The latest updates on your projects. Learn more aboutVercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-next-js-max	Ready	Preview	Comment	Oct 22, 2025 4:26am
rivetkit-serverless	Ready	Preview	Comment	Oct 22, 2025 4:26am

• chore(examples): cursors example #1419
• feat(core): support routing via query params #1418 👈(View in Graphite)
• main

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up usingthis link.

This stack of pull requests is managed byGraphite. Learn more aboutstacking.

PR Review: Support routing via query params

Critical Security Concern 🔴

This PR introduces a serious security vulnerability by allowing sensitive tokens to be passed via query parameters, which directly contradicts an existing security comment in the codebase.

Inpackages/rivetkit/src/common/actor-router-consts.ts:12:

// IMPORTANT: Params must be in headers or in an E2EE part of the request (i.e. NOT the URL or query string)// in order to ensure that tokens can be securely passed in params.

The Problem

The PR adds fallback support for these parameters via query strings:

• x_rivet_conn_params (line 118)
• x_rivet_conn_token (line 120)

Why this is dangerous:

1. Query parameters are logged - They appear in server logs, proxy logs, browser history, and analytics
2. Query parameters are not encrypted - Even with HTTPS, they can leak through Referer headers
3. Query parameters are shareable - URLs with tokens can be accidentally shared or bookmarked
4. Violates existing security policy - The codebase explicitly warns against this pattern

Recommended Fix

Option 1: Remove token parameters from query param fallback (Recommended)

// Fallback to query parameters if not provided via protocols// SECURITY: Do NOT allow tokens/params via query stringtarget=target||queryParams.get("x_rivet_target");actorId=actorId||queryParams.get("x_rivet_actor");encodingRaw=encodingRaw||queryParams.get("x_rivet_encoding");// Explicitly omit connParamsRaw, connIdRaw, connTokenRaw from query fallback

Option 2: Add explicit security validation
If token parameters are needed via query params for specific use cases, add:

1. A runtime warning when tokens are passed via query params
2. An opt-in configuration flag that must be explicitly enabled
3. Documentation warning about the security implications

Code Quality Issues

1. Potential URL Parsing Bug

Location:parseQueryParams() function (line 219)

The dummy base URL approach may fail with relative URLs in certain edge cases:

consturlObj=newURL(url,"http://dummy");

Issue: Ifc.req.url is already a full URL with a different scheme/host, the base parameter is ignored. If it's a relative path, this works fine. However, the inconsistency could cause subtle bugs.

Recommendation: Use Hono's built-in query parsing instead:

constqueryParams=newMap<string,string>();for(const[key,value]ofObject.entries(c.req.query())){queryParams.set(key,value);}

2. Silent Error Handling

Location: Line 223-224

}catch{// If URL parsing fails, return empty params}

Issue: Silently swallowing errors makes debugging difficult. If URL parsing fails, it likely indicates a real problem.

Recommendation: Add logging:

}catch(error){logger().warn({msg:"failed to parse query params", url, error});}

3. Inconsistent Parameter Naming

Location: Lines 115-120

The query parameter names use underscores (x_rivet_target) while:

• HTTP headers use hyphens (x-rivet-target)
• WebSocket protocols use dots (rivet_target.)

Recommendation: Document this naming convention or consider using consistent naming (e.g., converting underscores to hyphens when reading from query params).

Missing Test Coverage

No tests were added for this new functionality. The following scenarios should be tested:

1. Query param fallback works for WebSocket connections

   • When protocol headers are missing
   • When protocol headers are present (should take precedence)

2. Query param fallback works for HTTP requests

   • When headers are missing
   • When headers are present (should take precedence)

3. Error cases

   • Invalid/malformed URLs
   • Missing required parameters (actor ID)
   • Invalid target values

4. Security tests (if tokens via query params are kept)

   • Verify tokens are sanitized from logs
   • Verify appropriate warnings are emitted

Performance Considerations

URL parsing on every request: The newparseQueryParams() function is called for every HTTP and WebSocket request, even when query parameters aren't being used.

Recommendation: Only parse query params when fallback is actually needed:

// Check headers firstconsttarget=c.req.header(HEADER_RIVET_TARGET);constactorId=c.req.header(HEADER_RIVET_ACTOR);// Only parse query params if headers are missingif(!target||!actorId){constqueryParams=parseQueryParams(c.req.url);target=target||queryParams.get("x_rivet_target");actorId=actorId||queryParams.get("x_rivet_actor");}

This avoids unnecessary URL parsing in the common case where headers are provided.

Documentation Gaps

1. No usage examples - How should developers use query params? When is it appropriate?
2. No security warnings - Users should be warned about passing sensitive data in query params
3. No migration guide - Is this for backward compatibility? For specific platforms?

Summary

Recommendation: Do not merge until the security concern is addressed. At minimum, remove token-related parameters from query param fallback.

Review generated based on RivetKit coding standards from CLAUDE.md

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/actor@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/cloudflare-workers@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/core@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/db@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/framework-base@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/next-js@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/react@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit@1418

pnpm add https://pkg.pr.new/rivet-dev/rivetkit/@rivetkit/sql-loader@1418

commit:3999ee4