From 89c025d102e7379c12389c743162a7ac6f3caa4e Mon Sep 17 00:00:00 2001
From: Peter Jaszkowiak
Date: Wed, 28 Nov 2018 20:23:42 -0700
Subject: [PATCH] feat: close #7002, console message if mismatched origins
---
 public/src/sockets.js | 12 ++++++++++++
 src/controllers/api.js | 1 +
 src/socket.io/index.js | 22 +++++++++-------------
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/public/src/sockets.js b/public/src/sockets.js
index 63ef91f8cf..4407bb3b22 100644
--- a/public/src/sockets.js
+++ b/public/src/sockets.js
@@ -150,4 +150,16 @@ app.isConnected = false;
 },
 });
 }
+
+ if (
+ config.socketioOrigins
+ && config.socketioOrigins !== '*'
+ && config.socketioOrigins.indexOf(location.hostname) === -1
+ ) {
+ console.error(
+ 'You are accessing the forum from an unknown origin. This will likely result in websockets failing to connect. \n'
+ + 'To fix this, set the `"url"` value in `config.json` to the URL at which you access the site. \n'
+ + 'For more information, see this FAQ topic: https://community.nodebb.org/topic/13388'
+ );
+ }
 }());
diff --git a/src/controllers/api.js b/src/controllers/api.js
index 3def1aff1f..b53e0d0ad1 100644
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -40,6 +40,7 @@ apiController.loadConfig = function (req, callback) {
 config.disableChatMessageEditing = meta.config.disableChatMessageEditing === 1;
 config.maximumChatMessageLength = meta.config.maximumChatMessageLength || 1000;
 config.socketioTransports = nconf.get('socket.io:transports') || ['polling', 'websocket'];
+ config.socketioOrigins = nconf.get('socket.io:origins');
 config.websocketAddress = nconf.get('socket.io:address') || '';
 config.maxReconnectionAttempts = meta.config.maxReconnectionAttempts || 5;
 config.reconnectionDelay = meta.config.reconnectionDelay || 1500;
diff --git a/src/socket.io/index.js b/src/socket.io/index.js
index 1919fb1ad8..1ced452877 100644
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
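Review bot: The guard added in the `public/src/sockets.js` hunk treats only the literal `'*'` as a wildcard, so a `socket.io:origins` value of `*:*` (a wildcard form socket.io's `origins` option also accepts) would fall through to `indexOf(location.hostname)` and log a false warning; the second condition could read `&& config.socketioOrigins !== '*' && config.socketioOrigins !== '*:*'`. `indexOf` is also a substring test on a string and an exact-element test if the setting is an array, so the hint can both miss a real mismatch and report a spurious one. That is tolerable for a console message, but a comment such as `// diagnostic only: the server-side io.origins() check is what enforces the allowed origins` would keep it from being read as a security control. The enclosing IIFE starts outside the hunk.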
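Review bot: `config.socketioOrigins = nconf.get('socket.io:origins');` in the `src/controllers/api.js` hunk sends the server's complete origin allowlist to every client that loads this config, and nothing visible in the hunk limits that to authenticated users. If an operator lists staging or internal hostnames in `socket.io:origins`, any visitor can read them. Since `loadConfig` already receives `req`, the mismatch could presumably be decided on the server and only a boolean exposed; if the raw value is kept, a comment like `// sent to the client for the origin-mismatch console warning; treat socket.io:origins as public` would record the trade-off. `loadConfig` continues outside the hunk.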
@@ -46,20 +46,16 @@ Sockets.init = function (server) {
 * Can be overridden via config (socket.io:origins)
 */
 if (process.env.NODE_ENV !== 'development') {
- var domain = nconf.get('cookieDomain');
- var parsedUrl = url.parse(nconf.get('url'));
- var override = nconf.get('socket.io:origins');
- if (!domain) {
- domain = parsedUrl.hostname; // cookies don't provide isolation by port: http://stackoverflow.com/a/16328399/122353
- }
+ const parsedUrl = url.parse(nconf.get('url'));
 
- if (!override) {
- io.origins(parsedUrl.protocol + '//' + domain + ':*');
- winston.info('[socket.io] Restricting access to origin: ' + parsedUrl.protocol + '//' + domain + ':*');
- } else {
- io.origins(override);
- winston.info('[socket.io] Restricting access to origin: ' + override);
- }
+ // cookies don't provide isolation by port: http://stackoverflow.com/a/16328399/122353
+ const domain = nconf.get('cookieDomain') || parsedUrl.hostname;
+
+ const origins = nconf.get('socket.io:origins') || `${parsedUrl.protocol}//${domain}:*`;
+ nconf.set('socket.io:origins', origins);
+
+ io.origins(origins);
+ winston.info('[socket.io] Restricting access to origin: ' + origins);
 }
 
 io.listen(server, {
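Review bot: `nconf.set('socket.io:origins', origins);` in the `src/socket.io/index.js` hunk writes the derived default back into the shared configuration without saying why, and after this line an operator-supplied override can no longer be told apart from the computed fallback. It appears to exist so that `apiController.loadConfig` can hand the effective value to the client, so a comment such as `// stored so the client config can report the effective origins for its mismatch warning` would make the coupling explicit. Because the block sits inside `if (process.env.NODE_ENV !== 'development')`, the key stays unset in development and the origin restriction is not applied there; the same comment should say that this is intentional. `Sockets.init` starts and ends outside the hunk.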