deckide 3.5.6 → 3.5.8
- package/bin/deckide.js +8 -5
- package/dist/websocket.js +8 -4
- package/package.json +1 -1
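--- a/package/bin/deckide.js
+++ b/package/bin/deckide.js
@@ -449,11 +449,14 @@ if (isServerRunningOnPort(port)) {
 process.exit(0);
 }
 
-// Kill old server if running on a different port
-
-if (
-
-
+// Kill old server if running on a different port (only in background mode,
+// FG mode is always spawned by background mode which already handles this)
+if (!startOptions.fg) {
+const oldPid = getRunningPid();
+if (oldPid) {
+console.log('Stopping old server...');
+stopServer();
+}
 }
 
 // ── Background mode (default) ──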
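Review bot: The new `if (!startOptions.fg)` guard rests on an invariant that only the comment states, namely that foreground mode is reached solely through the background launcher, and nothing in the hunk enforces it. If the foreground option can also be passed directly by a user (how `startOptions` is populated is outside the hunk), a direct foreground start would leave an older instance listening on its previous port with whatever terminals it still holds. Consider at least surfacing that case, e.g. `} else if (getRunningPid()) { console.warn('An older server is still running; stop it before starting in foreground mode.'); }`. The result of `stopServer()` is also not checked in the visible lines, so a failed stop would go unnoticed; the surrounding startup script begins and continues outside the hunk.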
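--- a/package/dist/websocket.js
+++ b/package/dist/websocket.js
@@ -1,6 +1,6 @@
 import crypto from 'node:crypto';
 import { WebSocketServer } from 'ws';
-import { PORT, TRUST_PROXY } from './config.js';
+import { PORT, TRUST_PROXY, CORS_ORIGIN } from './config.js';
 import { logSecurityEvent } from './middleware/security.js';
 import { verifyWebSocketAuth } from './middleware/auth.js';
 const MIN_TERMINAL_SIZE = 1;
@@ -86,17 +86,21 @@ function validateTerminalSize(value) {
 }
 export function setupWebSocketServer(server, terminals) {
 const wss = new WebSocketServer({ server });
-const WS_ALLOWED_ORIGINS = [
+const WS_ALLOWED_ORIGINS = new Set([
 `http://localhost:${PORT}`,
 'http://localhost:5173',
 'http://localhost:3000',
-];
+]);
+// Allow configured CORS origin for WebSocket too
+if (CORS_ORIGIN && CORS_ORIGIN !== '*') {
+WS_ALLOWED_ORIGINS.add(CORS_ORIGIN);
+}
 wss.on('connection', (socket, req) => {
 const socketId = crypto.randomUUID();
 const clientIP = getClientIP(req);
 // Validate Origin header to prevent Cross-Site WebSocket Hijacking
 const origin = req.headers['origin'];
-if (origin && !WS_ALLOWED_ORIGINS.
+if (origin && CORS_ORIGIN !== '*' && !WS_ALLOWED_ORIGINS.has(origin)) {
 logSecurityEvent('WS_INVALID_ORIGIN', { ip: clientIP, origin });
 socket.close(1008, 'Invalid origin');
 return;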
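Review bot: With `CORS_ORIGIN === '*'` the new condition on the `origin` check skips Origin validation entirely, which turns off the Cross-Site WebSocket Hijacking defence that the comment above it describes. A wildcard is a weaker promise for WebSockets than for HTTP CORS: the handshake is not subject to CORS and browsers attach cookies to it, so a socket that serves terminals would then depend on `verifyWebSocketAuth` alone, and its call is outside the hunk. I would keep the allow-list check unconditional, `if (origin && !WS_ALLOWED_ORIGINS.has(origin)) {`, and require an explicit origin in `CORS_ORIGIN` for remote access; if the wildcard bypass has to stay, record it once at startup through `logSecurityEvent`. `Set.has` is also an exact string match, so a `CORS_ORIGIN` value with a trailing slash or several comma-separated origins (its format in `config.js` is not visible here) would never match. The `connection` handler continues past the end of the hunk.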