@nsxbet/admin-sdk 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/README.md +6 -4
  2. package/dist/router/url-allowlist.d.ts +6 -2
  3. package/dist/router/url-allowlist.js +9 -3
  4. package/dist/sdk-version.js +1 -1
  5. package/package.json +1 -1
package/README.md CHANGED
@@ -454,7 +454,7 @@ TypeScript declarations for environment variables and platform API:
454
454
 
455
455
  declare global {
456
456
  interface ImportMetaEnv {
457
- readonly VITE_ALLOWED_MODULE_ORIGINS?: string;
457
+ readonly VITE_ALLOWED_MODULE_ORIGINS?: string; // legacy build-time fallback
458
458
  }
459
459
 
460
460
  interface ImportMeta {
@@ -501,7 +501,7 @@ MOCK_AUTH=true
501
501
  # Module URL allowlist (shell mode only). Comma-separated patterns.
502
502
  # Supports *.domain wildcard (e.g. *.nsx.dev matches modules.nsx.dev, nsx.dev).
503
503
  # In dev mode, localhost and 127.0.0.1 are always allowed.
504
- # VITE_ALLOWED_MODULE_ORIGINS=*.nsx.dev,*.nsx.services
504
+ # ALLOWED_MODULE_ORIGINS=*.nsx.dev,*.nsx.services
505
505
  ```
506
506
 
507
507
  ## Manifest Schema (`admin.module.json`)
@@ -1129,13 +1129,15 @@ ADMIN_GATEWAY_URL=https://admin-bff-stg.nsx.dev
1129
1129
 
1130
1130
  ## Module URL Allowlist (Shell Mode)
1131
1131
 
1132
- When the shell loads modules dynamically from URLs, it validates each URL against `VITE_ALLOWED_MODULE_ORIGINS` before `import()` or `loadScript()`.
1132
+ When the shell loads modules dynamically from URLs, it validates each URL against `ALLOWED_MODULE_ORIGINS` before `import()` or `loadScript()`.
1133
+
1134
+ **Resolution order:** `window.__ENV__.ALLOWED_MODULE_ORIGINS` (runtime) → `import.meta.env.VITE_ALLOWED_MODULE_ORIGINS` (build-time fallback).
1133
1135
 
1134
1136
  **Format:** Comma-separated patterns supporting `*.domain` wildcard (e.g. `*.nsx.dev` matches `modules.nsx.dev`, `cdn.nsx.dev`, and apex `nsx.dev`).
1135
1137
 
1136
1138
  **Dev mode:** `localhost` and `127.0.0.1` are always allowed regardless of the allowlist, so local dev servers work without configuration.
1137
1139
 
1138
- **Production:** Set `VITE_ALLOWED_MODULE_ORIGINS` in your build environment. If unset or empty, all module loads fail with a clear error.
1140
+ **Production:** Set `ALLOWED_MODULE_ORIGINS` in your environment (K8s `envs`, Docker `-e`, or `.env` locally). If unset or empty, all module loads fail with a clear error.
1139
1141
 
1140
1142
  ## BFF / Okta cookie auth (recommended)
1141
1143
 
package/dist/router/url-allowlist.d.ts CHANGED
@@ -1,12 +1,16 @@
1
1
  /**
2
2
  * Module URL allowlist validation
3
3
  *
4
- * Validates module URLs against VITE_ALLOWED_MODULE_ORIGINS before
4
+ * Validates module URLs against ALLOWED_MODULE_ORIGINS before
5
5
  * import() or loadScript() to prevent loading code from untrusted origins.
6
+ *
7
+ * Resolution order:
8
+ * 1. window.__ENV__.ALLOWED_MODULE_ORIGINS (runtime — Docker/K8s)
9
+ * 2. import.meta.env.VITE_ALLOWED_MODULE_ORIGINS (build-time — local dev)
6
10
  */
7
11
  /** Options for validateModuleUrl (used by tests to override env) */
8
12
  export interface ValidateModuleUrlOptions {
9
- /** Override allowlist (comma-separated patterns). Default: VITE_ALLOWED_MODULE_ORIGINS */
13
+ /** Override allowlist (comma-separated patterns). Default: ALLOWED_MODULE_ORIGINS */
10
14
  allowlist?: string;
11
15
  /** Override dev mode. Default: import.meta.env.DEV */
12
16
  isDev?: boolean;
package/dist/router/url-allowlist.js CHANGED
@@ -1,8 +1,12 @@
1
1
  /**
2
2
  * Module URL allowlist validation
3
3
  *
4
- * Validates module URLs against VITE_ALLOWED_MODULE_ORIGINS before
4
+ * Validates module URLs against ALLOWED_MODULE_ORIGINS before
5
5
  * import() or loadScript() to prevent loading code from untrusted origins.
6
+ *
7
+ * Resolution order:
8
+ * 1. window.__ENV__.ALLOWED_MODULE_ORIGINS (runtime — Docker/K8s)
9
+ * 2. import.meta.env.VITE_ALLOWED_MODULE_ORIGINS (build-time — local dev)
6
10
  */
7
11
  /**
8
12
  * Parse allowlist patterns from comma-separated string.
@@ -48,14 +52,16 @@ export function validateModuleUrl(url, options) {
48
52
  }
49
53
  const hostname = parsed.hostname;
50
54
  const isDev = options?.isDev ?? import.meta.env.DEV === true;
51
- const rawAllowlist = options?.allowlist ?? import.meta.env.VITE_ALLOWED_MODULE_ORIGINS;
55
+ const rawAllowlist = options?.allowlist
56
+ ?? (typeof window !== 'undefined' ? window.__ENV__?.ALLOWED_MODULE_ORIGINS : undefined)
57
+ ?? import.meta.env.VITE_ALLOWED_MODULE_ORIGINS;
52
58
  // Dev mode: always allow localhost and 127.0.0.1
53
59
  if (isDev && (hostname === 'localhost' || hostname === '127.0.0.1')) {
54
60
  return;
55
61
  }
56
62
  const patterns = getAllowlistPatterns(rawAllowlist);
57
63
  if (patterns.length === 0) {
58
- throw new Error(`[DynamicModule] Module URL "${url}" rejected: VITE_ALLOWED_MODULE_ORIGINS is not set or empty. ` +
64
+ throw new Error(`[DynamicModule] Module URL "${url}" rejected: ALLOWED_MODULE_ORIGINS is not set or empty. ` +
59
65
  'Configure trusted origins (e.g. *.nsx.dev,*.nsx.services) in your environment.');
60
66
  }
61
67
  const allowed = patterns.some((p) => hostnameMatchesPattern(hostname, p));
package/dist/sdk-version.js CHANGED
@@ -2,4 +2,4 @@
2
2
  * Semver of @nsxbet/admin-sdk (synced from package.json by scripts/write-sdk-version.mjs).
3
3
  * Do not edit manually — run `node scripts/write-sdk-version.mjs` after version bumps.
4
4
  */
5
- export const SDK_PACKAGE_VERSION = "0.9.0";
5
+ export const SDK_PACKAGE_VERSION = "0.9.1";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nsxbet/admin-sdk",
3
- "version": "0.9.0",
3
+ "version": "0.9.1",
4
4
  "description": "SDK for building NSX Admin modules with integrated shell",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",