SSE auth is being passed via ?token=... in the URL. Firebase ID tokens in query strings are easy to leak via reverse-proxy logs, browser history, error reports, and referrers; additionally chi/middleware.Logger can log the full URL including the token. Prefer an approach that does not put credentials in the URL (e.g., a same-origin cookie session, a short-lived one-time SSE ticket obtained via an authenticated fetch, or an EventSource polyfill that supports Authorization headers).
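The short-lived one-time SSE ticket option named in the comment above, as an added Go example that is not code from this PR: an authenticated fetch calls `Issue`, and the SSE handler calls `Redeem` on the ticket it receives, so a value that later shows up in a proxy log or referrer is already spent. `TicketStore`, `Issue`, `Redeem`, the 30-second TTL and the sample user id are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

type ticket struct{ uid string; expires time.Time }

// TicketStore holds single-use SSE tickets (hypothetical type, not from the PR).
type TicketStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	tickets map[string]ticket
}

func NewTicketStore(ttl time.Duration) *TicketStore {
	return &TicketStore{ttl: ttl, tickets: map[string]ticket{}}
}

// Issue is called only after the request's Authorization header was verified.
func (s *TicketStore) Issue(uid string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	id := base64.RawURLEncoding.EncodeToString(b)
	s.tickets[id] = ticket{uid: uid, expires: time.Now().Add(s.ttl)}
	return id, nil
}

// Redeem deletes the ticket before validating it, so a replayed value fails.
func (s *TicketStore) Redeem(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tickets[id]
	delete(s.tickets, id)
	if !ok || time.Now().After(t.expires) {
		return "", false
	}
	return t.uid, true
}
func main() {
	s := NewTicketStore(30 * time.Second)
	id, _ := s.Issue("constructed-uid") // constructed sample user id
	fmt.Println(s.Redeem(id))           // first redemption succeeds
	fmt.Println(s.Redeem(id))           // replay of the same ticket fails
}
```

Tickets that are issued but never redeemed stay in the map, so a long-running server would also sweep expired entries on a timer.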