Scope server routes by base path
This commit is contained in:
Jage9
@@ -21,12 +21,13 @@ Open: `http://localhost:5173`
|
||||
Defaults:
|
||||
- Server reads `config.toml` automatically when present.
|
||||
- Server default bind/port is `127.0.0.1:8765`.
|
||||
- Server default base path is `/` for local/dev; production subpath deploys should set `server.base_path` to match the published client path such as `/chgrid/`.
|
||||
- Server defaults to TLS-required unless you set `network.allow_insecure_ws=true` or pass `--allow-insecure-ws` for local/dev.
|
||||
- Client dev default is `localhost:5173`.
|
||||
- Auth requires `CHGRID_AUTH_SECRET` in environment.
|
||||
- Browser-origin enforcement requires `CHGRID_HOST_ORIGIN` in environment.
|
||||
- A starter env file is available at `server/.env.sample`.
|
||||
- Saved login uses server-managed `HttpOnly` cookie (`chgrid_session_token`) via `GET /auth/session/set` and `GET /auth/session/clear` (both require `X-Chgrid-Auth-Client: 1`).
|
||||
- Saved login uses instance-scoped server-managed `HttpOnly` cookie helpers under the configured base path (for example `/chgrid/auth/session/set` and `/chgrid/auth/session/clear`) and both require `X-Chgrid-Auth-Client: 1`.
|
||||
|
||||
## Quick Restarts
|
||||
|
||||
|
||||
@@ -96,7 +96,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
|
||||
- `policy` (`usernameMinLength`, `usernameMaxLength`, `passwordMinLength`, `passwordMaxLength`)
|
||||
- `auth_required.authPolicy`: server auth limits advertised before login/register submit.
|
||||
- `auth_result.authPolicy`: server auth limits echoed on auth success/failure responses.
|
||||
- `auth_result.sessionToken` is used by the client to call server HTTP endpoint `GET /auth/session/set` (`Authorization: Bearer <sessionToken>`, `X-Chgrid-Auth-Client: 1`) so the server can issue `Set-Cookie: chgrid_session_token=...; HttpOnly`.
|
||||
- `auth_result.sessionToken` is used by the client to call the instance-scoped HTTP endpoint `GET <base_path>auth/session/set` (`Authorization: Bearer <sessionToken>`, `X-Chgrid-Auth-Client: 1`) so the server can issue `Set-Cookie: chgrid_session_token=...; HttpOnly`.
|
||||
- `welcome.worldConfig.gridSize`: server-authoritative grid size used by clients for bounds/drawing.
|
||||
- `welcome.worldConfig.movementTickMs`: server movement-rate window used for client movement pacing.
|
||||
- `welcome.worldConfig.movementMaxStepsPerTick`: max allowed grid steps per movement window.
|
||||
@@ -126,9 +126,10 @@ This is a behavior guide for packet semantics beyond raw schemas.
|
||||
- Server persists account state (last nickname + last position) and restores spawn from that state on auth login/resume.
|
||||
- Server also supports websocket handshake cookie resume:
|
||||
- accepts browser sockets only when websocket `Origin` matches `CHGRID_HOST_ORIGIN`
|
||||
- websocket and auth helper routes are scoped under the configured `server.base_path`
|
||||
- reads `chgrid_session_token` from websocket `Cookie` header
|
||||
- attempts resume before sending `auth_required`
|
||||
- exposes `GET /auth/session/clear` to expire the `HttpOnly` cookie (`X-Chgrid-Auth-Client: 1` and matching `Origin` required)
|
||||
- exposes `GET <base_path>auth/session/clear` to expire the `HttpOnly` cookie (`X-Chgrid-Auth-Client: 1` and matching `Origin` required)
|
||||
- Server applies auth hardening before accepting login/register/resume:
|
||||
- login/register PBKDF2 work runs off the event loop in bounded worker concurrency
|
||||
- repeated auth failures are rate-limited by IP and IP+identity windows
|
||||
|
||||
@@ -5,14 +5,14 @@
|
||||
1. User clicks connect.
|
||||
2. Client validates auth form and sets up local media.
|
||||
3. Client connects signaling websocket from the configured app origin.
|
||||
4. Server accepts the socket only when the browser `Origin` matches `CHGRID_HOST_ORIGIN`, then attempts cookie-based session resume from websocket handshake cookie (`chgrid_session_token`).
|
||||
4. Server accepts the socket only on the configured instance websocket path and when the browser `Origin` matches `CHGRID_HOST_ORIGIN`, then attempts cookie-based session resume from websocket handshake cookie (`chgrid_session_token`).
|
||||
5. If resume does not authenticate, server sends `auth_required`.
|
||||
- includes `authPolicy` limits for username/password.
|
||||
6. Client sends `auth_login` or `auth_register` (or explicit `auth_resume` if provided by caller).
|
||||
7. Server sends `auth_result`.
|
||||
- includes role + permissions for authenticated session.
|
||||
8. Client persists authenticated session into a server-managed `HttpOnly` cookie via `GET /auth/session/set` (`Authorization: Bearer <sessionToken>`, `X-Chgrid-Auth-Client: 1`), and clears it via `GET /auth/session/clear` (`X-Chgrid-Auth-Client: 1`) on logout/session errors.
|
||||
- the optional PHP media proxy validates that same cookie through `GET /auth/session/check` before relaying media
|
||||
8. Client persists authenticated session into instance-scoped server-managed `HttpOnly` cookie helpers under the active app base path via `GET <base_path>auth/session/set` (`Authorization: Bearer <sessionToken>`, `X-Chgrid-Auth-Client: 1`), and clears it via `GET <base_path>auth/session/clear` on logout/session errors.
|
||||
- the optional PHP media proxy validates that same cookie through `GET <base_path>auth/session/check` before relaying media
|
||||
9. Server sends `welcome` with users/items snapshot.
|
||||
10. Client:
|
||||
- applies `welcome.worldConfig.gridSize` for authoritative grid bounds/rendering
|
||||
|
||||
Reference in New Issue
Block a user