fix(ocap-kernel): allow plain ws:// connections for relay dialing #855

Merged
sirtimid merged 1 commit into main from sirtimid/ws-relay-filter
Feb 27, 2026

@sirtimid sirtimid commented Feb 26, 2026

Summary

  • Import @libp2p/websockets/filters and use the all filter for the WebSocket transport
  • The default libp2p WebSocket filter only permits wss:// (TLS) connections, which blocks relays on private networks or behind a reverse proxy that expose plain ws:// endpoints

Test plan

  • Relay dialing over ws:// multiaddrs succeeds (previously rejected)
  • wss:// relay connections continue to work

🤖 Generated with Claude Code


Note

Medium Risk
Changes libp2p transport configuration to permit non-TLS ws:// connections, which can affect connectivity/security expectations when dialing relays. Scope is small but impacts network transport behavior across environments.

Overview
Updates the libp2p WebSocket transport configuration in connection-factory.ts to use @libp2p/websockets/filters.all, allowing relay dialing over plain ws:// multiaddrs in addition to wss://.

This removes the previous implicit restriction to secure WebSockets, improving compatibility with private-network/reverse-proxy relays that only expose ws:// endpoints.

Written by Cursor Bugbot for commit 73f8293. This will update automatically on new commits. Configure here.

The default libp2p WebSocket filter only permits wss:// (TLS)
connections. Relays on private networks or behind a reverse proxy
often expose plain ws:// endpoints. Use the "all" filter so both
ws:// and wss:// multiaddrs are accepted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sirtimid sirtimid requested a review from a team as a code owner February 26, 2026 11:47
@sirtimid sirtimid enabled auto-merge February 26, 2026 11:50
@github-actions

Coverage Report

Status | Category | Percentage | Covered / Total
🔵 | Lines | 76.02% (🟰 ±0%) | 6567 / 8638
🔵 | Statements | 75.91% (🟰 ±0%) | 6672 / 8789
🔵 | Functions | 73.83% (🟰 ±0%) | 1642 / 2224
🔵 | Branches | 75.43% (🟰 ±0%) | 2426 / 3216

File Coverage (Changed Files)

File | Stmts | Branches | Functions | Lines | Uncovered Lines
packages/ocap-kernel/src/remotes/platform/connection-factory.ts | 97.27% (🟰 ±0%) | 90% (🟰 ±0%) | 96.29% (🟰 ±0%) | 97.22% (🟰 ±0%) | 262, 407, 441

Generated in workflow #3819 for commit 73f8293 by the Vitest Coverage Report Action

@rekmarks rekmarks left a comment

Approving, but we shouldn't be able to use ws:// outside of the use cases mentioned in the PR description. We can keep webSockets({ filter: wsFilters.all }) so the transport handles ws://, but replace denyDialMultiaddr: async () => false with a function that:

  • Allows any wss:// (secure)
  • Allows ws:// to RFC 1918 / loopback addresses
  • Allows ws:// to any hostname in a configurable allowedWsHosts list
  • Denies everything else
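
The dial policy listed in the review comment above, as an added example that is not code from this PR or the project. The names `denyWsDial`, `WsDialPolicy` and `makeDenyDialMultiaddr` are hypothetical; the example assumes the policy is evaluated on the multiaddr's string form, that addresses with no WebSocket component are decided elsewhere, and that `::1` counts as loopback.

```typescript
// Added example, not the project's code. Returns true to DENY the dial,
// the same sense as libp2p's connectionGater.denyDialMultiaddr.
type WsDialPolicy = { allowedWsHosts: string[] }; // hypothetical config shape

// Multiaddr protocols that carry a value in string form (subset needed here).
const VALUED = new Set(['ip4', 'ip6', 'dns', 'dns4', 'dns6', 'dnsaddr',
  'tcp', 'udp', 'p2p', 'sni', 'certhash']);

function isPrivateOrLoopbackIp4(ip: string): boolean {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return false;
  const [a = -1, b = -1, c = -1, d = -1] = parts.map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

function denyWsDial(addr: string, policy: WsDialPolicy): boolean {
  const tokens = addr.split('/').slice(1);
  const protos: [string, string | undefined][] = [];
  while (tokens.length > 0) {
    const name = tokens.shift() as string;
    if (name === 'p2p-circuit') break; // only the first hop is dialed directly
    protos.push([name, VALUED.has(name) ? tokens.shift() : undefined]);
  }
  const has = (name: string): boolean => protos.some(([p]) => p === name);
  if (has('wss') || (has('tls') && has('ws'))) return false; // TLS: allow
  if (!has('ws')) return false; // assumption: non-WebSocket addrs decided elsewhere
  const first = protos[0];
  if (first === undefined) return true;
  const [kind, host = ''] = first;
  if (kind === 'ip4') return !isPrivateOrLoopbackIp4(host);
  if (kind === 'ip6') return host !== '::1'; // loopback only; RFC 1918 is IPv4
  if (kind === 'dns' || kind === 'dns4' || kind === 'dns6') {
    // Match the name itself; an unlisted name is denied even if it would
    // resolve to a private address.
    const allowed = policy.allowedWsHosts.map((h) => h.toLowerCase());
    return !allowed.includes(host.toLowerCase());
  }
  return true; // plain ws:// to anything else: deny
}

// Adapter with the gater's shape; anything with toString() works as input.
const makeDenyDialMultiaddr = (policy: WsDialPolicy) =>
  async (ma: { toString(): string }): Promise<boolean> =>
    denyWsDial(ma.toString(), policy);
```

Protocol names are matched only in protocol position, so a hostname that happens to be `wss` or `tls` cannot make a plain ws:// address look secure.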

@sirtimid sirtimid added this pull request to the merge queue Feb 27, 2026
Merged via the queue into main with commit 17f947e Feb 27, 2026
29 checks passed
@sirtimid sirtimid deleted the sirtimid/ws-relay-filter branch February 27, 2026 01:05