@agent-native/core 0.26.3 → 0.26.6
- package/dist/cli/skills.d.ts.map +1 -1
- package/dist/cli/skills.js +4 -1
- package/dist/cli/skills.js.map +1 -1
- package/dist/client/mcp-app-host.d.ts +1 -0
- package/dist/client/mcp-app-host.d.ts.map +1 -1
- package/dist/client/mcp-app-host.js +44 -6
- package/dist/client/mcp-app-host.js.map +1 -1
- package/dist/client/resources/ResourceTree.js +1 -1
- package/dist/client/resources/ResourceTree.js.map +1 -1
- package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
- package/dist/client/resources/ResourcesPanel.js.map +1 -1
- package/dist/client/resources/use-resources.d.ts.map +1 -1
- package/dist/client/resources/use-resources.js +1 -4
- package/dist/client/resources/use-resources.js.map +1 -1
- package/dist/client/settings/useBuilderStatus.d.ts +2 -0
- package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
- package/dist/client/settings/useBuilderStatus.js +21 -5
- package/dist/client/settings/useBuilderStatus.js.map +1 -1
- package/dist/client/settings/useBuilderStatus.spec.js +53 -1
- package/dist/client/settings/useBuilderStatus.spec.js.map +1 -1
- package/dist/deploy/build.d.ts.map +1 -1
- package/dist/deploy/build.js +44 -7
- package/dist/deploy/build.js.map +1 -1
- package/dist/mcp/build-server.d.ts.map +1 -1
- package/dist/mcp/build-server.js +95 -8
- package/dist/mcp/build-server.js.map +1 -1
- package/dist/mcp/embed-app.d.ts.map +1 -1
- package/dist/mcp/embed-app.js +247 -30
- package/dist/mcp/embed-app.js.map +1 -1
- package/dist/mcp/server.d.ts +5 -7
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +16 -12
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp-client/builtin-capabilities.d.ts +2 -0
- package/dist/mcp-client/builtin-capabilities.d.ts.map +1 -1
- package/dist/mcp-client/builtin-capabilities.js +20 -0
- package/dist/mcp-client/builtin-capabilities.js.map +1 -1
- package/dist/mcp-client/index.d.ts +1 -1
- package/dist/mcp-client/index.d.ts.map +1 -1
- package/dist/mcp-client/index.js +1 -1
- package/dist/mcp-client/index.js.map +1 -1
- package/dist/mcp-client/routes.d.ts.map +1 -1
- package/dist/mcp-client/routes.js +41 -29
- package/dist/mcp-client/routes.js.map +1 -1
- package/dist/onboarding/default-steps.d.ts.map +1 -1
- package/dist/onboarding/default-steps.js +4 -3
- package/dist/onboarding/default-steps.js.map +1 -1
- package/dist/secrets/storage.d.ts.map +1 -1
- package/dist/secrets/storage.js +4 -1
- package/dist/secrets/storage.js.map +1 -1
- package/dist/server/action-routes.d.ts.map +1 -1
- package/dist/server/action-routes.js +23 -7
- package/dist/server/action-routes.js.map +1 -1
- package/dist/server/agent-chat-plugin.d.ts.map +1 -1
- package/dist/server/agent-chat-plugin.js +10 -5
- package/dist/server/agent-chat-plugin.js.map +1 -1
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +69 -38
- package/dist/server/auth.js.map +1 -1
- package/dist/server/core-routes-plugin.d.ts +12 -1
- package/dist/server/core-routes-plugin.d.ts.map +1 -1
- package/dist/server/core-routes-plugin.js +48 -44
- package/dist/server/core-routes-plugin.js.map +1 -1
- package/dist/server/create-server.d.ts.map +1 -1
- package/dist/server/create-server.js +3 -1
- package/dist/server/create-server.js.map +1 -1
- package/dist/server/credential-provider.d.ts +6 -0
- package/dist/server/credential-provider.d.ts.map +1 -1
- package/dist/server/credential-provider.js +23 -4
- package/dist/server/credential-provider.js.map +1 -1
- package/dist/server/embed-route.d.ts.map +1 -1
- package/dist/server/embed-route.js +28 -2
- package/dist/server/embed-route.js.map +1 -1
- package/dist/server/embed-session.d.ts.map +1 -1
- package/dist/server/embed-session.js +26 -7
- package/dist/server/embed-session.js.map +1 -1
- package/dist/server/index.d.ts +1 -1
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +1 -1
- package/dist/server/index.js.map +1 -1
- package/dist/server/onboarding-html.d.ts.map +1 -1
- package/dist/server/onboarding-html.js +52 -5
- package/dist/server/onboarding-html.js.map +1 -1
- package/dist/server/ssr-handler.d.ts +1 -1
- package/dist/server/ssr-handler.d.ts.map +1 -1
- package/dist/server/ssr-handler.js +23 -10
- package/dist/server/ssr-handler.js.map +1 -1
- package/dist/shared/cache-control.d.ts +2 -0
- package/dist/shared/cache-control.d.ts.map +1 -0
- package/dist/shared/cache-control.js +2 -0
- package/dist/shared/cache-control.js.map +1 -0
- package/dist/shared/mcp-embed-headers.d.ts +2 -1
- package/dist/shared/mcp-embed-headers.d.ts.map +1 -1
- package/dist/shared/mcp-embed-headers.js +3 -1
- package/dist/shared/mcp-embed-headers.js.map +1 -1
- package/dist/templates/workspace-root/package.json +5 -0
- package/docs/content/mcp-clients.md +16 -4
- package/docs/content/mcp-protocol.md +0 -1
- package/docs/content/template-assets.md +5 -0
- package/package.json +2 -2
- package/src/templates/workspace-root/package.json +5 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAkDhE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAwB5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAe7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wB
AAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAqID,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAgHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAqpBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAgID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAimCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}
|
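--- a/package/dist/server/auth.js
+++ b/package/dist/server/auth.js
@@ -2,7 +2,8 @@ import crypto from "node:crypto";
 import { defineEventHandler, getMethod, getQuery, getRequestIP, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, getHeader, } from "h3";
 import { EMBED_START_PATH } from "../shared/embed-auth.js";
 import { EMBED_TARGET_HEADER } from "../shared/embed-auth.js";
-import { resolveEmbedSessionFromRequest } from "./embed-session.js";
+import { resolveEmbedSessionFromRequest, requestHasEmbedAuthMarker, } from "./embed-session.js";
+import { EMBED_TRANSPLANT_HEADER, isMcpEmbedCorsOrigin, MCP_EMBED_CORS_ALLOW_HEADERS, shouldAllowMcpEmbedCredentials, } from "../shared/mcp-embed-headers.js";
 // In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx
 // runtime), event.url and event.req share the same underlying URL object.
 // When registerMiddleware strips the mount prefix from event.url.pathname, it
@@ -49,6 +50,7 @@ import { captureAuthError } from "./sentry.js";
 import { extractOAuthStateAppId } from "../shared/oauth-state.js";
 import { isValidWorkspaceAppIdFormat } from "../shared/workspace-app-id.js";
 import { normalizeWorkspaceAppAudience, workspaceAppAudienceFromEnv, workspaceAppRouteAccessFromEnv, } from "../shared/workspace-app-audience.js";
+import { DEFAULT_SSR_CACHE_CONTROL } from "../shared/cache-control.js";
 import { resolveAuthCookieNamespace } from "./cookie-namespace.js";
 import { BUILDER_CONNECT_OWNER_COOKIE, BUILDER_CONNECT_PARAM, BUILDER_STATE_PARAM, verifyBuilderCallbackStateAndGetOwner, verifyBuilderConnectTokenAndGetOwner, } from "./builder-browser.js";
 // Pure env-read feature switch from a leaf module (no dependency back on
@@ -770,24 +772,41 @@ function applyCorsHeaders(event) {
 const origin = getHeader(event, "origin");
 if (!origin)
 return { hasOrigin: false, allowed: true };
+const requestedHeaders = String(getHeader(event, "access-control-request-headers") ?? "")
+.toLowerCase()
+.split(",")
+.map((header) => header.trim());
+const mcpEmbedCorsRequest = isMcpEmbedCorsOrigin(origin) &&
+(requestHasEmbedAuthMarker(event) ||
+requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||
+requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||
+Boolean(getHeader(event, EMBED_TARGET_HEADER)) ||
+Boolean(getHeader(event, EMBED_TRANSPLANT_HEADER)) ||
+Boolean(getHeader(event, "authorization")));
 const allowedOrigin = getAllowedCorsOrigin(origin, {
 allowedOrigins: readCorsAllowedOrigins(),
 allowLocalhostWhenNoAllowlist: true,
 });
-
+const responseOrigin = mcpEmbedCorsRequest ? origin : allowedOrigin;
+if (!responseOrigin)
 return { hasOrigin: true, allowed: false };
-setResponseHeader(event, "Access-Control-Allow-Origin",
+setResponseHeader(event, "Access-Control-Allow-Origin", responseOrigin);
 setResponseHeader(event, "Vary", "Origin");
-
+if (!mcpEmbedCorsRequest || shouldAllowMcpEmbedCredentials(responseOrigin)) {
+setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
+}
 setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
-setResponseHeader(event, "Access-Control-Allow-Headers",
-
-
-
-
-
-
-
+setResponseHeader(event, "Access-Control-Allow-Headers", mcpEmbedCorsRequest
+? MCP_EMBED_CORS_ALLOW_HEADERS
+: [
+"Content-Type",
+"Authorization",
+"X-Requested-With",
+"X-Request-Source",
+"X-Agent-Native-CSRF",
+"X-User-Timezone",
+EMBED_TARGET_HEADER,
+].join(","));
 return { hasOrigin: true, allowed: true };
 }
 function createAuthCorsHandler() {
@@ -869,22 +888,43 @@ function shouldBypassAuthForBuilderConnect(event, p) {
 const state = queryStart >= 0
 ? new URLSearchParams(url.slice(queryStart + 1)).get(BUILDER_STATE_PARAM)
 : null;
-// The signed `_an_state`
-//
-//
-//
-// the
-
-
-//
+// The signed `_an_state` authenticates this specific Builder callback
+// flow back to our app. A stale localhost session cookie can otherwise
+// make the global guard reject the callback before the handler gets to
+// validate the state and owner. This only bypasses to the callback route;
+// the callback handler still verifies the signed owner / pending flow.
+if (verifyBuilderCallbackStateAndGetOwner(state))
+return true;
+// The legacy owner cookie is broader and can be stale across shared
+// browser sessions, so keep it limited to the session-lost popup case.
 const hasSession = getFrameworkSessionCookieValues(event).length > 0;
 if (hasSession)
 return false;
-return Boolean(
-verifyBuilderConnectTokenAndGetOwner(getCookie(event, BUILDER_CONNECT_OWNER_COOKIE)));
+return Boolean(verifyBuilderConnectTokenAndGetOwner(getCookie(event, BUILDER_CONNECT_OWNER_COOKIE)));
 }
 return false;
 }
+function loginHtmlResponse(loginHtml) {
+return new Response(loginHtml, {
+status: 200,
+headers: {
+"Content-Type": "text/html; charset=utf-8",
+"Cache-Control": DEFAULT_SSR_CACHE_CONTROL,
+"X-Robots-Tag": "noindex, nofollow",
+},
+});
+}
+function isHtmlDocumentRequest(event, pathname) {
+if (!isReadMethod(event))
+return false;
+if (pathname.endsWith(".data"))
+return false;
+const fetchDest = getHeader(event, "sec-fetch-dest")?.toLowerCase();
+if (fetchDest === "document" || fetchDest === "iframe")
+return true;
+const accept = getHeader(event, "accept")?.toLowerCase();
+return !accept || accept.includes("text/html") || accept.includes("*/*");
+}
 function createAuthGuardFn() {
 return async (event) => {
 const config = _authGuardConfig;
@@ -1049,10 +1089,7 @@ function createAuthGuardFn() {
 headers: { Location: safeReturn },
 });
 }
-return
-status: 200,
-headers: { "Content-Type": "text/html; charset=utf-8" },
-});
+return loginHtmlResponse(loginHtml);
 }
 // Auth entry pages are framework-owned pages, not app routes. When a user
 // already has a session, redirect them back to the mounted app instead of
@@ -1065,10 +1102,7 @@ function createAuthGuardFn() {
 headers: { Location: getAppBasePath() || "/" },
 });
 }
-return
-status: 200,
-headers: { "Content-Type": "text/html; charset=utf-8" },
-});
+return loginHtmlResponse(loginHtml);
 }
 // Skip static assets (Vite chunks, fonts, images, etc.)
 if (p.startsWith("/assets/") ||
@@ -1106,6 +1140,10 @@ function createAuthGuardFn() {
 setResponseStatus(event, 401);
 return { error: "Unauthorized" };
 }
+if (!isHtmlDocumentRequest(event, p)) {
+setResponseStatus(event, 401);
+return { error: "Unauthorized" };
+}
 // Local-dev convenience: on the first page GET of a freshly-scaffolded
 // app, transparently create + sign in `dev@local.test` instead of
 // showing the sign-up form. Gated on NODE_ENV=development AND no real users in the
@@ -1116,14 +1154,7 @@ function createAuthGuardFn() {
 if (autoSession)
 return autoSession;
 }
-return
-status: 401,
-headers: {
-"Content-Type": "text/html; charset=utf-8",
-"Cache-Control": "no-store",
-"X-Robots-Tag": "noindex, nofollow",
-},
-});
+return loginHtmlResponse(loginHtml);
 };
 }
 // `.test` is an RFC 6761 reserved TLD that never resolves, so this stays a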
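Review bot: In `applyCorsHeaders`, `const responseOrigin = mcpEmbedCorsRequest ? origin : allowedOrigin;` echoes the request Origin without consulting `readCorsAllowedOrigins()`, so for embed traffic the whole CORS decision rests on `isMcpEmbedCorsOrigin` and `shouldAllowMcpEmbedCredentials`, which are imported from `../shared/mcp-embed-headers.js` and not visible in this section. The qualifying condition is also broad: a bare `Authorization` header from such an origin is enough to take the embed path. I would add a comment above `responseOrigin`, for example `// Embed origins skip the configured allowlist; isMcpEmbedCorsOrigin must match exact trusted origins only.`, and a spec asserting that an origin outside that set which sends the embed headers still falls back to the allowlist. Separately, `requestedHeaders` is lower-cased but only `EMBED_TARGET_HEADER` is lower-cased before `includes`; unless `EMBED_TRANSPLANT_HEADER` is already lower-case, the preflight check should read `requestedHeaders.includes(EMBED_TRANSPLANT_HEADER.toLowerCase())`. The function's signature sits above the first line of its hunk.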