Skip to content

security: add authentication and origin validation to WebSocket #414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cfsmp3 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

security: add authentication and origin validation to WebSocket #414

cfsmp3 wants to merge 2 commits into from

Conversation

@cfsmp3
Copy link
Collaborator

@cfsmp3 cfsmp3 commented Jan 19, 2026

Summary

  • Add session authentication to WebSocket endpoint
  • Add Origin header validation to prevent unauthorized connections

Security Issue Addressed

WebSocket Without Authentication (Low) - Previously, the /ws WebSocket endpoint:

  1. Accepted connections from any origin (CheckOrigin: func(r *http.Request) bool { return true })
  2. Did not verify user authentication

Changes

  • backend/controllers/websocket.go:

    • Add checkWebSocketOrigin() for Origin header validation
    • Add AuthenticatedWebSocketHandler() that requires valid session
    • Keep original WebSocketHandler for backward compatibility (deprecated)
    • Support ALLOWED_ORIGIN and FRONTEND_ORIGIN_DEV env vars
    • Allow localhost origins in development mode
    • Log rejected connections for security monitoring

  • backend/main.go:

    • Use AuthenticatedWebSocketHandler(store) instead of WebSocketHandler

WebSocket Security Layers

With this PR:

  1. Origin validation - Rejects connections from disallowed origins
  2. Session authentication - Requires valid user session
  3. Secure upgrade - Only authenticated users can upgrade to WebSocket

Test plan

  • Verify authenticated users can establish WebSocket connections
  • Verify unauthenticated users are rejected (401)
  • Verify connections from disallowed origins are rejected
  • Verify localhost works in development mode

🤖 Generated with Claude Code

@cfsmp3 @claude
security: add authentication and origin validation to WebSocket
b791e7a 
Add session authentication and origin header validation to the
WebSocket endpoint to prevent unauthorized access.

- Add checkWebSocketOrigin() for origin header validation
- Add AuthenticatedWebSocketHandler() requiring valid session
- Update main.go to use authenticated handler
- Support ALLOWED_ORIGIN and FRONTEND_ORIGIN_DEV env vars
- Allow localhost in development mode
- Log rejected connections for security monitoring

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Jan 19, 2026

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

  • Check the "Files changed" tab
  • Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
  • Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
  • Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

its-me-abhishek
its-me-abhishek requested changes Jan 19, 2026
View reviewed changes
backend/controllers/websocket.go Outdated

// If no ALLOWED_ORIGIN configured, check if origin matches the request host
host := r.Host
if strings.Contains(origin, host) {
Copy link
Collaborator

@its-me-abhishek its-me-abhishek Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be insecure,can parse the origin somehow and then compare hostname equality, not substrings.

backend/controllers/websocket.go Outdated
}

// In development, allow localhost origins
if os.Getenv("ENV") != "production" {
Copy link
Collaborator

@its-me-abhishek its-me-abhishek Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think by default we should get the ENV var at the top, as a string, which should be set to "development" by default. This check might break and is harder to read in general

@cfsmp3 @claude
Fix origin comparison security issue and improve ENV handling
89cabbe 
Addresses review feedback:

1. Security fix: Replace insecure substring check with proper hostname
   comparison. Previously `strings.Contains(origin, host)` could be
   bypassed by an attacker using "malicious-example.com" to match
   "example.com". Now parses the origin URL and compares hostnames
   exactly.

2. Add getEnv() helper that returns "development" by default, making
   the environment check clearer and more maintainable.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@its-me-abhishek its-me-abhishek its-me-abhishek approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cfsmp3 @its-me-abhishek