@lamalibre/portlama-agent 1.0.22 → 1.0.23

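--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@lamalibre/portlama-agent",
- "version": "1.0.22",
+ "version": "1.0.23",
  "description": "Tunnel agent for Portlama — manages Chisel tunnel client as a system service",
  "type": "module",
  "license": "SEE LICENSE IN LICENSE.md",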
@@ -21,7 +21,7 @@ import { agentDataDir, agentPluginsFile, agentPluginsDir } from './platform.js';
21
21
  const RESERVED_NAMES = [
22
22
  'health', 'onboarding', 'invite', 'enroll', 'tunnels', 'sites', 'system',
23
23
  'services', 'logs', 'users', 'certs', 'invitations', 'plugins', 'tickets',
24
- 'settings', 'identity', 'storage', 'agents',
24
+ 'settings', 'identity', 'storage', 'agents', 'user-access',
25
25
  ];
26
26
 
27
27
  // --- Promise-chain mutex (serialises registry modifications) ---
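Review bot: `RESERVED_NAMES` still lacks `'plugin-bundles'`, and the panel server's auth check in this release returns early for every URL under `/plugin-bundles/`, ahead of the new `/<pluginName>/api/` pattern. If plugin names are used as URL prefixes, as the comment in that change suggests, a plugin registered under that name would have its server routes exempt from the client-certificate header test; adding `'plugin-bundles'` to the list closes that. The same applies to the second copy of the list in the next file section, and since the two copies had already drifted apart before this release, a single exported constant shared by both modules would keep them in step.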
@@ -7,7 +7,8 @@ import { localDir, localPluginsFile, localPluginsDir } from './platform.js';
7
7
  // Reserved names that cannot be used as plugin names (matches panel-server constants).
8
8
  const RESERVED_NAMES = [
9
9
  'health', 'onboarding', 'invite', 'enroll', 'tunnels', 'sites', 'system',
10
- 'services', 'logs', 'users', 'certs', 'invitations', 'plugins', 'tickets', 'settings',
10
+ 'services', 'logs', 'users', 'certs', 'invitations', 'plugins', 'tickets',
11
+ 'settings', 'identity', 'storage', 'agents', 'user-access',
11
12
  ];
12
13
 
13
14
  // --- Promise-chain mutex (serialises registry modifications) ---
@@ -67,8 +67,14 @@ export async function startPanelServer(label, { port = 9393 } = {}) {
67
67
  // Allow health check without auth
68
68
  if (request.url === '/api/health') return;
69
69
 
70
- // Static assets don't need API-level auth (nginx already verified mTLS)
71
- if (!request.url.startsWith('/api')) return;
70
+ // Plugin bundles are intentionally public (loaded via <script> tag)
71
+ if (request.url.startsWith('/plugin-bundles/')) return;
72
+
73
+ // Auth is required for /api/* routes AND plugin server routes (/<pluginName>/api/...).
74
+ // Static assets (SPA files) are served by fastify-static and don't need auth.
75
+ const needsAuth = request.url.startsWith('/api') ||
76
+ /^\/[a-z0-9-]+\/api\//.test(request.url);
77
+ if (!needsAuth) return;
72
78
 
73
79
  const verify = request.headers['x-ssl-client-verify'];
74
80
  if (verify !== 'SUCCESS') {
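Review bot: The early returns make this check default-allow and decide it from the raw `request.url`, so any request that fails both `startsWith('/api')` and `/^\/[a-z0-9-]+\/api\//` never reaches the `x-ssl-client-verify` test below. The raw URL keeps its query string, percent-encoding and letter case, and the pattern only covers plugin names in `[a-z0-9-]`, so the string tested here can differ from the route the router actually dispatches. Consider testing the matched route instead, e.g. `const routePath = request.routeOptions?.url ?? '';` where the Fastify version in use provides it, or inverting the logic so that only an explicit list of public prefixes returns early. The `/plugin-bundles/` comment should also say that bundles must not contain secrets or per-user data, since that prefix is exempt from the header check. The enclosing hook and the rest of `startPanelServer` lie outside this hunk, so how routes and the static handler are registered is not visible here.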