
server: Protect against cross-origin websocket requests

Merged Clément Pit-Claudel requested to merge cpc/websocket-origin into main
Files
4
@@ -7,6 +7,8 @@ import scala.jdk.CollectionConverters.*
import scala.util.Try
import cask.endpoints.JsonData
import decorators.checkOriginHeader
/** HTTP routes of the WebServer */
private[server] final case class WebServerRoutes()(using cc: castor.Context, log: cask.Logger) extends cask.Routes:
/** Paths where the static content served by the server is stored */
@@ -72,8 +74,9 @@ private[server] final case class WebServerRoutes()(using cc: castor.Context, log
CreateInstanceResponse.Wire.encode(CreateInstanceResponse(appId))
response
@checkOriginHeader
@cask.websocket(f"${Endpoints.WebSocket}/:instanceId/:userId")
def websocket(instanceId: String, userId: String): cask.WebsocketResult =
def websocket(instanceId: String, userId: String, request: cask.Request): cask.WebsocketResult =
WebServer.instances.get(instanceId) match
case Some(app) => app.connect(userId)
case None => cask.Response(f"Unknown instance id $instanceId", 400)
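Review bot: The `request: cask.Request` parameter added to `websocket` is not read anywhere in the body shown, so it is unclear whether `@checkOriginHeader` (defined outside this hunk) depends on it or whether it is left over. If the decorator needs it, say so in a comment on the signature; otherwise drop it. The method should also carry a comment on the limits of the check, for example `// Origin check only stops cross-site browser pages; it does not authenticate userId, which still comes from the URL path.`, because as far as this hunk shows `app.connect(userId)` trusts the path value as-is. It is worth confirming in the decorator that a request with no Origin header is handled deliberately, and that the comparison is an exact match on scheme, host and port rather than a prefix or substring test.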