From df34679f38e900c6d710872e34e531b7afa7218d Mon Sep 17 00:00:00 2001
From: Sukru Senli <sukru.senli@iopsys.eu>
Date: Sat, 17 Jan 2026 00:17:11 +0100
Subject: [PATCH] sulu-builder: integrate nginx-mod-ws-auth for WebSocket
 authentication

  Include ws-auth endpoints and fix nginx template updates to properly
  add WebSocket upgrade map and upstream directives independently.
---
 sulu/sulu-builder/files/etc/sulu/nginx.locations           | 3 +++
 .../sulu-builder/files/etc/uci-defaults/40-add-sulu-config | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/sulu/sulu-builder/files/etc/sulu/nginx.locations b/sulu/sulu-builder/files/etc/sulu/nginx.locations
index 59e6d17be..6a77088ad 100644
--- a/sulu/sulu-builder/files/etc/sulu/nginx.locations
+++ b/sulu/sulu-builder/files/etc/sulu/nginx.locations
@@ -1,5 +1,8 @@
 error_page 497 301 =307 https://$host:$server_port$request_uri;
 
+# WebSocket authentication endpoints
+include /etc/nginx/ws-auth-locations.conf;
+
 location /robots.txt {
 	return 200 "User-agent: *\nDisallow: /\n";
 }
diff --git a/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config b/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config
index 50dbeb7f8..6e94774ce 100644
--- a/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config
+++ b/sulu/sulu-builder/files/etc/uci-defaults/40-add-sulu-config
@@ -20,8 +20,13 @@ update_nginx_uci_template()
 	port="$(uci -q get mosquitto.sulu.port)"
 	port="${port:-9009}"
 
-	if ! grep -w "upstream websocket" ${UCI_TEMPLATE} | grep -wq "127.0.0.1:${port}"; then
+	# Add map for WebSocket connection upgrade if not present
+	if ! grep -q "map \$http_upgrade \$connection_upgrade" ${UCI_TEMPLATE}; then
 		sed -i '/#UCI_HTTP_CONFIG$/i\   map $http_upgrade $connection_upgrade { default upgrade; "" close; }' ${UCI_TEMPLATE}
+	fi
+
+	# Add upstream websocket if not present
+	if ! grep -q "upstream websocket" ${UCI_TEMPLATE}; then
 		sed -i "/#UCI_HTTP_CONFIG$/i\   upstream websocket { server 127.0.0.1:${port}; }" ${UCI_TEMPLATE}
 	fi
 }