Enforce websocket origin allowlist with secure-mode config
@@ -20,6 +20,7 @@ Defaults:
- Server reads `config.toml` automatically when present.
- Server default bind/port is `127.0.0.1:8765`.
- Server defaults to TLS-required unless you set `network.allow_insecure_ws=true` or pass `--allow-insecure-ws` for local/dev.
- In local/dev insecure mode (`allow_insecure_ws=true`), websocket Origin allowlist defaults to `http://localhost:5173` and `http://127.0.0.1:5173` when `network.allowed_origins` is empty.
- Client dev default is `localhost:5173`.
- Auth requires `CHGRID_AUTH_SECRET` in environment.
- Saved login uses server-managed `HttpOnly` cookie (`chgrid_session_token`) via `GET /auth/session/set` and `GET /auth/session/clear` (both require `X-Chgrid-Auth-Client: 1`).
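Review bot: The new Origin-allowlist bullet only defines the default for insecure mode (`allow_insecure_ws=true`) with an empty `network.allowed_origins`; it does not say what the server does in TLS-required mode when `network.allowed_origins` is empty. Please state that case explicitly (for example, whether every browser Origin is rejected until the list is configured), since TLS-required is the documented default. It would also help to note that the two dev defaults track the client dev default `localhost:5173`, so running the client on another port requires setting `network.allowed_origins`.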
@@ -111,6 +111,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
- Server is authoritative for all action validation and normalization.
- Server is authoritative for movement acceptance (bounds + rate/delta checks).
- Server enforces websocket Origin allowlist at handshake (`network.allowed_origins`).
- Server persists account state (last nickname + last position) and restores spawn from that state on auth login/resume.
- Server also supports websocket handshake cookie resume:
- reads `chgrid_session_token` from websocket `Cookie` header
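Review bot: The added handshake bullet does not say how the Origin check is ordered relative to the cookie resume described just below it, which reads `chgrid_session_token` from the websocket `Cookie` header. Because browsers attach that cookie to the handshake automatically, the guide should state that an Origin outside `network.allowed_origins` fails the handshake before the cookie is read. It should also say what the server does when the `Origin` header is absent.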