From 1af005ff475ef5732fab8db6d735dbd372c0567e Mon Sep 17 00:00:00 2001
From: James Estevez
Date: Wed, 28 Feb 2024 15:13:02 -0800
Subject: [PATCH] Validate websocket origin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WebSockets can be initiated from any site on the internet and still have the user’s cookies and session. This pull request restricts the sites which are allowed to open sockets to the app. See W-14666443
---
 metecho/routing.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/metecho/routing.py b/metecho/routing.py
index 4402c30f9..e06b16fb2 100644
--- a/metecho/routing.py
+++ b/metecho/routing.py
@@ -1,5 +1,6 @@
 from channels.auth import AuthMiddlewareStack
 from channels.routing import ProtocolTypeRouter, URLRouter
+from channels.security.websocket import AllowedHostsOriginValidator
 from django.core.asgi import get_asgi_application
 from django.urls import path
@@ -17,5 +18,8 @@
 application = ProtocolTypeRouter(
- {"http": get_asgi_application(), "websocket": AuthMiddlewareStack(websockets)}
+ {
+ "http": get_asgi_application(),
+ "websocket": AllowedHostsOriginValidator(AuthMiddlewareStack(websockets)),
+ }
 )
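Review bot: The origin check added on the `"websocket"` entry in the second hunk is only as strict as Django's `ALLOWED_HOSTS`, and nothing in this change pins that setting down: `AllowedHostsOriginValidator` derives its allow-list from `settings.ALLOWED_HOSTS`, so a wildcard `"*"` entry (common in container or staging configs) silently accepts every Origin, including requests that carry no Origin header at all, and the cross-site-hijacking protection this commit describes disappears without any error. A one-line comment above the wrapped line would stop a future settings change from undoing the fix: `# Origin allow-list comes from ALLOWED_HOSTS; a "*" entry disables this check.` As I recall the channels implementation, with `DEBUG=True` and an empty `ALLOWED_HOSTS` the validator falls back to localhost-only, so verify that the deployed settings list the exact hosts the frontend is served from rather than relying on that default. A settings-level assertion or a test that a connection with a foreign Origin is rejected would make the guarantee durable; the `ProtocolTypeRouter` call and `websockets` definition extend outside the hunk.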