Tighten auth helper origin checks

This commit is contained in:
Jage9
2026-03-08 21:58:19 -04:00
parent 0fc6018ca8
commit ba34ce4e9b
5 changed files with 50 additions and 8 deletions

@@ -128,7 +128,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
- accepts browser sockets only when websocket `Origin` matches `CHGRID_HOST_ORIGIN`
- reads `chgrid_session_token` from websocket `Cookie` header
- attempts resume before sending `auth_required`
- exposes `GET /auth/session/clear` to expire the `HttpOnly` cookie (`X-Chgrid-Auth-Client: 1` required)
- exposes `GET /auth/session/clear` to expire the `HttpOnly` cookie (`X-Chgrid-Auth-Client: 1` and matching `Origin` required)
- Server applies auth hardening before accepting login/register/resume:
- login/register PBKDF2 work runs off the event loop in bounded worker concurrency
- repeated auth failures are rate-limited by IP and IP+identity windows
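Review bot: the rewritten `GET /auth/session/clear` bullet says "matching `Origin` required" but does not state what happens when the request carries no `Origin` header at all, which is the usual case for a plain same-origin GET navigation (browsers reliably attach `Origin` to cross-origin and non-GET requests, not to every GET); since this guide documents behaviour rather than schemas, say explicitly whether an absent `Origin` is rejected or accepted, and the same question applies to the websocket `Origin` check in the first bullet. Worth a sentence too that the endpoint is still a state-changing GET, so the `X-Chgrid-Auth-Client: 1` header plus the `Origin` match are the only request-forgery guards this section documents.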