feat: enforce device-bound connect challenge

2026-05-09 09:07:39 +00:00 · 2026-01-20 11:15:10 +00:00
parent 121ae6036b
commit dfbf6ac263
21 changed files with 953 additions and 129 deletions
--- a/src/gateway/server/ws-connection.ts
+++ b/src/gateway/server/ws-connection.ts
@@ -116,6 +116,13 @@ export function attachGatewayWsConnectionHandler(params: {
      }
    };

+    const connectNonce = randomUUID();
+    send({
+      type: "event",
+      event: "connect.challenge",
+      payload: { nonce: connectNonce, ts: Date.now() },
+    });
+
    const close = (code = 1000, reason?: string) => {
      if (closed) return;
      closed = true;
@@ -224,6 +231,7 @@ export function attachGatewayWsConnectionHandler(params: {
      requestOrigin,
      requestUserAgent,
      canvasHostUrl,
+      connectNonce,
      resolvedAuth,
      gatewayMethods,
      events,