@pixelbyte-software/pixcode 1.54.1 → 1.54.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pixelbyte-software/pixcode",
3
- "version": "1.54.1",
3
+ "version": "1.54.2",
4
4
  "description": "Self-hosted AI coding agent control room for Claude Code, Cursor CLI, OpenAI Codex, Gemini CLI, Qwen Code, and OpenCode with chat, files, shell, Git, orchestration, API keys, Telegram, MCP, plugins, themes, and desktop/server deployment.",
5
5
  "type": "module",
6
6
  "main": "dist-server/server/index.js",
package/server/index.js CHANGED
@@ -1738,28 +1738,11 @@ app.disable('x-powered-by');
1738
1738
  // in resolvePublicBaseUrl and for rate-limiting middleware if added later).
1739
1739
  app.set('trust proxy', 1);
1740
1740
 
1741
- // Restrict CORS to known origins instead of reflecting any requester.
1742
- // In production the frontend is same-origin; in dev it's the Vite server.
1743
- const ALLOWED_CORS_ORIGINS = (() => {
1744
- const envOrigins = process.env.CORS_ALLOWED_ORIGINS;
1745
- if (envOrigins) {
1746
- return envOrigins.split(',').map((o) => o.trim()).filter(Boolean);
1747
- }
1748
- const devPort = process.env.VITE_PORT || 5173;
1749
- return [
1750
- `http://localhost:${devPort}`,
1751
- `http://127.0.0.1:${devPort}`,
1752
- ];
1753
- })();
1754
-
1741
+ // CORS: self-hosted tool accessed from various IPs/hostnames.
1742
+ // Reflect the requesting origin so IP-based access (e.g. http://85.235.74.198:3001)
1743
+ // works without configuration. Credentials needed for auth header passthrough.
1755
1744
  app.use(cors({
1756
- origin(origin, callback) {
1757
- // Allow same-origin requests (no Origin header) and allowlisted origins.
1758
- if (!origin || ALLOWED_CORS_ORIGINS.includes(origin)) {
1759
- return callback(null, true);
1760
- }
1761
- return callback(null, false);
1762
- },
1745
+ origin: true,
1763
1746
  credentials: true,
1764
1747
  exposedHeaders: ['X-Refreshed-Token'],
1765
1748
  }));
@@ -1776,16 +1759,16 @@ app.use((req, res, next) => {
1776
1759
  if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
1777
1760
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
1778
1761
  }
1779
- // CSP for the SPA shell — API responses are JSON so this mainly guards
1780
- // the served index.html. 'unsafe-inline' is needed for Vite's inline
1781
- // module preload polyfill; style-src unsafe-inline for Tailwind injected styles.
1762
+ // CSP for the SPA shell — relaxed for self-hosted tool accessed from
1763
+ // various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
1764
+ // ws:/wss: in connect-src allows WebSocket from any origin (IP access).
1782
1765
  res.setHeader('Content-Security-Policy', [
1783
1766
  "default-src 'self'",
1784
1767
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1785
1768
  "style-src 'self' 'unsafe-inline'",
1786
1769
  "img-src 'self' data: blob: https:",
1787
1770
  "font-src 'self' data:",
1788
- "connect-src 'self' ws: wss:",
1771
+ "connect-src 'self' ws: wss: http: https:",
1789
1772
  "frame-ancestors 'self'",
1790
1773
  "base-uri 'self'",
1791
1774
  "form-action 'self'",