require valid OpenWebRX ticket for all authorize calls

server/index.js

@@ -5527,13 +5527,6 @@ function resolveOpenWebRxOwnerFromRequestContext(req, url) {
 }
 
 async function handleOpenWebRxAuthorize(req, res, url) {
-  if (canAuthorizeOpenWebRxByActiveSession()) {
-    await ensureOpenWebRxSdrPath(null, { force: false, minIntervalMs: 3000 });
-    res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-    res.end("ok");
-    return;
-  }
-
   const queryTicket = String(url.searchParams.get("ticket") || "").trim();
   const cookieTicket = readCookie(req.headers && req.headers.cookie, "rms_owrx_ticket");
   const originalUriHeader = req.headers ? (req.headers["x-original-uri"] || req.headers["x-rewrite-uri"] || "") : "";
@@ -5554,12 +5547,6 @@ async function handleOpenWebRxAuthorize(req, res, url) {
     tickets.push(refererTicket);
   }
   if (tickets.length === 0) {
-    if (canAuthorizeOpenWebRxWebSocketWithoutTicket(req, originalUriHeader)) {
-      await ensureOpenWebRxSdrPath(null, { force: false, minIntervalMs: 3000 });
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end("ok");
-      return;
-    }
     res.writeHead(403, { "Content-Type": "text/plain; charset=utf-8" });
     res.end("forbidden");
     return;
@@ -5654,27 +5641,6 @@ function extractTicketFromUri(rawUri) {
   return String(params.get("ticket") || "").trim();
 }
 
-function canAuthorizeOpenWebRxWebSocketWithoutTicket(req, originalUriHeader) {
-  const headers = req && req.headers ? req.headers : {};
-  const upgrade = String(headers.upgrade || "").toLowerCase();
-  const hasWebSocketKey = Boolean(headers["sec-websocket-key"]);
-  const isWebSocket = upgrade === "websocket" || hasWebSocketKey;
-  if (!isWebSocket) {
-    return false;
-  }
-  if (!runtime.station || !runtime.station.isInUse || !runtime.station.activeByUserId) {
-    return false;
-  }
-  return true;
-}
-
-function canAuthorizeOpenWebRxByActiveSession() {
-  if (!runtime.station || !runtime.station.isInUse || !runtime.station.activeByUserId) {
-    return false;
-  }
-  return true;
-}
-
 async function handleHelpContent(res, user) {
   if (!hasRole(user, ["operator", "approver", "admin"])) {
     return sendError(res, 403, "auth.forbidden", "Nicht berechtigt");

test/auth-methods.integration.test.js

@@ -1671,6 +1671,9 @@ test("openwebrx session is owner-bound and release disables tx first", async (t)
   const authOk = await fetch(`${baseUrl}/v1/openwebrx/authorize?ticket=${encodeURIComponent(session.session.ticket)}`);
   assert.equal(authOk.status, 200);
 
+  const authWithoutTicket = await fetch(`${baseUrl}/v1/openwebrx/authorize`);
+  assert.equal(authWithoutTicket.status, 403);
+
   await requestJson(baseUrl, "/v1/openwebrx/tx/enable", {
     method: "POST",
     headers,