Talon/chat_grid
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix media proxy auth origin forwarding

Browse Source
This commit is contained in:
Jage9
2026-03-08 23:04:37 -04:00
parent 19b593b1aa
commit b229e20ae2
4 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
client/public/version.js
View File

@@ -1,6 +1,6 @@
// Maintainer-controlled web client version metadata.
window.CHGRID_RELEASE_VERSION = "0.1.0";
window.CHGRID_BUILD_REVISION = "R343";
window.CHGRID_BUILD_REVISION = "R344";
window.CHGRID_WEB_VERSION = `${window.CHGRID_RELEASE_VERSION} ${window.CHGRID_BUILD_REVISION}`;
// Optional display timezone for timestamps. Falls back to America/Detroit if unset/invalid.
window.CHGRID_TIME_ZONE = "America/Detroit";

2
deploy/README.md
View File

@@ -108,7 +108,7 @@ ProxyPassReverse /listen/8000/ http://127.0.0.1:8000/
`deploy/php/media_proxy.php` is copied into your publish directory by `deploy_client.sh`.
When `server/.env` contains `CHGRID_HOST_ORIGIN`, `deploy_client.sh` also generates `media_proxy.config.php` in the publish directory so the proxy can enforce the same origin and validate authenticated sessions without extra Apache-specific config. The generated file derives the local auth-check URL from `server/config.toml`, so custom signaling ports continue to work.
When `server/.env` contains `CHGRID_HOST_ORIGIN`, `deploy_client.sh` also generates `media_proxy.config.php` in the publish directory so the proxy can enforce the same origin and validate authenticated sessions without extra Apache-specific config. The generated file derives the local auth-check URL from `server/config.toml`, so custom signaling ports continue to work, and the proxy reuses `CHGRID_HOST_ORIGIN` for its internal auth check.
If you deploy the PHP proxy some other way, you can still provide `CHGRID_HOST_ORIGIN` directly through your PHP/web-server environment.

5
deploy/php/media_proxy.php
View File

@@ -187,7 +187,7 @@ function load_proxy_session_check_url()
return $value;
}
function require_valid_proxy_session($sessionCheckUrl)
function require_valid_proxy_session($sessionCheckUrl, $allowedOrigin)
{
$cookieHeader = isset($_SERVER['HTTP_COOKIE']) ? trim((string) $_SERVER['HTTP_COOKIE']) : '';
if ($cookieHeader === '') {
@@ -216,6 +216,7 @@ function require_valid_proxy_session($sessionCheckUrl)
array(
'Cookie: ' . $cookieHeader,
'X-Chgrid-Auth-Client: 1',
'Origin: ' . $allowedOrigin,
)
);
@@ -521,7 +522,7 @@ if ($method !== 'GET' && $method !== 'HEAD') {
send_text(405, 'method not allowed');
}
require_valid_proxy_session($sessionCheckUrl);
require_valid_proxy_session($sessionCheckUrl, $allowedOrigin);
$rawUrl = isset($_GET['url']) ? trim((string) $_GET['url']) : '';
if ($rawUrl === '') {

2
server/config.example.toml
View File

@@ -15,9 +15,11 @@ allow_insecure_ws = false
[tls]
# Required when allow_insecure_ws = false.
cert_file = ""
# Private key paired with tls.cert_file.
key_file = ""
[logging]
# Python logging level for the signaling server.
level = "INFO"
[storage]