feat(backend): accept OAuth bearer token (#11052)

* feat(backend): accept OAuth bearer token

* refactor

* Update packages/backend/src/server/api/ApiCallService.ts

Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>

* Update packages/backend/src/server/api/ApiCallService.ts

Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>

* fix

* kind: permission for account moved error

* also for suspended error

* Update packages/backend/src/server/api/StreamingApiServerService.ts

Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>

---------

Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>
Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>

packages/backend/src/server/api/StreamingApiServerService.ts

@@ -58,11 +58,21 @@ export class StreamingApiServerService {
 			let user: LocalUser | null = null;
 			let app: AccessToken | null = null;
 
+			// https://datatracker.ietf.org/doc/html/rfc6750.html#section-2.1
+			// Note that the standard WHATWG WebSocket API does not support setting any headers,
+			// but non-browser apps may still be able to set it.
+			const token = request.headers.authorization?.startsWith('Bearer ')
+				? request.headers.authorization.slice(7)
+				: q.get('i');
+
 			try {
-				[user, app] = await this.authenticateService.authenticate(q.get('i'));
+				[user, app] = await this.authenticateService.authenticate(token);
 			} catch (e) {
 				if (e instanceof AuthenticationError) {
-					socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+					socket.write([
+						'HTTP/1.1 401 Unauthorized',
+						'WWW-Authenticate: Bearer realm="Misskey", error="invalid_token", error_description="Failed to authenticate"',
+					].join('\r\n') + '\r\n\r\n');
 				} else {
 					socket.write('HTTP/1.1 500 Internal Server Error\r\n\r\n');
 				}