Conversation

@nguyennk92

@nguyennk92 nguyennk92 commented Nov 13, 2025

Risks

Low

Background

What does this PR do?

Authenticate the Socket.IO connection using ELIZA_SERVER_AUTH_TOKEN

What kind of change is this?

Improvements (misc. changes to existing features)

Why are we doing this? Any context or related work?

Add a layer of security

Backward compatibility

This breaks older clients, as they were not expecting Socket.IO authentication. Docs will need to be updated, as they only mention API authentication with the X-API-KEY header.

@graphite-app

graphite-app bot commented Nov 13, 2025

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge-queue - adds this PR to the back of the merge queue
  • merge-queue-hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

@coderabbitai
Contributor

coderabbitai bot commented Nov 13, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Collaborator

@standujar standujar left a comment


Hello @nguyennk92, thanks for your contribution! Could you please re-use ELIZA_SERVER_AUTH_TOKEN instead of creating another one? Thanks a lot!

@nguyennk92
Author

Hello @nguyennk92, thanks for your contribution! Could you please re-use ELIZA_SERVER_AUTH_TOKEN instead of creating another one? Thanks a lot!

Sure, but I'm a little bit worried about backward compatibility if we re-use ELIZA_SERVER_AUTH_TOKEN; it would break old code, as it is not expecting to have to authenticate the Socket.IO connection when ELIZA_SERVER_AUTH_TOKEN is set. What's your opinion about this?

@standujar
Collaborator

standujar commented Nov 13, 2025

@nguyennk92
You’re right, but it’s also, and quite simply, a major security gap.
If someone enables the AUTH token, they expect the entire stack to be secure, not just part of it.
So in that sense, enforcing authentication on Socket.IO as well is actually the safer and more consistent behavior.

I’ll let others share their thoughts.
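An added example (not code from this PR or from the Eliza project) of what "enforcing authentication on Socket.IO as well" looks like as an `io.use(...)` connection middleware keyed on ELIZA_SERVER_AUTH_TOKEN. It assumes clients present the token either in the Socket.IO `auth` handshake payload as `token` or in the X-API-KEY header already used for the HTTP API, and that an unset ELIZA_SERVER_AUTH_TOKEN leaves the socket open, mirroring the opt-in behaviour discussed above; all three are assumptions.

```javascript
// Added example, not the project's code. Checks the Socket.IO handshake
// against ELIZA_SERVER_AUTH_TOKEN. Token locations (auth.token, X-API-KEY
// header) and the "unset token means no enforcement" rule are assumptions.

// Constant-time string comparison so a wrong token is rejected without
// leaking how many leading characters matched via timing.
function tokensMatch(provided, expected) {
  if (typeof provided !== "string" || typeof expected !== "string") return false;
  if (provided.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= provided.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Builds a middleware with the (socket, next) signature that io.use() expects.
// Calling next(err) makes Socket.IO refuse the connection and deliver
// err.message / err.data to the client as a "connect_error".
function makeSocketAuthMiddleware(expectedToken) {
  return function socketAuth(socket, next) {
    if (!expectedToken) return next(); // assumption: no token configured, no enforcement
    const fromAuth = socket.handshake?.auth?.token;
    const fromHeader = socket.handshake?.headers?.["x-api-key"];
    const provided = fromAuth ?? fromHeader;
    if (tokensMatch(provided, expectedToken)) return next();
    const err = new Error("unauthorized");
    err.data = { reason: "missing or invalid ELIZA_SERVER_AUTH_TOKEN" };
    return next(err);
  };
}

// Runs the middleware against a constructed handshake object and reports
// whether the connection would be admitted ("ok") or refused ("denied").
function admits(expectedToken, handshake) {
  let result = null;
  makeSocketAuthMiddleware(expectedToken)({ handshake }, (err) => {
    result = err === undefined ? "ok" : "denied";
  });
  return result;
}

// Wiring on a real server would be:
//   io.use(makeSocketAuthMiddleware(process.env.ELIZA_SERVER_AUTH_TOKEN));
```

Note that with this shape a deployment that forgets to set ELIZA_SERVER_AUTH_TOKEN silently runs with an open socket, which is exactly the "part of the stack" gap the comment above describes; logging a startup warning when the token is empty is a cheap safeguard.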

@standujar
Collaborator

I'm adding this on #6107 too.

@nguyennk92 nguyennk92 force-pushed the socketio-server-add-auth-token branch from 4052d82 to 1d8ca86 on November 17, 2025 03:36
@nguyennk92
Author

@standujar I updated the env to reuse ELIZA_SERVER_AUTH_TOKEN as well as the description

@standujar standujar self-requested a review November 17, 2025 15:42
@standujar
Collaborator

standujar commented Nov 19, 2025

Hi @nguyennk92 ! Thanks.

I think that we can close this one since #6107 will handle a more complex security level, including this.

@nguyennk92
Author

@standujar Sure, that's great to hear

@nguyennk92 nguyennk92 closed this Nov 20, 2025