes) scoped to IM WebSocket access. \
+        The token is signed by the appks signing key and can be verified by imks either \
+        locally (via cached signing keys) or via RPC. The returned token should be passed \
+        as `{ token: <value> }` in the Socket.IO CONNECT auth packet. Requires an \
+        authenticated session.",
+    responses(
+        (status = 200, description = "Token issued successfully.", body = ApiResponse<WsTokenResponse>),
+        (status = 401, description = "The current session is unauthenticated or the login state has expired.", body = ApiErrorResponse),
+        (status = 500, description = "Token issuance or Redis write failed.", body = ApiErrorResponse)
+    )
+)]
+pub async fn handle(
+    service: web::Data<AppService>,
+    session: Session,
+) -> Result<HttpResponse, AppError> {
+    let user_uid = session.user().ok_or(AppError::Unauthorized)?;
+
+    let issued = service
+        .internal_auth
+        .issue_token(
+            &user_uid.to_string(),
+            1800, // 30-minute TTL (frontend refreshes every 25 min)
+            vec!["im:read".into(), "im:write".into()],
+            HashMap::new(),
+        )
+        .await?;
+
+    Ok(HttpResponse::Ok().json(ApiResponse::new(WsTokenResponse {
+        token: format!("Bearer {}", issued.access_token),
+        expires_at: issued.expires_at,
+    })))
+}

api/openapi.rs

@@ -4,6 +4,7 @@ use crate::api::auth::regenerate_2fa_backup_codes::{
     Regenerate2FABackupCodesRequest, Regenerate2FABackupCodesResponse,
 };
 use crate::api::auth::register::RegisterResponse;
+use crate::api::auth::ws_token::WsTokenResponse;
 use crate::api::issue::lock::LockIssueParams;
 use crate::api::issue::subscribers::MuteIssueParams;
 use crate::api::issue::transfer::TransferIssueParams;
@@ -174,6 +175,7 @@ use crate::service::im::members::{InviteMemberParams, UpdateMemberParams};
         crate::api::auth::disable_2fa::handle,
         crate::api::auth::regenerate_2fa_backup_codes::handle,
         crate::api::auth::change_password::change_password,
+        crate::api::auth::ws_token::handle,
         // User
         crate::api::user::get_account::get_account,
         crate::api::user::update_account::update_account,
@@ -839,6 +841,8 @@ use crate::service::im::members::{InviteMemberParams, UpdateMemberParams};
         NotifyUpdateTemplateParams,
         // Auth additions
         ChangePasswordParams,
+        ApiResponse<WsTokenResponse>,
+        WsTokenResponse,
         // User additions - Presence/Block/Follow
         ApiResponse<UserPresence>,
         UserPresence,