From 159278d4653df03d63c8c26f60070e42f12dcdab Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Sat, 30 May 2026 08:18:45 +0000
Subject: [PATCH] fix(wss): add OriginPatterns to websocket.Accept to prevent browser slot exhaustion (PILOT-285)
The beacon WSS server accepts WebSocket upgrades without checking the Origin header. A malicious website can open WebSocket connections to the beacon and exhaust connection slots before the Ed25519 authentication challenge completes. These CSRF-style WS connections are rejected at the challenge stage but still consume a connection slot. Adding OriginPatterns: ["pilot://*"] causes nhooyr.io/websocket to reject browser-originated connections at upgrade time (HTTP 403). Non-browser clients (Go/Python/Node SDKs) do not send an Origin header, so they are unaffected by this check.
Closes PILOT-285
---
 wss/server.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wss/server.go b/wss/server.go
index ee9fc61..1ea402a 100644
--- a/wss/server.go
+++ b/wss/server.go
@@ -334,7 +334,8 @@ func (s *Server) handleUpgrade(w http.ResponseWriter, r *http.Request) {
 }
 conn, err := websocket.Accept(w, r, &websocket.AcceptOptions{
- Subprotocols: []string{"pilot.v1"},
+ Subprotocols: []string{"pilot.v1"},
+ OriginPatterns: []string{"pilot://*"},
 })
 if err != nil {
 s.upgradeFail.Add(1)
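Review bot: The added `OriginPatterns: []string{"pilot://*"}` in the `websocket.Accept` options extends the set of accepted origins rather than narrowing it. As far as the nhooyr.io/websocket documentation goes, `Accept` already refuses cross-origin upgrades with 403 whenever `InsecureSkipVerify` is unset, and the removed options in this hunk set only `Subprotocols`. The field is documented as a list of host patterns matched with `filepath.Match`, so depending on the pinned library version `pilot://*` presumably either never matches or additionally admits origins with a `pilot` scheme; a handler test that sends `Origin: https://example.invalid` and expects 403 both with and without the new field would settle which. If the `pilot://` allowance is intended, state it next to the field, e.g. `// allow the pilot:// app origin; Accept already refuses other cross-origin upgrades`. Requests that omit the Origin header or whose Origin host equals the request Host still reach the pre-auth stage, so the slot-exhaustion concern also needs a handshake deadline or a per-peer connection cap, neither of which is visible here because `handleUpgrade` begins and ends outside the hunk.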