Harden origin and media URL security

Jage9
2026-03-08 20:51:50 -04:00
parent 3d69bbcea2
commit 78bc931cce
12 changed files with 378 additions and 14 deletions

@@ -4,6 +4,8 @@
```bash
cd /home/jjm/code/chgrid/server
export CHGRID_AUTH_SECRET=dev-secret
export CHGRID_HOST_ORIGIN=http://localhost:5173
.venv/bin/python main.py --allow-insecure-ws
```
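Review bot: the quick-start sets `CHGRID_HOST_ORIGIN=http://localhost:5173` without saying what form the server expects, while the behaviour guide in this same commit says the websocket `Origin` must match this value. Add a sentence here that the value is the exact origin serialization (`scheme://host[:port]`, no trailing slash or path), because a browser-sent `Origin` header never carries a path, so a value such as `http://localhost:5173/` would not match.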
@@ -22,6 +24,7 @@ Defaults:
- Server defaults to TLS-required unless you set `network.allow_insecure_ws=true` or pass `--allow-insecure-ws` for local/dev.
- Client dev default is `localhost:5173`.
- Auth requires `CHGRID_AUTH_SECRET` in environment.
- Browser-origin enforcement requires `CHGRID_HOST_ORIGIN` in environment.
- Saved login uses server-managed `HttpOnly` cookie (`chgrid_session_token`) via `GET /auth/session/set` and `GET /auth/session/clear` (both require `X-Chgrid-Auth-Client: 1`).
## Quick Restarts
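Review bot: the new Defaults line says browser-origin enforcement requires `CHGRID_HOST_ORIGIN` but not what happens when it is unset; the reader cannot tell whether the server fails closed (refuses to start) or fails open (skips the `Origin` check). State it explicitly, e.g. `- Server refuses to start when `CHGRID_HOST_ORIGIN` is unset.`, and do the same for `CHGRID_AUTH_SECRET` on the line above.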
@@ -30,7 +33,7 @@ Server:
```bash
lsof -tiTCP:8765 -sTCP:LISTEN | xargs -r kill
cd /home/jjm/code/chgrid/server
nohup .venv/bin/python main.py --allow-insecure-ws > /tmp/chgrid-server.log 2>&1 &
CHGRID_AUTH_SECRET=dev-secret CHGRID_HOST_ORIGIN=http://localhost:5173 nohup .venv/bin/python main.py --allow-insecure-ws > /tmp/chgrid-server.log 2>&1 &
```
Client:
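Review bot: the restart command hardcodes `CHGRID_AUTH_SECRET=dev-secret` a second time even though the quick-start above already exports it, so the two copies can drift and the literal is easy to copy into a non-dev run. Either rely on the variables exported in the quick-start, or keep the literal in one place and add a comment that `dev-secret` is only for local `--allow-insecure-ws` runs.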

@@ -125,6 +125,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
- Server is authoritative for movement acceptance (bounds + rate/delta checks).
- Server persists account state (last nickname + last position) and restores spawn from that state on auth login/resume.
- Server also supports websocket handshake cookie resume:
- accepts browser sockets only when websocket `Origin` matches `CHGRID_HOST_ORIGIN`
- reads `chgrid_session_token` from websocket `Cookie` header
- attempts resume before sending `auth_required`
- exposes `GET /auth/session/clear` to expire the `HttpOnly` cookie (`X-Chgrid-Auth-Client: 1` required)
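Review bot: `accepts browser sockets only when websocket `Origin` matches `CHGRID_HOST_ORIGIN`` leaves two things undefined that clients and deployers need: how a handshake with no `Origin` header is treated (the wording "browser sockets" suggests it passes as a non-browser client, which should be said outright), and whether "matches" is an exact comparison of scheme, host and port rather than a prefix or substring test. Suggested wording: `- rejects the handshake when `Origin` is present and not byte-for-byte equal to `CHGRID_HOST_ORIGIN`; sockets without `Origin` are treated as non-browser clients`.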
@@ -139,6 +140,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
- `none/off` normalize to empty values
- bare filenames normalize to `sounds/<name>` for sound-reference fields
- media URL-like fields are trimmed/validated consistently
- radio stream metadata fetches only follow validated public `http`/`https` URLs and revalidate redirect hops
- Client-side item edit validation is convenience only; server remains source of truth.
## Heartbeat/Stale Recovery
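Review bot: `validated public `http`/`https` URLs` does not say what is rejected, so a reviewer cannot check the guide against the code. Spell out the checks: that the resolved address (not only the hostname literal) is rejected when it is loopback, private or link-local, that the scheme allowlist and address check are re-applied on every redirect hop, and that a redirect-count cap and fetch timeout apply, neither of which the new line mentions.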

@@ -4,8 +4,8 @@
1. User clicks connect.
2. Client validates auth form and sets up local media.
3. Client connects signaling websocket.
4. Server attempts cookie-based session resume from websocket handshake cookie (`chgrid_session_token`).
3. Client connects signaling websocket from the configured app origin.
4. Server accepts the socket only when the browser `Origin` matches `CHGRID_HOST_ORIGIN`, then attempts cookie-based session resume from websocket handshake cookie (`chgrid_session_token`).
5. If resume does not authenticate, server sends `auth_required`.
- includes `authPolicy` limits for username/password.
6. Client sends `auth_login` or `auth_register` (or explicit `auth_resume` if provided by caller).
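Review bot: step 4 now folds two independent server decisions into one sentence, and the flow never says what the client observes when the `Origin` check fails; step 5 only covers the resume-failed case (`auth_required`). Add the rejection outcome and split the step, e.g. `4a. If `Origin` does not match `CHGRID_HOST_ORIGIN`, server closes the handshake and no `auth_required` follows.` with the cookie resume as `4b.`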