You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/developers/chats.mdx
+6-5Lines changed: 6 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,7 +17,7 @@ This document explains how Ecency's chat experience works and how other Hive app
17
17
### Realtime transport
18
18
19
19
-**Websocket proxy**: `/api/mattermost/websocket` is a passthrough to Mattermost's websocket upgraded connection. It upgrades on the edge runtime, forwards all frames bi-directionally, and injects the authentication challenge upstream using the `mm_pat` cookie created during bootstrap.
20
-
-**Auth flow**: Clients do **not** need to send the PAT manually; the proxy pulls it from the cookie, opens the upstream websocket derived from `MATTERMOST_BASE_URL`, and immediately sends Mattermost's `authentication_challenge` action with the PAT.
20
+
-**Auth flow**: The proxy authenticates using the PAT created during bootstrap. Cookies work for same-site contexts, and external clients can now pass the PAT via `Authorization: Bearer <token>` or `?token=<mm_pat>` if cookies are unavailable.
21
21
-**Error handling**: Missing cookies receive `401 Unauthorized`; invalid upgrades respond with `400`; upstream issues (e.g., Mattermost unreachable) respond with `502`.
22
22
23
23
## Using Ecency-hosted chat endpoints
@@ -34,7 +34,7 @@ Other Hive apps can call Ecency's `/api/mattermost/*` routes directly - **no Mat
34
34
2.**Bootstrap against Ecency**:
35
35
-`POST https://ecency.com/api/mattermost/bootstrap` with JSON `{ username, accessToken, refreshToken, displayName?, community?, communityTitle? }` and `credentials: "include"`.
36
36
- The route validates the Hive token, creates/ensures the Mattermost user, and joins/creates the team and optional community channel.
37
-
- Response: `{ ok: true, userId, channelId?}` and an `mm_pat` cookie scoped to Ecency.
37
+
- Response: `{ ok: true, userId, channelId?, token }` and an `mm_pat` cookie scoped to Ecency. The `token` mirrors the PAT for clients that cannot use cookies.
38
38
3.**Call chat endpoints with the cookie**: Subsequent requests to `https://ecency.com/api/mattermost/*` automatically include the PAT cookie when `credentials: "include"` is set, enabling channel lists, posting, reactions, searches, and direct messages.
39
39
4.**Link back to your UI**: Use returned `channelId` or search endpoints to deep-link into chat surfaces within your app (e.g., from profiles or community pages).
- No token needs to be provided in the websocket URL or headers; the proxy pulls it from `mm_pat` and runs the `authentication_challenge` upstream for you.
72
-
- If the PAT cookie is missing or expired, the request returns `401` before upgrading. Re-run the bootstrap route to refresh it.
73
-
- The websocket endpoint is same-origin, so use `wss://<your-ecency-host>/api/mattermost/websocket` for staging or production as appropriate.
71
+
- Preferred same-site flow: rely on the `mm_pat` cookie and let the proxy run the `authentication_challenge` upstream for you.
72
+
- External-origin flow: call `POST /api/mattermost/bootstrap`, read `token` from the JSON response, then connect to `wss://ecency.com/api/mattermost/websocket?token=<mm_pat>` (or send `Authorization: Bearer <token>`) so browsers without cookie access can still authenticate.
73
+
- If the PAT cookie or token is missing or expired, the request returns `401` before upgrading. Re-run the bootstrap route to refresh it.
74
+
- The websocket endpoint is same-origin, so use `wss://<your-ecency-host>/api/mattermost/websocket` for staging or production as appropriate. Third-party origins should keep using the Ecency host while passing the token explicitly.
0 commit comments