@geminilight/mindos 0.5.37 → 0.5.39

package/app/app/api/auth/route.ts

@@ -5,33 +5,85 @@ import { signJwt } from '@/lib/jwt';
 const COOKIE_NAME = 'mindos-session';
 const COOKIE_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
 
+// Allowed CORS origins for cross-origin auth (Capacitor, Electron remote).
+// Localhost variants are always allowed; custom origins can be added here.
+const ALLOWED_ORIGIN_PATTERNS = [
+  /^https?:\/\/localhost(:\d+)?$/,
+  /^https?:\/\/127\.0\.0\.1(:\d+)?$/,
+  /^https?:\/\/\[::1\](:\d+)?$/,
+  /^capacitor:\/\//,
+  /^file:\/\//,
+];
+
+function isAllowedOrigin(origin: string): boolean {
+  return ALLOWED_ORIGIN_PATTERNS.some((p) => p.test(origin));
+}
+
+/** CORS headers — validate origin against allowlist */
+function getAuthCors(req: NextRequest): Record<string, string> {
+  const origin = req.headers.get('origin');
+  // No origin header (same-origin browser request or non-browser client) → no CORS needed
+  if (!origin) return {};
+  // Validate origin
+  if (!isAllowedOrigin(origin)) return {};
+  return {
+    'Access-Control-Allow-Origin': origin,
+    'Access-Control-Allow-Methods': 'POST, DELETE, OPTIONS',
+    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+    'Access-Control-Allow-Credentials': 'true',
+  };
+}
+
+function withCors(res: NextResponse, req: NextRequest): NextResponse {
+  for (const [k, v] of Object.entries(getAuthCors(req))) res.headers.set(k, v);
+  return res;
+}
+
+// OPTIONS /api/auth — CORS preflight
+export async function OPTIONS(req: NextRequest) {
+  const headers = getAuthCors(req);
+  if (Object.keys(headers).length === 0) {
+    return new Response(null, { status: 204 });
+  }
+  return new Response(null, { status: 204, headers });
+}
+
 // POST /api/auth — validate password and set JWT session cookie
 export async function POST(req: NextRequest) {
   const webPassword = process.env.WEB_PASSWORD;
-  if (!webPassword) return NextResponse.json({ ok: false }, { status: 401 });
+  if (!webPassword) return withCors(NextResponse.json({ ok: false }, { status: 401 }), req);
 
-  const body = await req.json().catch(() => ({})) as { password?: string };
-  if (body.password !== webPassword) return NextResponse.json({ ok: false }, { status: 401 });
+  const body = await req.json().catch(() => null);
+  if (!body || typeof body !== 'object') {
+    return withCors(NextResponse.json({ error: 'Invalid request body' }, { status: 400 }), req);
+  }
+  const { password } = body as { password?: string };
+  if (password !== webPassword) return withCors(NextResponse.json({ ok: false }, { status: 401 }), req);
 
   const token = await signJwt(
     { sub: 'user', exp: Math.floor(Date.now() / 1000) + COOKIE_MAX_AGE },
     webPassword,
   );
 
-  // Only set Secure flag when served over HTTPS (x-forwarded-proto set by reverse proxy)
   const isHttps = req.headers.get('x-forwarded-proto') === 'https';
+  const origin = req.headers.get('origin');
+  // Cross-origin requests need SameSite=None + Secure (HTTPS required by spec).
+  // Same-origin or no-origin → use Lax (works over HTTP).
+  const isCrossOrigin = !!origin && isAllowedOrigin(origin);
+  const sameSite = isCrossOrigin && isHttps ? 'None' : 'Lax';
   const secure = isHttps ? '; Secure' : '';
+
   const res = NextResponse.json({ ok: true });
   res.headers.set(
     'Set-Cookie',
-    `${COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${COOKIE_MAX_AGE}; Path=/${secure}`,
+    `${COOKIE_NAME}=${token}; HttpOnly; SameSite=${sameSite}; Max-Age=${COOKIE_MAX_AGE}; Path=/${secure}`,
   );
-  return res;
+  return withCors(res, req);
 }
 
 // DELETE /api/auth — clear session cookie (logout)
-export async function DELETE() {
+export async function DELETE(req: NextRequest) {
   const res = NextResponse.json({ ok: true });
-  res.headers.set('Set-Cookie', `${COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/`);
-  return res;
+  res.headers.set('Set-Cookie', `${COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/`);
+  return withCors(res, req);
 }

package/app/app/api/health/route.ts

@@ -1,6 +1,51 @@
 export const dynamic = 'force-dynamic';
 import { NextResponse } from 'next/server';
+import { readFileSync } from 'fs';
+import { join, dirname } from 'path';
+
+/**
+ * Read version from root package.json.
+ * Tries multiple paths to handle dev, production, and standalone builds.
+ */
+function readVersion(): string {
+  // 1. Env var set by CLI (most reliable)
+  if (process.env.npm_package_version) return process.env.npm_package_version;
+
+  // 2. Try known relative paths from Next.js app directory
+  const candidates = [
+    join(process.cwd(), '..', 'package.json'),    // dev: app/ → root
+    join(process.cwd(), 'package.json'),           // if cwd is root
+    join(dirname(process.cwd()), 'package.json'),  // standalone edge case
+  ];
+
+  for (const p of candidates) {
+    try {
+      const pkg = JSON.parse(readFileSync(p, 'utf-8'));
+      if (pkg.name === '@geminilight/mindos' && pkg.version) return pkg.version;
+    } catch { /* try next */ }
+  }
+  return '0.0.0';
+}
+
+const version = readVersion();
+
+const CORS_HEADERS: Record<string, string> = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Methods': 'GET, OPTIONS',
+  'Access-Control-Allow-Headers': 'Content-Type',
+};
 
 export async function GET() {
-  return NextResponse.json({ ok: true, service: 'mindos' });
+  const res = NextResponse.json({
+    ok: true,
+    service: 'mindos',
+    version,
+    authRequired: !!process.env.WEB_PASSWORD,
+  });
+  for (const [k, v] of Object.entries(CORS_HEADERS)) res.headers.set(k, v);
+  return res;
+}
+
+export async function OPTIONS() {
+  return new Response(null, { status: 204, headers: CORS_HEADERS });
 }

package/app/app/globals.css

@@ -303,7 +303,6 @@ body {
 .dark .modal-backdrop {
   background: rgba(0, 0, 0, 0.65);
 }
-}
 
 /* Micro type scale: text-2xs = 10px (between nothing and text-xs 12px) */
 @layer utilities {

package/app/app/page.tsx

@@ -1,12 +1,56 @@
 import { redirect } from 'next/navigation';
 import { readSettings } from '@/lib/settings';
-import { getRecentlyModified, getFileContent } from '@/lib/fs';
+import { getRecentlyModified, getFileContent, getFileTree } from '@/lib/fs';
 import { getAllRenderers } from '@/lib/renderers/registry';
 import '@/lib/renderers/index'; // registers all renderers
 import HomeContent from '@/components/HomeContent';
+import type { FileNode } from '@/lib/core/types';
 
 export const dynamic = 'force-dynamic';
 
+export interface SpaceInfo {
+  name: string;
+  path: string;
+  fileCount: number;
+  description: string;  // first paragraph from README.md (after title)
+}
+
+function countFiles(node: FileNode): number {
+  if (node.type === 'file') return 1;
+  return (node.children ?? []).reduce((sum, c) => sum + countFiles(c), 0);
+}
+
+/** Extract the first non-empty paragraph after the title from a README.md */
+function extractDescription(spacePath: string): string {
+  try {
+    const content = getFileContent(spacePath + 'README.md');
+    const lines = content.split('\n');
+    // Skip title line (# ...) and blank lines, return first non-empty non-heading line
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith('#')) continue;
+      return trimmed;
+    }
+  } catch { /* README.md doesn't exist */ }
+  return '';
+}
+
+function getTopLevelDirs(): SpaceInfo[] {
+  try {
+    const tree = getFileTree();
+    return tree
+      .filter(n => n.type === 'directory' && !n.name.startsWith('.'))
+      .map(n => ({
+        name: n.name,
+        path: n.path + '/',
+        fileCount: countFiles(n),
+        description: extractDescription(n.path + '/'),
+      }));
+  } catch {
+    return [];
+  }
+}
+
 function getExistingFiles(paths: string[]): string[] {
   return paths.filter(p => {
     try { getFileContent(p); return true; } catch { return false; }
@@ -30,5 +74,7 @@ export default function HomePage() {
     .filter((p): p is string => !!p);
   const existingFiles = getExistingFiles(entryPaths);
 
-  return <HomeContent recent={recent} existingFiles={existingFiles} />;
+  const spaces = getTopLevelDirs();
+
+  return <HomeContent recent={recent} existingFiles={existingFiles} spaces={spaces} />;
 }