diff --git a/dashboard/backend/config.py b/dashboard/backend/config.py index fdc5dca..2cd8cc3 100644 --- a/dashboard/backend/config.py +++ b/dashboard/backend/config.py @@ -30,10 +30,10 @@ TELEGRAM_CHAT_ID = os.environ.get("TELEGRAM_CHAT_ID", "") TELEGRAM_PROXY = os.environ.get("TELEGRAM_PROXY", "") WEBAUTHN_RP_ID = os.environ.get("WEBAUTHN_RP_ID", "nas.jimmygan.com") -WEBAUTHN_ORIGIN = os.environ.get("WEBAUTHN_ORIGIN", "https://nas.jimmygan.com") +WEBAUTHN_ORIGINS = os.environ.get("WEBAUTHN_ORIGIN", "https://nas.jimmygan.com,https://nas.jimmygan.com:8443").split(",") # CORS -CORS_ORIGINS = os.environ.get("CORS_ORIGINS", "https://nas.jimmygan.com").split(",") +CORS_ORIGINS = os.environ.get("CORS_ORIGINS", "https://nas.jimmygan.com,https://nas.jimmygan.com:8443").split(",") # OpenClaw OPENCLAW_GATEWAY_TOKEN = os.environ.get("OPENCLAW_GATEWAY_TOKEN", "") diff --git a/dashboard/backend/main.py b/dashboard/backend/main.py index 43eb264..bc057fd 100644 --- a/dashboard/backend/main.py +++ b/dashboard/backend/main.py @@ -41,7 +41,7 @@ async def security_headers(request: Request, call_next): response.headers["X-Frame-Options"] = "DENY" response.headers["X-XSS-Protection"] = "1; mode=block" response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin" - response.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss://nas.jimmygan.com; frame-ancestors 'none'" + response.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss://nas.jimmygan.com wss://nas.jimmygan.com:8443; frame-ancestors 'none'" return response # Audit logger diff --git a/dashboard/backend/routers/auth.py b/dashboard/backend/routers/auth.py index cd7346a..ac0a639 100644 --- a/dashboard/backend/routers/auth.py +++ b/dashboard/backend/routers/auth.py @@ -203,7 +203,7 @@ async def passkey_register_verify(request: Request, current_user: str = Depends( credential=body, expected_challenge=challenge, expected_rp_id=config.WEBAUTHN_RP_ID, - expected_origin=config.WEBAUTHN_ORIGIN, + expected_origin=config.WEBAUTHN_ORIGINS, ) except Exception as e: raise HTTPException(status_code=400, detail=str(e)) @@ -244,7 +244,7 @@ async def passkey_login_verify(request: Request): credential=body, expected_challenge=challenge, expected_rp_id=config.WEBAUTHN_RP_ID, - expected_origin=config.WEBAUTHN_ORIGIN, + expected_origin=config.WEBAUTHN_ORIGINS, credential_public_key=base64url_to_bytes(matched["public_key"]), credential_current_sign_count=matched["sign_count"], )