External/ignis
1
0
Fork 0
mirror of https://github.com/Nystik-gh/ignis.git synced 2026-06-17 04:35:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c22ecb5fefed16b72d0a83b5f2da6cfe8661218f
ignis/apps/ignis-server/server/demo/demo-ws.js
Nystik 62d87af7dd harden demo sessions
2026-06-08 15:43:15 +02:00

57 lines
1.6 KiB
JavaScript
Raw Blame History

// Vault prefix translation for WebSocket upgrades.
//
// ws.js validates the upgrade's `?vault=` against config.vaults.
// We translate to the storage-prefixed name before it sees the request, otherwise the handshake fails and the client reconnect-loops.
const url = require("url");
const {
COOKIE_NAME,
sessions,
parseCookies,
makeStorageName,
tryParseUserVaultName,
touchSession,
} = require("./demo-sessions");
function wireWebSocket(server) {
const origEmit = server.emit.bind(server);
server.emit = function (event, req, ...rest) {
if (event === "upgrade") {
const cookies = parseCookies(req);
const sessionId = cookies[COOKIE_NAME];
if (sessionId && sessions.has(sessionId)) {
const u = new url.URL(req.url, "http://localhost");
const userVault = u.searchParams.get("vault");
if (userVault && !userVault.startsWith("demo-")) {
u.searchParams.set("vault", makeStorageName(sessionId, userVault));
req.url = u.pathname + u.search;
} else if (
userVault &&
userVault.startsWith("demo-") &&
tryParseUserVaultName(sessionId, userVault) === null
) {
// An already-prefixed vault that isn't this session's: refuse the upgrade.
const socket = rest[0];
if (socket && socket.writable) {
socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
socket.destroy();
}
return;
}
touchSession(sessionId);
}
}
return origEmit(event, req, ...rest);
};
}
module.exports = { wireWebSocket };
Reference in New Issue View Git Blame Copy Permalink