Add origin whitelist
To prevent CSRF attack.
jtojnar committed Nov 2, 2020
1 parent 6ccc64f commit aea66f1
Showing 2 changed files with 6 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -35,6 +35,7 @@ pengu uses the following environment variables for configuration:
* `DATABASE_URL` – [Connection string](https://node-postgres.com/features/connecting/#connection-uri) for the PostgreSQL database. If omitted, persistence will be missing.
* `NODE_ENV` – Can be set to `production` for less verbose logs. Defaults to `development`.
* `OPENID_PROVIDER` – If this is set, pengu will use OpenID to log-in. Though it only supports using a hardcoded identity specified by this variable. User will be redirected to the provider, where they will confirm their credentials, and then be redirected back to Pengu with an access code. Pengu will then verify the access code against the OpenID verification URL and realm specified by `OPENID_VERIFY`, `OPENID_REALM` environment variables.
* `ACCEPTED_ORIGINS` – comma-separated list of domain names that are allowed to access the WebSockets server. This is necessary to prevent [cross-site request forgery](https://en.wikipedia.org/wiki/WebSocket#Security_considerations). When the environment variable is not set, only `localhost` and `127.0.0.1` will be allowed to connect.

## Development

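Review bot: The `ACCEPTED_ORIGINS` entry calls the values "domain names", but because the check in `src/index.js` compares `url.hostname`, each entry must be a bare hostname with no scheme, port or path (`app.example.org`, not `https://app.example.org:8443`), and the match is exact, so a listed parent domain does not admit its subdomains; state that here. It is also worth saying that the list is split on `,` without trimming, so `a.example, b.example` silently disables the second entry, that the default list covers `localhost` and `127.0.0.1` but not the IPv6 loopback `[::1]`, and that an `Origin` allowlist only protects browser users, since a non-browser client can send any `Origin` value it likes.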
7 changes: 5 additions & 2 deletions src/index.js
Expand Up @@ -28,6 +28,8 @@ function findById(arr, id) {
return null;
}

const acceptedOrigins = process.env.ACCEPTED_ORIGINS ? process.env.ACCEPTED_ORIGINS.split(',') : ['localhost', '127.0.0.1'];

async function runApp() {
let app = express();

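Review bot: `process.env.ACCEPTED_ORIGINS.split(',')` keeps surrounding whitespace and empty strings, so `ACCEPTED_ORIGINS="a.example, b.example"` produces `' b.example'`, which can never equal a parsed hostname, and a trailing comma produces `''`. Normalise the list once at this point, e.g. `.split(',').map(s => s.trim().toLowerCase()).filter(Boolean)`; lower-casing matters because `URL.hostname` is returned in lower case while an operator may type mixed case. Logging the resulting array at startup would make a misconfigured allowlist visible instead of every client being rejected with no explanation.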
Expand Down Expand Up @@ -68,8 +70,9 @@ async function runApp() {
autoAcceptConnections: false
});

function originIsAllowed() {
return true;
function originIsAllowed(origin) {
const url = new URL(origin);
return acceptedOrigins.includes(url.hostname);
}

let clients = [];
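Review bot: `new URL(origin)` throws whenever `origin` is not a parseable absolute URL, which includes a missing `Origin` header (`new URL(undefined)` raises `TypeError: Invalid URL`) and the literal string `null` that browsers send for opaque origins, so such a handshake escapes `originIsAllowed` as an exception rather than being refused. Wrap the parse in `try { ... } catch { return false; }` so anything unparseable is treated as not allowed. Two further points: the check ignores `url.protocol`, so `http://localhost` and `https://localhost` are treated alike, which is fine for the loopback defaults but deserves a comment for deployments behind TLS; and since the signature changed from `originIsAllowed()` to `originIsAllowed(origin)`, the caller that passes `request.origin` and rejects the request on `false` lies outside this hunk, so confirm it actually supplies the argument, otherwise every connection is now rejected by the thrown error.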