Merge pull request #1929 from moothz/main

Customizable Websockets Security

Author: DavidsonGomes

.env.example

@@ -99,6 +99,7 @@ SQS_REGION=
 # Websocket - Environment variables
 WEBSOCKET_ENABLED=false
 WEBSOCKET_GLOBAL_EVENTS=false
+WEBSOCKET_ALLOWED_HOSTS=127.0.0.1,::1,::ffff:127.0.0.1
 
 # Pusher - Environment variables
 PUSHER_ENABLED=false

src/api/integrations/event/websocket/websocket.controller.ts

@@ -31,11 +31,12 @@ export class WebsocketController extends EventController implements EventControl
           const params = new URLSearchParams(url.search);
 
           const { remoteAddress } = req.socket;
-          const isLocalhost =
-            remoteAddress === '127.0.0.1' || remoteAddress === '::1' || remoteAddress === '::ffff:127.0.0.1';
+          const isAllowedHost = (process.env.WEBSOCKET_ALLOWED_HOSTS || '127.0.0.1,::1,::ffff:127.0.0.1')
+            .split(',')
+            .map((h) => h.trim())
+            .includes(remoteAddress);
 
-          // Permite conexões internas do Socket.IO (EIO=4 é o Engine.IO v4)
-          if (params.has('EIO') && isLocalhost) {
+          if (params.has('EIO') && isAllowedHost) {
             return callback(null, true);
           }