@pixelbyte-software/pixcode 1.54.1 → 1.54.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pixelbyte-software/pixcode",
|
|
3
|
-
"version": "1.54.
|
|
3
|
+
"version": "1.54.2",
|
|
4
4
|
"description": "Self-hosted AI coding agent control room for Claude Code, Cursor CLI, OpenAI Codex, Gemini CLI, Qwen Code, and OpenCode with chat, files, shell, Git, orchestration, API keys, Telegram, MCP, plugins, themes, and desktop/server deployment.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist-server/server/index.js",
|
package/server/index.js
CHANGED
|
@@ -1738,28 +1738,11 @@ app.disable('x-powered-by');
|
|
|
1738
1738
|
// in resolvePublicBaseUrl and for rate-limiting middleware if added later).
|
|
1739
1739
|
app.set('trust proxy', 1);
|
|
1740
1740
|
|
|
1741
|
-
//
|
|
1742
|
-
//
|
|
1743
|
-
|
|
1744
|
-
const envOrigins = process.env.CORS_ALLOWED_ORIGINS;
|
|
1745
|
-
if (envOrigins) {
|
|
1746
|
-
return envOrigins.split(',').map((o) => o.trim()).filter(Boolean);
|
|
1747
|
-
}
|
|
1748
|
-
const devPort = process.env.VITE_PORT || 5173;
|
|
1749
|
-
return [
|
|
1750
|
-
`http://localhost:${devPort}`,
|
|
1751
|
-
`http://127.0.0.1:${devPort}`,
|
|
1752
|
-
];
|
|
1753
|
-
})();
|
|
1754
|
-
|
|
1741
|
+
// CORS: self-hosted tool accessed from various IPs/hostnames.
|
|
1742
|
+
// Reflect the requesting origin so IP-based access (e.g. http://85.235.74.198:3001)
|
|
1743
|
+
// works without configuration. Credentials needed for auth header passthrough.
|
|
1755
1744
|
app.use(cors({
|
|
1756
|
-
origin
|
|
1757
|
-
// Allow same-origin requests (no Origin header) and allowlisted origins.
|
|
1758
|
-
if (!origin || ALLOWED_CORS_ORIGINS.includes(origin)) {
|
|
1759
|
-
return callback(null, true);
|
|
1760
|
-
}
|
|
1761
|
-
return callback(null, false);
|
|
1762
|
-
},
|
|
1745
|
+
origin: true,
|
|
1763
1746
|
credentials: true,
|
|
1764
1747
|
exposedHeaders: ['X-Refreshed-Token'],
|
|
1765
1748
|
}));
|
|
@@ -1776,16 +1759,16 @@ app.use((req, res, next) => {
|
|
|
1776
1759
|
if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
|
|
1777
1760
|
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
1778
1761
|
}
|
|
1779
|
-
// CSP for the SPA shell —
|
|
1780
|
-
//
|
|
1781
|
-
//
|
|
1762
|
+
// CSP for the SPA shell — relaxed for self-hosted tool accessed from
|
|
1763
|
+
// various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
|
|
1764
|
+
// ws:/wss: in connect-src allows WebSocket from any origin (IP access).
|
|
1782
1765
|
res.setHeader('Content-Security-Policy', [
|
|
1783
1766
|
"default-src 'self'",
|
|
1784
1767
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval'",
|
|
1785
1768
|
"style-src 'self' 'unsafe-inline'",
|
|
1786
1769
|
"img-src 'self' data: blob: https:",
|
|
1787
1770
|
"font-src 'self' data:",
|
|
1788
|
-
"connect-src 'self' ws: wss:",
|
|
1771
|
+
"connect-src 'self' ws: wss: http: https:",
|
|
1789
1772
|
"frame-ancestors 'self'",
|
|
1790
1773
|
"base-uri 'self'",
|
|
1791
1774
|
"form-action 'self'",
|