deckide 3.5.7 → 3.5.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/websocket.js +8 -4
- package/package.json +1 -1
package/dist/websocket.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import crypto from 'node:crypto';
|
|
2
2
|
import { WebSocketServer } from 'ws';
|
|
3
|
-
import { PORT, TRUST_PROXY } from './config.js';
|
|
3
|
+
import { PORT, TRUST_PROXY, CORS_ORIGIN } from './config.js';
|
|
4
4
|
import { logSecurityEvent } from './middleware/security.js';
|
|
5
5
|
import { verifyWebSocketAuth } from './middleware/auth.js';
|
|
6
6
|
const MIN_TERMINAL_SIZE = 1;
|
|
@@ -86,17 +86,21 @@ function validateTerminalSize(value) {
|
|
|
86
86
|
}
|
|
87
87
|
export function setupWebSocketServer(server, terminals) {
|
|
88
88
|
const wss = new WebSocketServer({ server });
|
|
89
|
-
const WS_ALLOWED_ORIGINS = [
|
|
89
|
+
const WS_ALLOWED_ORIGINS = new Set([
|
|
90
90
|
`http://localhost:${PORT}`,
|
|
91
91
|
'http://localhost:5173',
|
|
92
92
|
'http://localhost:3000',
|
|
93
|
-
];
|
|
93
|
+
]);
|
|
94
|
+
// Allow configured CORS origin for WebSocket too
|
|
95
|
+
if (CORS_ORIGIN && CORS_ORIGIN !== '*') {
|
|
96
|
+
WS_ALLOWED_ORIGINS.add(CORS_ORIGIN);
|
|
97
|
+
}
|
|
94
98
|
wss.on('connection', (socket, req) => {
|
|
95
99
|
const socketId = crypto.randomUUID();
|
|
96
100
|
const clientIP = getClientIP(req);
|
|
97
101
|
// Validate Origin header to prevent Cross-Site WebSocket Hijacking
|
|
98
102
|
const origin = req.headers['origin'];
|
|
99
|
-
if (origin && !WS_ALLOWED_ORIGINS.
|
|
103
|
+
if (origin && CORS_ORIGIN !== '*' && !WS_ALLOWED_ORIGINS.has(origin)) {
|
|
100
104
|
logSecurityEvent('WS_INVALID_ORIGIN', { ip: clientIP, origin });
|
|
101
105
|
socket.close(1008, 'Invalid origin');
|
|
102
106
|
return;
|