@jhizzard/termdeck 0.3.4 → 0.3.5
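--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@jhizzard/termdeck",
-"version": "0.3.
+"version": "0.3.5",
 "description": "Browser-based terminal multiplexer with metadata overlays, panel flashback memory recall, and AI-aware session management",
 "bin": {
 "termdeck": "./packages/cli/src/index.js"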
@@ -156,9 +156,17 @@ function verifyWebSocketUpgrade(config, req) {
|
|
|
156
156
|
return !!provided && provided === token;
|
|
157
157
|
}
|
|
158
158
|
|
|
159
|
+
// Whether a usable auth token is configured (via config.auth.token or the
|
|
160
|
+
// TERMDECK_AUTH_TOKEN env var). Used by the bind guardrail in index.js to
|
|
161
|
+
// decide whether binding to a non-localhost interface is permitted.
|
|
162
|
+
function hasAuth(config) {
|
|
163
|
+
return !!getConfiguredToken(config);
|
|
164
|
+
}
|
|
165
|
+
|
|
159
166
|
module.exports = {
|
|
160
167
|
createAuthMiddleware,
|
|
161
168
|
verifyWebSocketUpgrade,
|
|
162
169
|
getConfiguredToken,
|
|
170
|
+
hasAuth,
|
|
163
171
|
loginPage
|
|
164
172
|
};
|
|
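Review bot: `hasAuth` accepts any non-empty token, and its comment says it now gates binding to a non-localhost interface, so a one-character or placeholder token satisfies the guardrail. Consider a minimum length here, for example `return String(getConfiguredToken(config) || '').length >= MIN_TOKEN_LENGTH;` (MIN_TOKEN_LENGTH is a placeholder name for a threshold the project would choose), and extend the comment to say the function makes no claim about token strength. `getConfiguredToken` is outside this hunk, so whether it trims whitespace or rejects non-string YAML values is unconfirmed. The context line `provided === token` in `verifyWebSocketUpgrade` is not a constant-time comparison; with network exposure now an explicitly supported mode, `crypto.timingSafeEqual` over equal-length buffers would be the safer form.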
@@ -60,7 +60,7 @@ const { TranscriptWriter } = require('./transcripts');
|
|
|
60
60
|
const { createHealthHandler } = require('./preflight');
|
|
61
61
|
const { themes, statusColors } = require('./themes');
|
|
62
62
|
const { loadConfig, addProject } = require('./config');
|
|
63
|
-
const { createAuthMiddleware, verifyWebSocketUpgrade } = require('./auth');
|
|
63
|
+
const { createAuthMiddleware, verifyWebSocketUpgrade, hasAuth } = require('./auth');
|
|
64
64
|
|
|
65
65
|
function createServer(config) {
|
|
66
66
|
const app = express();
|
|
@@ -852,10 +852,23 @@ if (require.main === module) {
|
|
|
852
852
|
config.sessionLogs = { ...(config.sessionLogs || {}), enabled: true };
|
|
853
853
|
}
|
|
854
854
|
|
|
855
|
-
const { server, transcriptWriter } = createServer(config);
|
|
856
855
|
const port = config.port || 3000;
|
|
857
856
|
const host = config.host || '127.0.0.1';
|
|
858
857
|
|
|
858
|
+
// Bind guardrail (Sprint 10 T1): refuse to start on a non-localhost
|
|
859
|
+
// interface unless an auth token is configured. Binding 0.0.0.0 without
|
|
860
|
+
// auth is equivalent to publishing a root shell on the LAN — fail closed.
|
|
861
|
+
if (host !== '127.0.0.1' && host !== 'localhost' && host !== '::1') {
|
|
862
|
+
if (!hasAuth(config)) {
|
|
863
|
+
console.error('[security] Refusing to bind to ' + host + ' without auth.token set.');
|
|
864
|
+
console.error('[security] Set auth.token in ~/.termdeck/config.yaml or TERMDECK_AUTH_TOKEN env var.');
|
|
865
|
+
console.error('[security] To bind locally only, remove the host setting or set host: 127.0.0.1');
|
|
866
|
+
process.exit(1);
|
|
867
|
+
}
|
|
868
|
+
}
|
|
869
|
+
|
|
870
|
+
const { server, transcriptWriter } = createServer(config);
|
|
871
|
+
|
|
859
872
|
// Graceful shutdown — flush transcript buffer before exit
|
|
860
873
|
let shutdownInProgress = false;
|
|
861
874
|
async function handleShutdown(signal) {
|
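Review bot: The bind guardrail lives inside the `if (require.main === module)` block, so it runs only when this file is started directly, while package.json's `bin` points at `./packages/cli/src/index.js`; if that entry point (not visible here) calls `createServer(config)` and listens on `config.host` itself, the check is never reached. I would move the check into a small function next to `createServer`, export it, and call it from every path that binds, as sketched below with a proposed name. The host test is an exact string match, so any other loopback spelling is treated as non-local and requires a token; that fails closed and deserves a one-line comment saying so. The enclosing `require.main` block starts before and continues past this hunk.

```javascript
// Throws unless `host` is one of the three accepted loopback spellings or an
// auth token is configured. Exact match only: anything else requires auth.
function assertBindAllowed(config, host) {
  const isLoopback = host === '127.0.0.1' || host === 'localhost' || host === '::1';
  if (!isLoopback && !hasAuth(config)) {
    throw new Error('Refusing to bind to ' + host + ' without auth.token set.');
  }
}

// … in the require.main block, after `host` is computed …
try {
  assertBindAllowed(config, host);
} catch (err) {
  console.error('[security] ' + err.message);
  // … unchanged: the two remaining [security] hint lines …
  process.exit(1);
}
// … unchanged: createServer(config) and graceful shutdown …
```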