@agent-native/core 0.23.0 → 0.24.1

package/dist/server/core-routes-plugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAsBlC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AA6FvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AA2IvD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CAWf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;wCACoC;IACpC,eAAe,CAAC,EAAE,OAAO,iBAAiB,EAAE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAChF,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC7E;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CAkzEhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}
+{"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAsBlC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AA6FvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AA2IvD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CAWf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;wCACoC;IACpC,eAAe,CAAC,EAAE,OAAO,iBAAiB,EAAE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAChF,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC7E;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CAkzEhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}

package/dist/server/core-routes-plugin.js

@@ -1,6 +1,6 @@
 import { getH3App, awaitBootstrap, markDefaultPluginProvided, } from "./framework-request-handler.js";
 import { getAllowedCorsOrigin, readCorsAllowedOrigins, } from "./cors-origins.js";
-import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, getHeader, getCookie, setCookie, deleteCookie, } from "h3";
+import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, getHeader, getCookie, setCookie, deleteCookie, getRequestURL, } from "h3";
 import path from "node:path";
 import { createPollHandler } from "./poll.js";
 import { createPollEventsHandler } from "./poll-events.js";
@@ -424,18 +424,14 @@ export function createCoreRoutesPlugin(options = {}) {
             })));
         }
         mountBrowserSessionRoutes(nitroApp, { routePrefix: P });
-        const resolveBuilderOwnerContext = async (event) => {
+        const resolveBuilderOwnerContext = async (event, mode) => {
             const session = await getSession(event).catch(() => null);
             if (session?.email) {
                 return { email: session.email, session, anonymous: false };
             }
-            const rawUrl = event.node?.req?.url ?? event.path ?? "/";
-            const queryStart = rawUrl.indexOf("?");
-            const rawPath = queryStart >= 0 ? rawUrl.slice(0, queryStart) : rawUrl;
-            const search = queryStart >= 0 ? rawUrl.slice(queryStart + 1) : "";
-            const path = stripAppBasePath(rawPath);
-            if (path === `${P}/builder/connect`) {
-                const ownerFromConnectToken = verifyBuilderConnectTokenAndGetOwner(new URLSearchParams(search).get(BUILDER_CONNECT_PARAM));
+            const searchParams = getRequestURL(event).searchParams;
+            if (mode === "connect") {
+                const ownerFromConnectToken = verifyBuilderConnectTokenAndGetOwner(searchParams.get(BUILDER_CONNECT_PARAM));
                 if (ownerFromConnectToken) {
                     return {
                         email: ownerFromConnectToken,
@@ -444,7 +440,7 @@ export function createCoreRoutesPlugin(options = {}) {
                     };
                 }
             }
-            if (path === `${P}/builder/callback`) {
+            if (mode === "callback") {
                 // Prefer the signed _an_state owner over the legacy
                 // an_builder_connect_owner cookie. The cookie can be stale on a
                 // shared browser — user A signed in earlier, user B starts a fresh
@@ -452,7 +448,7 @@ export function createCoreRoutesPlugin(options = {}) {
                 // would mis-attribute B's Builder credentials to A. The signed
                 // state is per-flow and TTL-bounded, so it's authoritative when
                 // both are present.
-                const ownerFromCallbackState = verifyBuilderCallbackStateAndGetOwner(new URLSearchParams(search).get(BUILDER_STATE_PARAM));
+                const ownerFromCallbackState = verifyBuilderCallbackStateAndGetOwner(searchParams.get(BUILDER_STATE_PARAM));
                 if (ownerFromCallbackState) {
                     return {
                         email: ownerFromCallbackState,
@@ -696,7 +692,7 @@ export function createCoreRoutesPlugin(options = {}) {
         //      with attacker-controlled p-key/api-key, hijacking the victim's
         //      account.
         getH3App(nitroApp).use(`${P}/builder/connect`, defineEventHandler(async (event) => {
-            const ownerContext = await resolveBuilderOwnerContext(event);
+            const ownerContext = await resolveBuilderOwnerContext(event, "connect");
             const ownerEmail = ownerContext.email;
             if (!ownerEmail) {
                 setResponseStatus(event, 401);
@@ -896,7 +892,7 @@ export function createCoreRoutesPlugin(options = {}) {
             // A real session or a template-approved anonymous owner is required;
             // the pending-row check below (combined with the same-origin gate on
             // /builder/connect) blocks CSRF and callback replay.
-            const ownerContext = await resolveBuilderOwnerContext(event);
+            const ownerContext = await resolveBuilderOwnerContext(event, "callback");
             const ownerEmail = ownerContext.email;
             // Diagnostic: log the resolver's inputs for debugging "No active
             // connect flow found" reports. Reveals session-vs-state owner