coder
diff --git a/‎internal/api/src/routes/devhook.server.ts‎
Lines changed: 6 additions & 0 deletions b/‎internal/api/src/routes/devhook.server.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎internal/api/src/routes/devhook.test.ts‎
Lines changed: 3 additions & 0 deletions b/‎internal/api/src/routes/devhook.test.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/server/src/devhook.test.ts‎
Lines changed: 52 additions & 3 deletions b/‎packages/server/src/devhook.test.ts‎
Lines changed: 52 additions & 3 deletions
@@ -4,6 +4,9 @@ import type { APIServer } from "../server";
 import { createWebhookURL } from "../server-helper";
 
 export default function mountDevhook(server: APIServer) {
+  // this endpoint is used by packages/server/src/server.ts
+  // to authorize the listen request. it must use the exact same auth
+  // method as the one required to listen on the matching devhook URL.
   server.get("/:devhook/url", withDevhookAuth, async (c) => {
     const id = c.req.param("devhook");
     if (!validate(id)) {
@@ -21,6 +24,9 @@ export default function mountDevhook(server: APIServer) {
     return c.json({ url });
   });
 
+  // this endpoint is somewhat misleading. in self-hosted mode,
+  // it's not used during the flow to listen on the devhook URL.
+  // websocket upgrade logic is handled in packages/server/src/server.ts
   server.get("/:devhook", withDevhookAuth, async (c) => {
     const id = c.req.param("devhook");
     if (!validate(id)) {
 
@@ -87,8 +87,11 @@ test.each([
     },
   });
 
+  // Ensure connection works.
   await connectPromise;
 
+  // Test wildcard hostname routing.
+  // We need to make the request go through the test server with the correct Host header.
   const devhookURL = bindings.createRequestURL!(id);
   const response = await fetch(url, { headers: { Host: devhookURL.host } });
   expect(response.status).toBe(200);
 
@@ -1,6 +1,7 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
-import { serve } from "@blink.so/api/test";
+import Client from "@blink.so/api";
 import { createDevhookSupport } from "./devhook";
+import { serve } from "./test";
 
 describe("devhook integration tests", () => {
   let server: Awaited<ReturnType<typeof serve>>;
@@ -18,8 +19,8 @@ describe("devhook integration tests", () => {
     });
   });
 
-  afterAll(() => {
-    server.stop();
+  afterAll(async () => {
+    await server[Symbol.asyncDispose]();
   });
 
   describe("UUID validation", () => {
@@ -82,6 +83,54 @@ describe("devhook integration tests", () => {
     });
   });
 
+  describe("authentication", () => {
+    test("requires auth for devhook listen", async () => {
+      const id = crypto.randomUUID();
+      const client = new Client({ baseURL: server.url.toString() });
+      let connected = false;
+      let errorEvent: unknown;
+
+      const outcome = await new Promise<"error" | "disconnect">(
+        (resolve, reject) => {
+          const timer = setTimeout(() => {
+            reject(new Error("Timed out waiting for devhook auth failure"));
+          }, 5000);
+
+          let disposable: { dispose: () => void } | undefined;
+          disposable = client.devhook.listen({
+            id,
+            onRequest: async () => new Response("ok"),
+            onConnect: () => {
+              connected = true;
+            },
+            onDisconnect: () => {
+              clearTimeout(timer);
+              disposable?.dispose();
+              resolve("disconnect");
+            },
+            onError: (err) => {
+              errorEvent = err;
+              clearTimeout(timer);
+              disposable?.dispose();
+              resolve("error");
+            },
+          });
+        }
+      );
+
+      expect(outcome).toBe("error");
+      expect(connected).toBe(false);
+      expect(errorEvent).toBeDefined();
+
+      // Assert the actual auth error message via HTTP since WebSocket errors
+      // do not expose the handshake response body.
+      const response = await client.request("GET", `/api/devhook/${id}/url`);
+      expect(response.status).toBe(401);
+      const body = await response.json();
+      expect(body.message).toBe("Unauthorized");
+    });
+  });
+
   describe("devhook proxy flow", () => {
     test("proxies requests through connected devhook", async () => {
       const { helpers, bindings, url } = server;