deckide 3.5.7 → 3.5.9

package/dist/websocket.js

@@ -1,6 +1,6 @@
 import crypto from 'node:crypto';
 import { WebSocketServer } from 'ws';
-import { PORT, TRUST_PROXY } from './config.js';
+import { PORT, TRUST_PROXY, CORS_ORIGIN, NODE_ENV } from './config.js';
 import { logSecurityEvent } from './middleware/security.js';
 import { verifyWebSocketAuth } from './middleware/auth.js';
 const MIN_TERMINAL_SIZE = 1;
@@ -86,17 +86,23 @@ function validateTerminalSize(value) {
 }
 export function setupWebSocketServer(server, terminals) {
     const wss = new WebSocketServer({ server });
-    const WS_ALLOWED_ORIGINS = [
+    const WS_ALLOWED_ORIGINS = new Set([
         `http://localhost:${PORT}`,
         'http://localhost:5173',
         'http://localhost:3000',
-    ];
+    ]);
+    // Allow configured CORS origin for WebSocket too
+    if (CORS_ORIGIN && CORS_ORIGIN !== '*') {
+        WS_ALLOWED_ORIGINS.add(CORS_ORIGIN);
+    }
     wss.on('connection', (socket, req) => {
         const socketId = crypto.randomUUID();
         const clientIP = getClientIP(req);
         // Validate Origin header to prevent Cross-Site WebSocket Hijacking
+        // Skip check if CORS_ORIGIN is '*' or unset in development mode
+        const skipOriginCheck = CORS_ORIGIN === '*' || (!CORS_ORIGIN && NODE_ENV !== 'production');
         const origin = req.headers['origin'];
-        if (origin && !WS_ALLOWED_ORIGINS.includes(origin)) {
+        if (origin && !skipOriginCheck && !WS_ALLOWED_ORIGINS.has(origin)) {
             logSecurityEvent('WS_INVALID_ORIGIN', { ip: clientIP, origin });
             socket.close(1008, 'Invalid origin');
             return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "deckide",
-  "version": "3.5.7",
+  "version": "3.5.9",
   "description": "Deck IDE - Browser-based IDE with terminal, file explorer, and git integration",
   "type": "module",
   "bin": {