fix(security): WS https self-origins + prod origin warning (WS-001)

getGatewaySelfOrigins() only emitted http:// origins, so a gateway served over
TLS on its own port rejected its own same-origin WebSocket upgrades. Add the
https:// localhost/127.0.0.1 self-origins, and warn at startup when running in
production with no WS_ALLOWED_ORIGINS/CORS_ORIGINS configured (the localhost-only
fallback otherwise rejects all WS connections from a real domain).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: ersinkoc

packages/gateway/src/ws/server.test.ts

@@ -422,6 +422,29 @@ describe('WSGateway', () => {
       expect(socket.close).not.toHaveBeenCalled();
     });
 
+    it('allows the gateway https self-origin over TLS (WS-001)', async () => {
+      const prevPort = process.env.PORT;
+      process.env.PORT = '9443'; // self-origin derives from PORT
+      try {
+        const gw = new WSGateway({ allowedOrigins: [] });
+        gw.start();
+
+        const handler = getConnectionHandler();
+        const socket = createMockSocket();
+        const request = createMockRequest('/', {
+          origin: 'https://localhost:9443',
+        });
+
+        await handler(socket, request);
+
+        expect(mockSessionManager.create).toHaveBeenCalled();
+        expect(socket.close).not.toHaveBeenCalled();
+      } finally {
+        if (prevPort === undefined) delete process.env.PORT;
+        else process.env.PORT = prevPort;
+      }
+    });
+
     it('rejects when no origin header even with empty allowlist (CSWSH defense)', async () => {
       const gw = new WSGateway({ allowedOrigins: [] });
       gw.start();

packages/gateway/src/ws/server.ts

@@ -174,16 +174,36 @@ const DEFAULT_LOCALHOST_WS_ORIGINS = [
   'http://127.0.0.1:4173',
 ];
 
+/**
+ * The gateway's own origin(s), derived from PORT. A WebSocket upgrade whose
+ * Origin matches the server that served the page is same-origin and can never
+ * be a cross-site hijack, so these are always allowed — including when the
+ * gateway serves the built UI on its own port (e.g. http://127.0.0.1:8200).
+ * Production deployments behind a domain still need WS_ALLOWED_ORIGINS.
+ */
+function getGatewaySelfOrigins(): string[] {
+  const port = process.env.PORT ?? String(WS_PORT);
+  // WS-001: include https:// variants so a gateway served over TLS on its own
+  // port still recognises its same-origin (the http:// only list rejected it).
+  return [
+    `http://localhost:${port}`,
+    `http://127.0.0.1:${port}`,
+    `https://localhost:${port}`,
+    `https://127.0.0.1:${port}`,
+  ];
+}
+
 /**
  * Validate WebSocket origin against allowed origins.
  * - Always requires the browser to send an `Origin` header (CSWSH defense).
  * - Empty configured allowlist falls back to localhost-only, never allow-all.
+ * - The gateway's own same-origin is always permitted (UI served by gateway).
  */
 function isOriginAllowed(origin: string | undefined, allowedOrigins: string[]): boolean {
   const effective = allowedOrigins.length > 0 ? allowedOrigins : DEFAULT_LOCALHOST_WS_ORIGINS;
   // No origin header — reject. Browsers always send Origin on WS upgrades.
   if (!origin) return false;
-  return effective.some((allowed) => origin === allowed);
+  return effective.includes(origin) || getGatewaySelfOrigins().includes(origin);
 }
 
 /**
@@ -1348,5 +1368,13 @@ if (_rawWsOrigins && _rawWsOrigins.includes('*')) {
     '[WARN] WS: origins env contains "*" — stripped. WS connections will use the configured non-wildcard origins (or localhost defaults).'
   );
 }
+// WS-001: in production with no explicit allowlist, the gateway falls back to
+// localhost-only origins, so WS upgrades from a real domain are rejected. Warn
+// loudly rather than failing silently.
+if (process.env.NODE_ENV === 'production' && _wsAllowedOrigins.length === 0) {
+  log.warn(
+    '[WARN] WS: no WS_ALLOWED_ORIGINS/CORS_ORIGINS set in production — WebSocket connections from your domain will be rejected (localhost-only fallback). Set WS_ALLOWED_ORIGINS to your site origin(s).'
+  );
+}
 
 export const wsGateway = new WSGateway({ allowedOrigins: _wsAllowedOrigins });