Make websocket transport secure by default

Jage9
2026-02-28 03:52:05 -05:00
parent 46fd9fe46f
commit cf54132c25
6 changed files with 14 additions and 7 deletions


@@ -16,6 +16,7 @@ Key options:
- `tls.cert_file`, `tls.key_file`
If `network.allow_insecure_ws = false`, TLS cert/key are required and server runs as `wss://`.
For local/dev without TLS, either set `network.allow_insecure_ws = true` or pass `--allow-insecure-ws`.
## Run
@@ -31,5 +32,6 @@ python main.py --config config.toml
```bash
python main.py --config config.toml --host 127.0.0.1 --port 8765
python main.py --config config.toml --allow-insecure-ws
python main.py --config config.toml --ssl-cert /path/cert.pem --ssl-key /path/key.pem
```


@@ -19,7 +19,7 @@ class NetworkConfigSection(BaseModel):
"""Network transport and safety limits."""
max_message_bytes: int = Field(default=2_000_000, gt=0)
allow_insecure_ws: bool = True
allow_insecure_ws: bool = False
class TlsConfigSection(BaseModel):
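Review bot: The `allow_insecure_ws` field in `NetworkConfigSection` still has no comment or description saying that `True` permits plaintext `ws://`, which matters more now that the field is the explicit opt-out from the TLS requirement. I would declare it the way the line above does, `allow_insecure_ws: bool = Field(default=False, description="Allow plaintext ws:// without TLS; local/dev only.")`, so the risk is visible in the model and in any generated schema. Configs that omit the key used to get `True`, so existing deployments without `tls.cert_file`/`tls.key_file` will presumably refuse to start after this change; that is the safe failure mode, but it deserves an upgrade note. The class begins above the hunk, so any validator that already covers this is not visible here.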


@@ -7,8 +7,8 @@ port = 8765
[network]
# Maximum inbound websocket message size in bytes.
max_message_bytes = 2000000
# If false, TLS cert and key are required and server runs as wss:// only.
allow_insecure_ws = true
# Secure-by-default: TLS is required unless you explicitly set this to true for local/dev.
allow_insecure_ws = false
[tls]
# Required when allow_insecure_ws = false.


@@ -8,7 +8,7 @@ from app.config import load_config
def test_load_config_defaults_when_path_none() -> None:
cfg = load_config(None)
assert cfg.server.bind_ip == "127.0.0.1"
assert cfg.network.allow_insecure_ws is True
assert cfg.network.allow_insecure_ws is False
assert cfg.storage.state_file == "runtime/items.json"
assert cfg.storage.state_save_debounce_ms == 200
assert cfg.storage.state_save_max_delay_ms == 1000
@@ -31,6 +31,9 @@ def test_load_config_reads_state_save_timing(tmp_path: Path) -> None:
config_path = tmp_path / "config.toml"
config_path.write_text(
"""
[network]
allow_insecure_ws = true
[storage]
state_file = "runtime/items.json"
state_save_debounce_ms = 150