From 0aa6c96765f8f55a55a801ad74a22b406d930fc8 Mon Sep 17 00:00:00 2001
From: moothz
Date: Tue, 9 Sep 2025 14:56:11 -0300
Subject: [PATCH] Customizable Websockets Security
Enables the option to specify safe remote addresses using WEBSOCKET_ALLOWED_HOSTS enviroment variables. Defaults to the secure only localhost.
---
 .env.example | 1 +
 .../integrations/event/websocket/websocket.controller.ts | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.env.example b/.env.example
index 679d15f6..eaac1e5f 100644
--- a/.env.example
+++ b/.env.example
@@ -99,6 +99,7 @@ SQS_REGION=
 # Websocket - Environment variables
 WEBSOCKET_ENABLED=false
 WEBSOCKET_GLOBAL_EVENTS=false
+WEBSOCKET_ALLOWED_HOSTS=127.0.0.1,::1,::ffff:127.0.0.1
 # Pusher - Environment variables
 PUSHER_ENABLED=false
diff --git a/src/api/integrations/event/websocket/websocket.controller.ts b/src/api/integrations/event/websocket/websocket.controller.ts
index 3f4afd9b..046682a9 100644
--- a/src/api/integrations/event/websocket/websocket.controller.ts
+++ b/src/api/integrations/event/websocket/websocket.controller.ts
@@ -31,11 +31,12 @@ export class WebsocketController extends EventController implements EventControl
 const params = new URLSearchParams(url.search);
 const { remoteAddress } = req.socket;
- const isLocalhost =
- remoteAddress === '127.0.0.1' || remoteAddress === '::1' || remoteAddress === '::ffff:127.0.0.1';
+ const isAllowedHost = (process.env.WEBSOCKET_ALLOWED_HOSTS || '127.0.0.1,::1,::ffff:127.0.0.1')
+ .split(',')
+ .map(h => h.trim())
+ .includes(remoteAddress);
- // Permite conexões internas do Socket.IO (EIO=4 é o Engine.IO v4)
- if (params.has('EIO') && isLocalhost) {
+ if (params.has('EIO') && isAllowedHost) {
 return callback(null, true);
 }
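Review bot: The new `WEBSOCKET_ALLOWED_HOSTS` line has no comment, and its name suggests hostnames although the controller change in this patch compares each entry to `req.socket.remoteAddress` with an exact string match. An operator who enters a hostname, a CIDR range, or only one textual form of an address gets no match and no error. I would add a line above it such as `# Exact IP literals only, comma separated; no hostnames or CIDR. IPv4 peers may also need the ::ffff:a.b.c.d form.`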
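Review bot: The early `return callback(null, true)` now accepts any Engine.IO handshake whose `req.socket.remoteAddress` is in an operator-supplied list, so what was a loopback-only shortcut becomes a source-address trust setting, and the removed comment that explained the branch is not replaced. If the checks that follow outside this hunk are the API-key validation, as the early accept suggests, then listing a reverse proxy, load balancer or container gateway address lets every client behind it skip them, because `remoteAddress` is the direct TCP peer. I would keep a comment on the branch, for example `// Peers in WEBSOCKET_ALLOWED_HOSTS are accepted without the checks below; remoteAddress is the direct TCP peer, so never list a proxy or gateway address`. The list is also re-read from `process.env` and re-split on every handshake; parsing it once into a `Set` at startup would be cleaner and would give one place to log the effective allowlist. The enclosing method starts and ends outside the hunk.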