@pixelbyte-software/pixcode 1.54.1 → 1.54.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.html CHANGED
@@ -35,7 +35,7 @@
35
35
 
36
36
  <!-- Prevent zoom on iOS -->
37
37
  <meta name="format-detection" content="telephone=no" />
38
- <script type="module" crossorigin src="/assets/index-CLO8YURv.js"></script>
38
+ <script type="module" crossorigin src="/assets/index-CwwdokVl.js"></script>
39
39
  <link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
40
40
  <link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
41
41
  <link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
@@ -1555,27 +1555,11 @@ app.disable('x-powered-by');
1555
1555
  // running behind nginx/Caddy/etc. (needed for correct protocol detection
1556
1556
  // in resolvePublicBaseUrl and for rate-limiting middleware if added later).
1557
1557
  app.set('trust proxy', 1);
1558
- // Restrict CORS to known origins instead of reflecting any requester.
1559
- // In production the frontend is same-origin; in dev it's the Vite server.
1560
- const ALLOWED_CORS_ORIGINS = (() => {
1561
- const envOrigins = process.env.CORS_ALLOWED_ORIGINS;
1562
- if (envOrigins) {
1563
- return envOrigins.split(',').map((o) => o.trim()).filter(Boolean);
1564
- }
1565
- const devPort = process.env.VITE_PORT || 5173;
1566
- return [
1567
- `http://localhost:${devPort}`,
1568
- `http://127.0.0.1:${devPort}`,
1569
- ];
1570
- })();
1558
+ // CORS: self-hosted tool accessed from various IPs/hostnames.
1559
+ // Reflect the requesting origin so IP-based access (e.g. http://85.235.74.198:3001)
1560
+ // works without configuration. Credentials needed for auth header passthrough.
1571
1561
  app.use(cors({
1572
- origin(origin, callback) {
1573
- // Allow same-origin requests (no Origin header) and allowlisted origins.
1574
- if (!origin || ALLOWED_CORS_ORIGINS.includes(origin)) {
1575
- return callback(null, true);
1576
- }
1577
- return callback(null, false);
1578
- },
1562
+ origin: true,
1579
1563
  credentials: true,
1580
1564
  exposedHeaders: ['X-Refreshed-Token'],
1581
1565
  }));
@@ -1591,16 +1575,16 @@ app.use((req, res, next) => {
1591
1575
  if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
1592
1576
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
1593
1577
  }
1594
- // CSP for the SPA shell — API responses are JSON so this mainly guards
1595
- // the served index.html. 'unsafe-inline' is needed for Vite's inline
1596
- // module preload polyfill; style-src unsafe-inline for Tailwind injected styles.
1578
+ // CSP for the SPA shell — relaxed for self-hosted tool accessed from
1579
+ // various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
1580
+ // ws:/wss: in connect-src allows WebSocket from any origin (IP access).
1597
1581
  res.setHeader('Content-Security-Policy', [
1598
1582
  "default-src 'self'",
1599
1583
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1600
1584
  "style-src 'self' 'unsafe-inline'",
1601
1585
  "img-src 'self' data: blob: https:",
1602
1586
  "font-src 'self' data:",
1603
- "connect-src 'self' ws: wss:",
1587
+ "connect-src 'self' ws: wss: http: https:",
1604
1588
  "frame-ancestors 'self'",
1605
1589
  "base-uri 'self'",
1606
1590
  "form-action 'self'",
@@ -5057,26 +5041,38 @@ async function startServer() {
5057
5041
  restoreRequestedTunnel({ port: Number(SERVER_PORT) }).catch((err) => {
5058
5042
  console.warn('[external-access] tunnel restore failed:', err?.message || err);
5059
5043
  });
5060
- // Auto-open browser unless explicitly disabled
5044
+ // Auto-open browser unless explicitly disabled or headless
5061
5045
  if (process.env.PIXCODE_NO_BROWSER !== '1') {
5062
5046
  const openUrl = `http://${DISPLAY_HOST}:${SERVER_PORT}`;
5063
- try {
5064
- // Use spawn with an argument array instead of exec with a
5065
- // shell string to prevent command injection through the
5066
- // host/port values (which come from env vars).
5067
- const { spawn: spawnBrowser } = await import('node:child_process');
5068
- const browserBin = process.platform === 'darwin' ? 'open'
5069
- : process.platform === 'win32' ? 'cmd'
5070
- : 'xdg-open';
5071
- const browserArgs = process.platform === 'win32'
5072
- ? ['/c', 'start', '', openUrl]
5073
- : [openUrl];
5074
- spawnBrowser(browserBin, browserArgs, { stdio: 'ignore', timeout: 3000, detached: true, shell: false }).unref();
5075
- console.log(`${c.ok('[OK]')} Opening browser at ${c.bright(openUrl)}`);
5076
- }
5077
- catch {
5047
+ // Skip browser opening on headless servers (no DISPLAY on Linux,
5048
+ // or xdg-open not installed) common for VPS/cloud deployments.
5049
+ const isHeadless = process.platform === 'linux' && (!process.env.DISPLAY || process.env.DISPLAY === '' ||
5050
+ !fs.existsSync('/usr/bin/xdg-open') && !fs.existsSync('/usr/local/bin/xdg-open'));
5051
+ if (isHeadless) {
5078
5052
  console.log(`${c.tip('[TIP]')} Open ${c.bright(openUrl)} in your browser to start using Pixcode.`);
5079
5053
  }
5054
+ else {
5055
+ try {
5056
+ const { spawn: spawnBrowser } = await import('node:child_process');
5057
+ const browserBin = process.platform === 'darwin' ? 'open'
5058
+ : process.platform === 'win32' ? 'cmd'
5059
+ : 'xdg-open';
5060
+ const browserArgs = process.platform === 'win32'
5061
+ ? ['/c', 'start', '', openUrl]
5062
+ : [openUrl];
5063
+ const child = spawnBrowser(browserBin, browserArgs, {
5064
+ stdio: 'ignore', timeout: 3000, detached: true, shell: false,
5065
+ });
5066
+ child.on('error', () => {
5067
+ // Browser binary not found or failed — non-fatal
5068
+ });
5069
+ child.unref();
5070
+ console.log(`${c.ok('[OK]')} Opening browser at ${c.bright(openUrl)}`);
5071
+ }
5072
+ catch {
5073
+ console.log(`${c.tip('[TIP]')} Open ${c.bright(openUrl)} in your browser to start using Pixcode.`);
5074
+ }
5075
+ }
5080
5076
  }
5081
5077
  console.log(`${c.tip('[TIP]')} Run "pixcode status" for full configuration details`);
5082
5078
  console.log('');