web_server/backend/services/websocket.go
Adam French b56f8253d9
Harden backend against critical and high security vulnerabilities
- Fix WebSocket CheckOrigin to use proper url.Parse instead of string stripping
- Add admin auth checks to Users/User GraphQL queries
- Remove GraphQL GET transport to prevent CSRF via cross-site links
- Add application-level IP-based login rate limiting (5 attempts/min)
- Add path traversal bounds check on radio file upload
- Require DEV_MODE for GraphQL introspection and playground
- Move notes backend endpoint behind admin middleware
- Add dedicated Nginx rate limit zone for GraphQL (10r/s)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 13:27:33 +01:00


package services
import (
"net/http"
"net/url"
"sync"
"time"
"adam-french.co.uk/backend/models"
"gorm.io/gorm"
"github.com/gorilla/websocket"
)
// maxMessages bounds both the history replayed to a newly connected client
// and the number of rows kept in the messages table after each insert.
const (
	maxMessages = 50
)

// allowedDomain is the bare hostname that Upgrader.CheckOrigin accepts
// (directly or with a "www." prefix). It is compared against url.Hostname(),
// so it must carry no scheme or port; InitWebSocket sets it.
var (
	allowedDomain string
)
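// Upgrader performs the HTTP -> WebSocket handshake for the chat endpoint.
//
// CheckOrigin accepts only browser Origins whose hostname is allowedDomain,
// its "www." variant, or "localhost". The hostname is taken from url.Parse
// rather than by stripping a scheme prefix, so a port or path in the Origin
// cannot confuse the comparison. The scheme of the Origin is not checked.
var Upgrader = websocket.Upgrader{
	ReadBufferSize:  1024,
	WriteBufferSize: 1024,
	CheckOrigin: func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return false
		}
		u, err := url.Parse(origin)
		if err != nil {
			return false
		}
		host := u.Hostname()
		// An opaque Origin such as "null" parses without a host. Reject it
		// explicitly so it can never compare equal to an allowedDomain that
		// is still empty because InitWebSocket has not been called.
		if host == "" {
			return false
		}
		if host == "localhost" {
			// NOTE(review): accepted unconditionally; consider restricting
			// this branch to development deployments.
			return true
		}
		// An unset allowedDomain must not match any host (nor "www.").
		if allowedDomain == "" {
			return false
		}
		return host == allowedDomain || host == "www."+allowedDomain
	},
}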
// Shared chat state. clients and nextAuthorID are only read or written
// while mu is held.
var (
	// mu serialises registration, history replay and broadcasts.
	mu sync.Mutex
	// clients is the set of live connections that receive each broadcast.
	clients = make(map[*websocket.Conn]bool)
	// nextAuthorID is a per-process counter handed out on connect.
	nextAuthorID uint
	// wsDB is the database handle installed by InitWebSocket.
	wsDB *gorm.DB
)

// Per-connection inbound rate limit: at most rateLimitMaxMsgs messages in
// any rateLimitWindow; messages over the allowance are dropped.
const (
	rateLimitWindow  = time.Second
	rateLimitMaxMsgs = 10
)
// InitWebSocket wires the package-level state used by HandleWebSocket and
// Upgrader.CheckOrigin: database becomes the handle used to persist
// messages, and domain the hostname CheckOrigin accepts (also with a "www."
// prefix). Call it once, before any connection is upgraded.
func InitWebSocket(database *gorm.DB, domain string) {
	allowedDomain = domain
	wsDB = database
}
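// Bounds applied to every chat connection. The values are defaults chosen
// here, not taken from existing configuration.
const (
	// maxIncomingBytes caps a single inbound frame so a client cannot make
	// ReadJSON buffer an arbitrarily large message.
	maxIncomingBytes = 4096
	// writeTimeout bounds each write so one stalled client cannot hold mu,
	// and therefore block every other connection, indefinitely.
	writeTimeout = 10 * time.Second
)

// HandleWebSocket serves one chat connection until it closes.
//
// The connection is registered in clients and assigned a fresh authorID, the
// stored history (up to maxMessages rows) is replayed to it, and each
// well-formed inbound message is persisted, the table trimmed to the newest
// maxMessages rows, and the message broadcast to every live client. Inbound
// messages beyond rateLimitMaxMsgs per rateLimitWindow are dropped. The
// connection is always closed and removed from clients on return.
func HandleWebSocket(conn *websocket.Conn) {
	defer conn.Close()
	// Deregister on every exit path, including a failed history replay, so
	// a dead connection never lingers in clients.
	defer func() {
		mu.Lock()
		delete(clients, conn)
		mu.Unlock()
	}()

	// An oversized frame makes ReadJSON return an error, ending the loop.
	conn.SetReadLimit(maxIncomingBytes)

	// Registration and history replay happen under mu so no broadcast can
	// slip in between loading history and joining clients.
	mu.Lock()
	clients[conn] = true
	nextAuthorID++
	authorID := nextAuthorID

	var history []models.Message
	// Best effort: on a query error history stays empty and the client
	// starts with a blank transcript, as before.
	wsDB.Order("created_at ASC").Limit(maxMessages).Find(&history)
	for _, msg := range history {
		if err := writeWithDeadline(conn, msg); err != nil {
			mu.Unlock()
			return
		}
	}
	mu.Unlock()

	msgCount := 0
	windowStart := time.Now()
	for {
		var incoming models.Message
		if err := conn.ReadJSON(&incoming); err != nil {
			break
		}

		// Fixed-window rate limit: reset the counter once the window has
		// elapsed, then drop anything over the per-window allowance.
		now := time.Now()
		if now.Sub(windowStart) > rateLimitWindow {
			msgCount = 0
			windowStart = now
		}
		msgCount++
		if msgCount > rateLimitMaxMsgs {
			continue
		}

		// The author identity is assigned server-side; whatever the frame
		// carried in AuthorID is overwritten.
		incoming.AuthorID = authorID

		mu.Lock()
		if err := wsDB.Create(&incoming).Error; err != nil {
			// Do not broadcast a message that was not persisted; other
			// clients would otherwise see something absent from history.
			mu.Unlock()
			continue
		}
		trimHistoryLocked()
		broadcastLocked(incoming)
		mu.Unlock()
	}
}

// writeWithDeadline sends msg as JSON, failing instead of blocking forever
// when the peer stops reading.
func writeWithDeadline(c *websocket.Conn, msg models.Message) error {
	if err := c.SetWriteDeadline(time.Now().Add(writeTimeout)); err != nil {
		return err
	}
	return c.WriteJSON(msg)
}

// trimHistoryLocked deletes every message outside the newest maxMessages
// rows; a failed delete is ignored as best effort. Caller holds mu.
func trimHistoryLocked() {
	wsDB.Where("id NOT IN (?)",
		wsDB.Model(&models.Message{}).Select("id").Order("created_at DESC").Limit(maxMessages),
	).Delete(&models.Message{})
}

// broadcastLocked fans msg out to every registered client, closing and
// dropping any connection whose write fails. Caller holds mu.
func broadcastLocked(msg models.Message) {
	for client := range clients {
		if err := writeWithDeadline(client, msg); err != nil {
			client.Close()
			delete(clients, client)
		}
	}
}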