npm - @1presence/bridge - Versions diffs - 0.50.0 → 0.51.0 - Mend

@1presence/bridge 0.50.0 → 0.51.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/auth.js +25 -7
package/package.json +1 -1

package/dist/auth.js CHANGED Viewed

@@ -47,6 +47,30 @@ function openBrowser(url) {
 export class AuthCancelledError extends Error {
     constructor() { super('Sign-in cancelled — the browser tab was closed.'); }
 }
+/**
+ * Applies the localhost auth server's CORS headers, scoped to the legitimate
+ * PWA origin. Exported so the Private Network Access behaviour stays under test.
+ *
+ * The `Access-Control-Allow-Private-Network` reflection is load-bearing: when
+ * the HTTPS PWA (a public/secure context) fetches this 127.0.0.1 server (a
+ * private address), Chrome sends a CORS preflight carrying
+ * `Access-Control-Request-Private-Network: true`. Without the matching allow
+ * header, Chrome (PNA enforcement, ~v130+) blocks the request outright — even a
+ * plain GET, even for localhost, which is exempt from mixed-content blocking —
+ * and the PWA shows "Could not reach the bridge" though the server is up.
+ */
+export function applyAuthCorsHeaders(req, res, pwaOrigin) {
+    const reqOrigin = req.headers['origin'] ?? '';
+    if (pwaOrigin && reqOrigin === pwaOrigin) {
+        res.setHeader('Access-Control-Allow-Origin', pwaOrigin);
+    }
+    res.setHeader('Vary', 'Origin');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    if (req.headers['access-control-request-private-network'] === 'true') {
+        res.setHeader('Access-Control-Allow-Private-Network', 'true');
+    }
+}
 function runBrowserAuthFlow(gatewayUrl, pwaUrl) {
     return new Promise((resolve, reject) => {
         let resolved = false;
@@ -74,13 +98,7 @@ function runBrowserAuthFlow(gatewayUrl, pwaUrl) {
             }
         })();
         const server = createServer((req, res) => {
-            const reqOrigin = req.headers['origin'] ?? '';
-            if (pwaOrigin && reqOrigin === pwaOrigin) {
-                res.setHeader('Access-Control-Allow-Origin', pwaOrigin);
-            }
-            res.setHeader('Vary', 'Origin');
-            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-            res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+            applyAuthCorsHeaders(req, res, pwaOrigin);
             if (req.method === 'OPTIONS') {
                 res.writeHead(204);
                 res.end();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@1presence/bridge",
-  "version": "0.50.0",
+  "version": "0.51.0",
   "description": "Run 1Presence on your Mac and use your Claude.ai Pro subscription from any device",
   "type": "module",
   "bin": {