fix(http): require Origin header on WebSocket upgrades (SEC-88)

[aris1009]

Summary

• Reject WS upgrades that arrive without an Origin header. Browsers always send it on WS upgrades (RFC 6455 §10.2); a missing value is either a non-browser client or a forged upgrade.
• ensureOrigin is only mounted on wsRouter.ws handlers, so HTTP API clients are unaffected.

Test plan

• Existing parameterised authenticateOrigin table updated; new case asserts missing Origin throws even when the host header is valid.
• jest test/unit/node/http.test.ts — 53 passed, 0 failed.
• Smoke-test in dev: confirm the iframe still establishes WS to terminal/file-sync after deploy.

Closes SEC-88.

[lookout-on-dev]

No breaking data contract changes detected in this PR.

The changes are limited to WebSocket Origin-header enforcement (src/node/http.ts) and its unit tests — neither file touches any analytics tracking calls. The sole tracking event (ide.session_started) and its properties in src/node/rudderstack.ts are unaffected.

[lookout-on-dev]

No breaking data contract changes detected in this PR.

This change is a server-side security fix (authenticateOrigin now rejects WebSocket upgrades that lack an Origin header) and has no effect on analytics event names, properties, or types sent to any RudderStack destination.

[github-actions]

Docker Preview Images Ready

Preview Docker images have been built for this PR:

ECR (internal):

docker pull 422074288268.dkr.ecr.us-east-1.amazonaws.com/rudderstack/profiles-code-server:pr-208

Image Details:

• Tag: pr-208
• Platforms: linux/amd64, linux/arm64

Test the image:

docker run --rm -p 8080:8080 422074288268.dkr.ecr.us-east-1.amazonaws.com/rudderstack/profiles-code-server:pr-208

Note: These preview images will be overwritten on subsequent pushes to this PR.