WebSocket Connection Test Results

Date: November 15, 2025 Backend: archety-backend-dev.up.railway.app Status: ⚠️ Configuration Required

---

Test Results

❌ WebSocket Connection Failed

All authentication attempts resulted in HTTP 403 Forbidden, indicating that the EDGE_SECRET environment variable is either:

1. Not set on Railway (most likely)
2. Set to a different value than we're testing with

Tests Performed

✅ Backend is reachable (HTTP 200 on /health)
❌ WebSocket with default secret: HTTP 403
❌ WebSocket with empty secret: HTTP 403
❌ WebSocket with test secret: HTTP 403

---

Root Cause

The backend WebSocket endpoint (app/api/edge_routes.py:111-198) requires:

1. Authorization header: Bearer {EDGE_SECRET}
2. EDGE_SECRET must match between client and server

The backend code shows:

# app/edge/auth.py:24
EDGE_SECRET = getattr(settings, 'edge_secret', 'CHANGE_THIS_SECRET_IN_PRODUCTION')

The issue: EDGE_SECRET is not configured in Railway environment variables for the dev environment.

---

Required Fix

Option 1: Set EDGE_SECRET on Railway (Recommended for Dev)

Via Railway Dashboard: 1. Go to: https://railway.app/project/{project-id} 2. Select archety-backend-dev service 3. Go to Variables tab 4. Add new variable:

EDGE_SECRET=CHANGE_THIS_SECRET_IN_PRODUCTION

5. Redeploy the service

Via Railway CLI:

# Login to Railway
railway login

# Link to project
railway link

# Set the variable
railway variables --set EDGE_SECRET=CHANGE_THIS_SECRET_IN_PRODUCTION --service archety-backend-dev --environment development

# Or if you're in the project directory:
railway service
# Select: archety-backend-dev
railway environment
# Select: development
railway variables set EDGE_SECRET=CHANGE_THIS_SECRET_IN_PRODUCTION

Option 2: Use a Production-Ready Secret (Recommended for Production)

Generate a secure secret:

openssl rand -hex 32
# Example output: <64-hex>

Set on Railway:

railway variables set EDGE_SECRET=<generated_hex>

Share with edge client engineer:

# Edge client .env
EDGE_SECRET=<generated_hex>

---

After Setting EDGE_SECRET

Once the environment variable is set on Railway:

1. Redeploy Backend

railway up
# Or trigger redeploy via Railway dashboard

2. Verify Backend Configuration

# Check logs for confirmation
railway logs

# Look for:
# "EDGE_SECRET (first 50 chars): CHANGE_THIS_SECRET_I..."

3. Re-run WebSocket Test

# From this repo
python test_websocket_connection.py

# Expected output:
# ✅ WebSocket connected successfully!
# ✅ Pong received - keepalive working!

4. Update Edge Client

# In edge client repo, add to .env:
EDGE_SECRET=CHANGE_THIS_SECRET_IN_PRODUCTION
# (or whatever secret you set on Railway)

---

What the Edge Client Needs

Once EDGE_SECRET is configured on Railway, the edge client can connect with:

const EDGE_SECRET = process.env.EDGE_SECRET;
const EDGE_AGENT_ID = "edge_13238407486";

const ws = new WebSocket(
  `wss://archety-backend-dev.up.railway.app/edge/ws?edge_agent_id=${EDGE_AGENT_ID}`,
  {
    headers: {
      'Authorization': `Bearer ${EDGE_SECRET}`
    }
  }
);

ws.on('open', () => {
  console.log('✅ Connected!');
});

---

Backend Logging

The backend has extensive debug logging for WebSocket connections. After setting EDGE_SECRET, check Railway logs for:

Successful connection:

🔍 WebSocket connection attempt from edge_agent_id=edge_13238407486
🔍 Headers: {'authorization': 'Bearer CHANGE...', ...}
🔍 Auth header present: True
🔍 Token verification result: EdgeAuthToken(...)
✅ Token verified for edge_agent_id=edge_13238407486
✅ WebSocket connection established for edge_13238407486

Failed connection (current state):

🔍 WebSocket connection attempt from edge_agent_id=edge_13238407486
❌ WebSocket connection rejected: invalid token

---

Summary

Component	Status	Action Required
Backend WebSocket Endpoint	✅ Working	None
Backend EDGE_SECRET Config	❌ Not Set	Set on Railway
Edge Client Code	⏳ Ready	Waiting for backend config
Documentation	✅ Complete	None

Next Step: Set EDGE_SECRET on Railway dev environment

---

Testing After Fix

After setting EDGE_SECRET, run these tests in order:

# 1. Test from backend repo
cd archety
python test_websocket_connection.py
# Expected: ✅ ALL TESTS PASSED!

# 2. Test from edge client repo
cd ../archety-edge
EDGE_SECRET=CHANGE_THIS_SECRET_IN_PRODUCTION npm start
# Expected: ✅ WebSocket connected!

---

For Production

When deploying to production, use a strong secret:

# Generate
SECRET=$(openssl rand -hex 32)

# Set on both sides
railway variables set EDGE_SECRET=$SECRET --environment production  # Backend
echo "EDGE_SECRET=$SECRET" >> .env  # Edge client

Security Note: Never commit secrets to git. Use environment variables only.

---

Document Version: 1.0 Last Updated: November 15, 2025 Status: Awaiting Railway configuration