@tagma/sdk 0.4.1 → 0.4.2

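--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@tagma/sdk",
- "version": "0.4.1",
+ "version": "0.4.2",
  "license": "MIT",
  "repository": {
  "type": "git",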
@@ -32,10 +32,10 @@ export interface WebSocketApprovalAdapterOptions {
32
32
  */
33
33
  token?: string;
34
34
  /**
35
- * M11: opt-out of origin checking. Defaults to false, meaning we accept
36
- * any origin (including no Origin header). The recommended setup is to
37
- * combine `token` with hostname='localhost' / loopback bind so the
38
- * adapter is reachable only by trusted local processes.
35
+ * M11: opt-out of origin checking. Defaults to false, meaning Origin
36
+ * headers are restricted to loopback hosts (localhost / 127.0.0.1 / ::1).
37
+ * Requests without an Origin header are still allowed so non-browser local
38
+ * clients can connect. Set true only for trusted reverse-proxy setups.
39
39
  */
40
40
  allowAnyOrigin?: boolean;
41
41
  }
@@ -58,6 +58,16 @@ export function attachWebSocketApprovalAdapter(
58
58
  const port = options.port ?? 3000;
59
59
  const hostname = options.hostname ?? 'localhost';
60
60
  const requiredToken = options.token ?? null;
61
+ const enforceOriginCheck = options.allowAnyOrigin !== true;
62
+
63
+ function isLoopbackOrigin(origin: string): boolean {
64
+ try {
65
+ const host = new URL(origin).hostname.toLowerCase();
66
+ return host === 'localhost' || host === '127.0.0.1' || host === '::1' || host === '[::1]';
67
+ } catch {
68
+ return false;
69
+ }
70
+ }
61
71
 
62
72
  type WS = import('bun').ServerWebSocket<unknown>;
63
73
  const clients = new Set<WS>();
@@ -92,6 +102,12 @@ export function attachWebSocketApprovalAdapter(
92
102
  hostname,
93
103
 
94
104
  fetch(req, server) {
105
+ if (enforceOriginCheck) {
106
+ const origin = req.headers.get('origin');
107
+ if (origin && !isLoopbackOrigin(origin)) {
108
+ return new Response('forbidden origin', { status: 403 });
109
+ }
110
+ }
95
111
  // M11: enforce token before any upgrade so an unauthenticated client
96
112
  // can't even open a socket. Tokens may arrive via header or query.
97
113
  if (requiredToken !== null) {