Talon/chat_grid
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix session cookie routing and proxy-aware auth throttling

Browse Source
This commit is contained in:
Jage9
2026-03-01 23:57:31 -05:00
parent b8375e82f7
commit 2956fa8083
5 changed files with 90 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
server/app/server.py
View File

@@ -9,6 +9,7 @@ from contextlib import suppress
from datetime import datetime, timezone
from getpass import getpass
from importlib.metadata import PackageNotFoundError, version as package_version
import ipaddress
import json
import logging
import os
@@ -456,10 +457,53 @@ class SignalingServer:
address = getattr(client.websocket, "remote_address", None)
if isinstance(address, tuple) and address:
return str(address[0])
if isinstance(address, str):
return address
return "unknown"
peer_raw = address[0]
elif isinstance(address, str):
peer_raw = address
else:
peer_raw = None
peer_ip = SignalingServer._normalized_ip(peer_raw)
if not peer_ip:
return "unknown"
# Trust X-Forwarded-For only from a loopback proxy hop (e.g., local Apache/nginx).
try:
peer_addr = ipaddress.ip_address(peer_ip)
except ValueError:
return peer_ip
if not peer_addr.is_loopback:
return peer_ip
request = getattr(client.websocket, "request", None)
headers = getattr(request, "headers", None)
if headers is None:
return peer_ip
forwarded = str(headers.get("X-Forwarded-For", "")).strip()
if not forwarded:
return peer_ip
for candidate in forwarded.split(","):
parsed = SignalingServer._normalized_ip(candidate)
if parsed:
return parsed
return peer_ip
@staticmethod
def _normalized_ip(value: object) -> str | None:
"""Return normalized IP text or None when input is invalid."""
if value is None:
return None
text = str(value).strip()
if not text:
return None
if text.startswith("[") and text.endswith("]"):
text = text[1:-1]
if "%" in text:
text = text.split("%", 1)[0]
try:
return str(ipaddress.ip_address(text))
except ValueError:
return None
@staticmethod
def _prune_failure_window(bucket: deque[float], now_s: float) -> None:

27
server/tests/test_server_message_handling.py
View File

@@ -3,6 +3,7 @@ from __future__ import annotations
import asyncio
import json
from pathlib import Path
from types import SimpleNamespace
from time import monotonic
from typing import cast
import uuid
@@ -23,6 +24,32 @@ def _packet_types(payloads: list[object]) -> list[str]:
return [getattr(packet, "type", "") for packet in payloads]
def test_client_ip_prefers_forwarded_for_from_loopback_proxy() -> None:
server = SignalingServer("127.0.0.1", 8765, None, None)
ws = cast(
ServerConnection,
SimpleNamespace(
remote_address=("127.0.0.1", 12345),
request=SimpleNamespace(headers={"X-Forwarded-For": "198.51.100.25, 127.0.0.1"}),
),
)
client = ClientConnection(websocket=ws, id="u1", nickname="tester")
assert server._client_ip(client) == "198.51.100.25"
def test_client_ip_ignores_forwarded_for_from_non_loopback_peer() -> None:
server = SignalingServer("127.0.0.1", 8765, None, None)
ws = cast(
ServerConnection,
SimpleNamespace(
remote_address=("203.0.113.20", 12345),
request=SimpleNamespace(headers={"X-Forwarded-For": "198.51.100.25"}),
),
)
client = ClientConnection(websocket=ws, id="u1", nickname="tester")
assert server._client_ip(client) == "203.0.113.20"
@pytest.mark.asyncio
async def test_update_position_rejects_out_of_bounds(monkeypatch: pytest.MonkeyPatch) -> None:
server = SignalingServer("127.0.0.1", 8765, None, None, grid_size=41)