
fix: inject gateway token into WebSocket requests for CF Access users #176

Merged: sidharthachatterjee merged 1 commit into cloudflare:main from yuki0627:fix/ws-token-injection on Feb 6, 2026

Conversation

@yuki0627 (Contributor) commented Feb 5, 2026

Summary

  • When Cloudflare Access is enabled, the authentication redirect strips query parameters from the URL, causing authenticated users to lose the ?token= parameter
  • The worker now injects MOLTBOT_GATEWAY_TOKEN into WebSocket requests server-side when the token parameter is missing
  • Since the user has already passed CF Access authentication at this point, this is safe and expected

Fixes #58

Details

The root cause: CF Access redirects (for login) strip query params from the original URL. So even if a user visits https://example.com/?token=xxx, after CF Access authentication they land on https://example.com/ without the token. The gateway dashboard's JavaScript then opens WebSocket connections without ?token=, and the container gateway rejects them with 1008: Invalid or missing token.

The fix injects the gateway token at the Worker level before proxying the WebSocket to the container, only when:

  1. MOLTBOT_GATEWAY_TOKEN is configured
  2. The request doesn't already have a token query param

Test plan

  • Deploy with CF Access enabled and MOLTBOT_GATEWAY_TOKEN set
  • Access the gateway dashboard through CF Access (no ?token= in URL)
  • Verify WebSocket connects successfully without "Invalid or missing token" error
  • Verify device pairing flow works after WebSocket connects

When Cloudflare Access is enabled, the authentication redirect strips
query parameters from the URL. This causes authenticated users to lose
the ?token= parameter, resulting in "disconnected (1008): Invalid or
missing token" errors on the gateway dashboard.

Since the user has already passed CF Access authentication at this
point, the worker now injects MOLTBOT_GATEWAY_TOKEN into the WebSocket
request server-side when the token parameter is missing.

Fixes cloudflare#58

@sidharthachatterjee (Collaborator)

Thanks for this!

@sidharthachatterjee sidharthachatterjee merged commit 8c2fafe into cloudflare:main Feb 6, 2026
1 of 4 checks passed
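
The conditional injection described in this pull request, as an added example that is not the code merged here: `gatewayUrlFor`, `redactForLog` and the `accessVerified` flag are hypothetical names, and the token value is constructed. It makes the "already passed CF Access" precondition an explicit input and masks the token before the proxied URL is logged.

```javascript
// Added example, not the merged Worker code. MOLTBOT_GATEWAY_TOKEN is the
// binding named in the PR; all function and parameter names are hypothetical.

function isWebSocketUpgrade(upgradeHeader) {
  return typeof upgradeHeader === "string" &&
    upgradeHeader.toLowerCase() === "websocket";
}

// Build the URL that is proxied to the container gateway.
// accessVerified (assumption): true only after the Worker has validated the
// Cloudflare Access session for this request.
function gatewayUrlFor(requestUrl, upgradeHeader, env, accessVerified) {
  const url = new URL(requestUrl);
  const inject =
    isWebSocketUpgrade(upgradeHeader) &&
    accessVerified === true &&
    Boolean(env.MOLTBOT_GATEWAY_TOKEN) &&   // condition 1: token configured
    !url.searchParams.has("token");         // condition 2: no client token
  if (inject) {
    url.searchParams.set("token", env.MOLTBOT_GATEWAY_TOKEN);
  }
  return url.toString();
}

// The proxied URL now carries a secret, so mask it before it reaches any log.
function redactForLog(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.toString();
}

// Constructed sample input.
const sampleEnv = { MOLTBOT_GATEWAY_TOKEN: "constructed-sample-token" };
const proxied = gatewayUrlFor("https://example.com/ws", "websocket", sampleEnv, true);
console.log(redactForLog(proxied));
```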