Talon/chat_grid
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden origin and media URL security

Browse Source
This commit is contained in:
Jage9
2026-03-08 20:51:50 -04:00
parent 3d69bbcea2
commit 78bc931cce
12 changed files with 378 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/runtime-flow.md
View File

@@ -4,8 +4,8 @@
1. User clicks connect.
2. Client validates auth form and sets up local media.
3. Client connects signaling websocket.
4. Server attempts cookie-based session resume from websocket handshake cookie (`chgrid_session_token`).
3. Client connects signaling websocket from the configured app origin.
4. Server accepts the socket only when the browser `Origin` matches `CHGRID_HOST_ORIGIN`, then attempts cookie-based session resume from websocket handshake cookie (`chgrid_session_token`).
5. If resume does not authenticate, server sends `auth_required`.
- includes `authPolicy` limits for username/password.
6. Client sends `auth_login` or `auth_register` (or explicit `auth_resume` if provided by caller).