修复聊天室在线名单初始化与 Reverb 来源校验

2026-04-29 11:15:24 +08:00
parent 1192fe5bdb
commit 317dfd04d7
3 changed files with 86 additions and 5 deletions
@@ -1,5 +1,42 @@
 <?php

+/**
+ * 规范化 Reverb 允许的来源域名列表，兼容完整 URL、主机名和逗号分隔写法。
+ *
+ * @param  string|null  $rawOrigins  环境变量中声明的来源列表
+ * @return array<int, string>
+ */
+function chatroom_normalize_reverb_allowed_origins(?string $rawOrigins): array
+{
+    if ($rawOrigins === null || trim($rawOrigins) === '') {
+        return ['*'];
+    }
+
+    $normalizedOrigins = [];
+
+    foreach (explode(',', $rawOrigins) as $origin) {
+        $candidate = trim($origin);
+
+        if ($candidate === '') {
+            continue;
+        }
+
+        if ($candidate === '*') {
+            return ['*'];
+        }
+
+        $host = parse_url($candidate, PHP_URL_HOST);
+
+        if (! is_string($host) || $host === '') {
+            $host = parse_url('http://'.$candidate, PHP_URL_HOST);
+        }
+
+        $normalizedOrigins[] = is_string($host) && $host !== '' ? $host : $candidate;
+    }
+
+    return array_values(array_unique($normalizedOrigins));
+}
+
 return [

    /*
@@ -82,7 +119,8 @@ return [
                    'scheme' => env('REVERB_SCHEME', 'https'),
                    'useTLS' => env('REVERB_SCHEME', 'https') === 'https',
                ],
-                'allowed_origins' => array_filter([env('REVERB_ALLOWED_ORIGIN')]),
+                // Reverb 内部按 Origin 的主机名比对，这里统一转成 host，避免把完整 URL 写进 .env 后被误拒绝。
+                'allowed_origins' => chatroom_normalize_reverb_allowed_origins(env('REVERB_ALLOWED_ORIGIN')),
                'ping_interval' => env('REVERB_APP_PING_INTERVAL', 60),
                'activity_timeout' => env('REVERB_APP_ACTIVITY_TIMEOUT', 30),
                'max_connections' => env('REVERB_APP_MAX_CONNECTIONS'),