docs: add SSE security section to real-time events guide #4394
Merged
✅ Approved. SSE security section added to real-time events guide.
Security section covers:
- SSE token auth (short-lived, max 10 per API key) ✅
- Per-session authorization chain: lookup → tenant scoping → ownership check → 404/403 ✅
- Global stream filtering via isGlobalEventVisibleToRequest() ✅
- toGlobalEvent() design preserving sessionId for tenant lookup ✅
- Connection limits + back-pressure ✅
- Audit confirmation from Themis ✅
Note: This replaces the previous real-time-events.md from #4382 with an expanded version. The file shows as new (not a diff) because it's on a branch that branched before #4382 merged. Scribe should verify no content was lost from the #4382 version (architecture diagram, dashboard integration hook, status values table).
CI green. Ship it.
Documents multi-layer SSE auth model:
- SSE token requirement + limits
- Per-session ownership chain (tenant scoping, admin bypass)
- Global stream tenant filtering via isGlobalEventVisibleToRequest()
- Connection limiting (SSEConnectionLimiter + SSEWriter)
- Back-pressure handling
Audit by Themis (2026-05-28) confirmed both endpoints secure.
9c4b4f9 to cd30642
Summary
Adds a Security section to docs/guides/real-time-events.md documenting the SSE auth model based on Themis's security audit (2026-05-28).
What's added
- requireOwnership() wrapper, 404 for cross-tenant (doesn't leak existence)
- isGlobalEventVisibleToRequest() checks session.tenantId === requestTenantId
- SSEConnectionLimiter per-IP + global, SSEWriter back-pressure + zombie prevention
Source
Security audit findings from Themis, cross-referenced with:
- src/routes/session-data.ts:177 — per-session SSE with withOwnership()
- src/routes/events.ts — global SSE with isGlobalEventVisibleToRequest()
- src/events.ts:54 — toGlobalEvent() preserves sessionId for tenant lookup
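The per-session chain (lookup → tenant scoping → ownership check → 404/403) and the global-stream tenant filter described in this PR, as an added TypeScript sketch that is not part of the PR or the project's code. The types, sample data, function names, the shape of the global event, and the rule that an admin skips only the ownership check inside their own tenant are assumptions.

```typescript
// Added sketch, not the project's code. Types, sample data and function
// names are hypothetical; only the order of the checks comes from the PR text.
type SessionRecord = { id: string; tenantId: string; ownerId: string };
type Requester = { userId: string; tenantId: string; isAdmin: boolean };
type SessionScopedEvent = { type: string; sessionId: string; payload: string };
type GlobalStreamEvent = { type: string; sessionId: string };

// Constructed sample sessions in two tenants.
const sessions = new Map<string, SessionRecord>([
  ["s1", { id: "s1", tenantId: "t-a", ownerId: "alice" }],
  ["s2", { id: "s2", tenantId: "t-b", ownerId: "bob" }],
]);

// Per-session stream: lookup -> tenant scoping -> ownership check -> 404/403.
function authorizeSessionStream(sessionId: string, req: Requester): number {
  const session = sessions.get(sessionId);
  if (session === undefined) return 404;
  // Cross-tenant gets the same 404 as "unknown", so existence is not leaked.
  if (session.tenantId !== req.tenantId) return 404;
  // Assumption: an admin skips the ownership check only inside their own tenant.
  if (session.ownerId !== req.userId && !req.isAdmin) return 403;
  return 200;
}

// Stand-in for toGlobalEvent(). Assumed shape: the payload is dropped, but
// sessionId is kept because the filter below needs it to find the tenant.
function toGlobalEventSketch(e: SessionScopedEvent): GlobalStreamEvent {
  return { type: e.type, sessionId: e.sessionId };
}

// Stand-in for isGlobalEventVisibleToRequest(): session.tenantId === requestTenantId.
// An event whose session cannot be resolved is dropped (fail closed).
function isVisibleSketch(e: GlobalStreamEvent, req: Requester): boolean {
  const session = sessions.get(e.sessionId);
  return session !== undefined && session.tenantId === req.tenantId;
}

// Global stream as seen by one requester.
function globalStreamFor(events: SessionScopedEvent[], req: Requester): GlobalStreamEvent[] {
  return events.map(toGlobalEventSketch).filter((e) => isVisibleSketch(e, req));
}
```

A useful regression test for a handler like this is that a cross-tenant session ID and a nonexistent one produce the same status, since any difference turns the endpoint into an existence oracle.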