Fix Socket.IO origin check and force WebSocket-only transport

Same-origin requests omit the Origin header, which was rejected in
production. Also restrict to WebSocket transport on both client and
server to eliminate the need for sticky sessions with multiple replicas.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jan Willem Mannaerts 2026-02-28 12:28:07 +01:00
parent 31fbc3a1a7
commit 45dbd341a3
2 changed files with 4 additions and 2 deletions


@ -43,7 +43,7 @@ const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:5174';
const corsOptions = { origin: frontendUrl, credentials: true }; const corsOptions = { origin: frontendUrl, credentials: true };
function isAllowedOrigin(origin) { function isAllowedOrigin(origin) {
if (!origin) return !isProd; if (!origin) return true; // same-origin requests omit the Origin header
return origin === frontendUrl; return origin === frontendUrl;
} }
@ -81,6 +81,7 @@ if (isProd) {
} }
const io = new Server(httpServer, { const io = new Server(httpServer, {
transports: ['websocket'],
cors: corsOptions, cors: corsOptions,
allowRequest: (req, callback) => { allowRequest: (req, callback) => {
if (isAllowedOrigin(req.headers.origin)) { if (isAllowedOrigin(req.headers.origin)) {
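Review bot: The comment on the new `if (!origin) return true;` line is misleading now that the server is WebSocket-only: browsers always include an Origin header on a WebSocket upgrade, so the no-Origin branch no longer covers browser same-origin traffic; it is reached only by non-browser clients (which can set any Origin they like anyway), and it now admits them in production too, since the previous `!isProd` gate is gone. That is acceptable only if the handshake is not the last thing between an anonymous client and the socket, i.e. authentication still happens later in `allowRequest` or a connection middleware, and the comment should say so, e.g. `// No Origin header: not a browser (browsers always send Origin on WS upgrades). Nothing to enforce here; the caller must still authenticate.` Separately, `transports: ['websocket']` removes the server-side polling fallback, so a reverse proxy that does not forward `Upgrade`/`Connection` headers will now fail every handshake instead of degrading to polling, which is worth a line in the deployment notes. The `allowRequest` callback continues outside the hunk.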


@ -9,7 +9,8 @@ export function getSocket() {
autoConnect: true, autoConnect: true,
reconnection: true, reconnection: true,
reconnectionAttempts: 10, reconnectionAttempts: 10,
reconnectionDelay: 750 reconnectionDelay: 750,
transports: ['websocket']
}; };
if (socketBaseUrl) { if (socketBaseUrl) {
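Review bot: `transports: ['websocket']` on the client drops the long-polling fallback, so combined with `reconnectionAttempts: 10` a client whose upgrade is blocked by an intermediary will exhaust its attempts and stay disconnected; whether anything listens for the manager's `reconnect_failed` event is not visible here, so that part is inferred. A one-line comment beside the option would spare the next reader a debugging session, e.g. `// websocket only: no long-polling fallback, so a blocked upgrade means no connection at all`. `getSocket` starts before the hunk and continues past it.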