@hunsu/bridge 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -167,7 +167,7 @@ function createStudioServerSecurity(options, runtimeConfig) {
167
167
  allowNoOrigin: options?.allowNoOrigin ?? true
168
168
  };
169
169
  }
170
- function evaluateStudioRequestSecurity(request, url, security) {
170
+ function evaluateStudioRequestSecurity(request, url, security, options = {}) {
171
171
  const origin = requestHeader(request, "origin");
172
172
  const corsHeaders = corsHeadersForOrigin(origin, security);
173
173
  if (origin && corsHeaders === undefined) {
@@ -187,7 +187,7 @@ function evaluateStudioRequestSecurity(request, url, security) {
187
187
  };
188
188
  }
189
189
  const headers = corsHeaders ?? baseCorsHeaders();
190
- if (security.authToken && !isPublicBridgeRequest(url) && !hasValidBridgeApiToken(request, url, security.authToken)) {
190
+ if (!options.skipAuth && security.authToken && !isPublicBridgeRequest(url) && !hasValidBridgeApiToken(request, url, security.authToken)) {
191
191
  return {
192
192
  allowed: false,
193
193
  status: 401,
@@ -666,7 +666,7 @@ export function createStudioServer(options = {}) {
666
666
  try {
667
667
  const url = new URL(request.url ?? "/", "http://localhost");
668
668
  const pathname = url.pathname;
669
- const requestSecurity = evaluateStudioRequestSecurity(request, url, security);
669
+ const requestSecurity = evaluateStudioRequestSecurity(request, url, security, { skipAuth: request.method === "OPTIONS" });
670
670
  responseSecurityHeaders.set(response, requestSecurity.corsHeaders);
671
671
  if (request.method === "OPTIONS") {
672
672
  sendJson(response, requestSecurity.allowed ? 204 : requestSecurity.status ?? 403, requestSecurity.allowed ? {} : { error: requestSecurity.error ?? "Origin is not allowed." });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@hunsu/bridge",
3
- "version": "0.1.1",
3
+ "version": "0.1.2",
4
4
  "private": false,
5
5
  "description": "Hunsu Bridge localhost runtime and Studio API server.",
6
6
  "license": "Apache-2.0",
@@ -29,9 +29,9 @@
29
29
  "dependencies": {
30
30
  "@hunsu/codex-runner": "0.1.1",
31
31
  "@hunsu/core": "0.1.1",
32
+ "@hunsu/config": "0.1.1",
32
33
  "@hunsu/protocol": "0.1.1",
33
- "@hunsu/protocol-registry": "0.1.1",
34
- "@hunsu/config": "0.1.1"
34
+ "@hunsu/protocol-registry": "0.1.1"
35
35
  },
36
36
  "scripts": {
37
37
  "dev": "node --watch src/index.ts",
package/src/index.ts CHANGED
@@ -1170,7 +1170,7 @@ function createStudioServerSecurity(options: StudioServerSecurityOptions | undef
1170
1170
  };
1171
1171
  }
1172
1172
 
1173
- function evaluateStudioRequestSecurity(request: IncomingMessage, url: URL, security: StudioServerSecurity): StudioRequestSecurity {
1173
+ function evaluateStudioRequestSecurity(request: IncomingMessage, url: URL, security: StudioServerSecurity, options: { skipAuth?: boolean } = {}): StudioRequestSecurity {
1174
1174
  const origin = requestHeader(request, "origin");
1175
1175
  const corsHeaders = corsHeadersForOrigin(origin, security);
1176
1176
  if (origin && corsHeaders === undefined) {
@@ -1190,7 +1190,7 @@ function evaluateStudioRequestSecurity(request: IncomingMessage, url: URL, secur
1190
1190
  };
1191
1191
  }
1192
1192
  const headers = corsHeaders ?? baseCorsHeaders();
1193
- if (security.authToken && !isPublicBridgeRequest(url) && !hasValidBridgeApiToken(request, url, security.authToken)) {
1193
+ if (!options.skipAuth && security.authToken && !isPublicBridgeRequest(url) && !hasValidBridgeApiToken(request, url, security.authToken)) {
1194
1194
  return {
1195
1195
  allowed: false,
1196
1196
  status: 401,
@@ -1700,7 +1700,7 @@ export function createStudioServer(options: StudioServerOptions = {}) {
1700
1700
  try {
1701
1701
  const url = new URL(request.url ?? "/", "http://localhost");
1702
1702
  const pathname = url.pathname;
1703
- const requestSecurity = evaluateStudioRequestSecurity(request, url, security);
1703
+ const requestSecurity = evaluateStudioRequestSecurity(request, url, security, { skipAuth: request.method === "OPTIONS" });
1704
1704
  responseSecurityHeaders.set(response, requestSecurity.corsHeaders);
1705
1705
  if (request.method === "OPTIONS") {
1706
1706
  sendJson(response, requestSecurity.allowed ? 204 : requestSecurity.status ?? 403, requestSecurity.allowed ? {} : { error: requestSecurity.error ?? "Origin is not allowed." });