@pixelbyte-software/pixcode 1.54.1 → 1.54.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/assets/{index-CLO8YURv.js → index-CwwdokVl.js} +1 -1
- package/dist/index.html +1 -1
- package/dist-server/server/index.js +36 -40
- package/dist-server/server/index.js.map +1 -1
- package/dist-server/server/setup-wizard.js +15 -3
- package/dist-server/server/setup-wizard.js.map +1 -1
- package/package.json +1 -1
- package/server/index.js +36 -40
- package/server/setup-wizard.js +13 -3
package/dist/index.html
CHANGED
|
@@ -35,7 +35,7 @@
|
|
|
35
35
|
|
|
36
36
|
<!-- Prevent zoom on iOS -->
|
|
37
37
|
<meta name="format-detection" content="telephone=no" />
|
|
38
|
-
<script type="module" crossorigin src="/assets/index-
|
|
38
|
+
<script type="module" crossorigin src="/assets/index-CwwdokVl.js"></script>
|
|
39
39
|
<link rel="modulepreload" crossorigin href="/assets/vendor-react-DB6V5Fl1.js">
|
|
40
40
|
<link rel="modulepreload" crossorigin href="/assets/vendor-codemirror-CIYNS698.js">
|
|
41
41
|
<link rel="modulepreload" crossorigin href="/assets/vendor-xterm-C7tpxJl7.js">
|
|
@@ -1555,27 +1555,11 @@ app.disable('x-powered-by');
|
|
|
1555
1555
|
// running behind nginx/Caddy/etc. (needed for correct protocol detection
|
|
1556
1556
|
// in resolvePublicBaseUrl and for rate-limiting middleware if added later).
|
|
1557
1557
|
app.set('trust proxy', 1);
|
|
1558
|
-
//
|
|
1559
|
-
//
|
|
1560
|
-
|
|
1561
|
-
const envOrigins = process.env.CORS_ALLOWED_ORIGINS;
|
|
1562
|
-
if (envOrigins) {
|
|
1563
|
-
return envOrigins.split(',').map((o) => o.trim()).filter(Boolean);
|
|
1564
|
-
}
|
|
1565
|
-
const devPort = process.env.VITE_PORT || 5173;
|
|
1566
|
-
return [
|
|
1567
|
-
`http://localhost:${devPort}`,
|
|
1568
|
-
`http://127.0.0.1:${devPort}`,
|
|
1569
|
-
];
|
|
1570
|
-
})();
|
|
1558
|
+
// CORS: self-hosted tool accessed from various IPs/hostnames.
|
|
1559
|
+
// Reflect the requesting origin so IP-based access (e.g. http://85.235.74.198:3001)
|
|
1560
|
+
// works without configuration. Credentials needed for auth header passthrough.
|
|
1571
1561
|
app.use(cors({
|
|
1572
|
-
origin
|
|
1573
|
-
// Allow same-origin requests (no Origin header) and allowlisted origins.
|
|
1574
|
-
if (!origin || ALLOWED_CORS_ORIGINS.includes(origin)) {
|
|
1575
|
-
return callback(null, true);
|
|
1576
|
-
}
|
|
1577
|
-
return callback(null, false);
|
|
1578
|
-
},
|
|
1562
|
+
origin: true,
|
|
1579
1563
|
credentials: true,
|
|
1580
1564
|
exposedHeaders: ['X-Refreshed-Token'],
|
|
1581
1565
|
}));
|
|
@@ -1591,16 +1575,16 @@ app.use((req, res, next) => {
|
|
|
1591
1575
|
if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
|
|
1592
1576
|
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
1593
1577
|
}
|
|
1594
|
-
// CSP for the SPA shell —
|
|
1595
|
-
//
|
|
1596
|
-
//
|
|
1578
|
+
// CSP for the SPA shell — relaxed for self-hosted tool accessed from
|
|
1579
|
+
// various IPs/hostnames. 'unsafe-inline' + 'unsafe-eval' needed for Vite.
|
|
1580
|
+
// ws:/wss: in connect-src allows WebSocket from any origin (IP access).
|
|
1597
1581
|
res.setHeader('Content-Security-Policy', [
|
|
1598
1582
|
"default-src 'self'",
|
|
1599
1583
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval'",
|
|
1600
1584
|
"style-src 'self' 'unsafe-inline'",
|
|
1601
1585
|
"img-src 'self' data: blob: https:",
|
|
1602
1586
|
"font-src 'self' data:",
|
|
1603
|
-
"connect-src 'self' ws: wss:",
|
|
1587
|
+
"connect-src 'self' ws: wss: http: https:",
|
|
1604
1588
|
"frame-ancestors 'self'",
|
|
1605
1589
|
"base-uri 'self'",
|
|
1606
1590
|
"form-action 'self'",
|
|
@@ -5057,26 +5041,38 @@ async function startServer() {
|
|
|
5057
5041
|
restoreRequestedTunnel({ port: Number(SERVER_PORT) }).catch((err) => {
|
|
5058
5042
|
console.warn('[external-access] tunnel restore failed:', err?.message || err);
|
|
5059
5043
|
});
|
|
5060
|
-
// Auto-open browser unless explicitly disabled
|
|
5044
|
+
// Auto-open browser unless explicitly disabled or headless
|
|
5061
5045
|
if (process.env.PIXCODE_NO_BROWSER !== '1') {
|
|
5062
5046
|
const openUrl = `http://${DISPLAY_HOST}:${SERVER_PORT}`;
|
|
5063
|
-
|
|
5064
|
-
|
|
5065
|
-
|
|
5066
|
-
|
|
5067
|
-
|
|
5068
|
-
const browserBin = process.platform === 'darwin' ? 'open'
|
|
5069
|
-
: process.platform === 'win32' ? 'cmd'
|
|
5070
|
-
: 'xdg-open';
|
|
5071
|
-
const browserArgs = process.platform === 'win32'
|
|
5072
|
-
? ['/c', 'start', '', openUrl]
|
|
5073
|
-
: [openUrl];
|
|
5074
|
-
spawnBrowser(browserBin, browserArgs, { stdio: 'ignore', timeout: 3000, detached: true, shell: false }).unref();
|
|
5075
|
-
console.log(`${c.ok('[OK]')} Opening browser at ${c.bright(openUrl)}`);
|
|
5076
|
-
}
|
|
5077
|
-
catch {
|
|
5047
|
+
// Skip browser opening on headless servers (no DISPLAY on Linux,
|
|
5048
|
+
// or xdg-open not installed) — common for VPS/cloud deployments.
|
|
5049
|
+
const isHeadless = process.platform === 'linux' && (!process.env.DISPLAY || process.env.DISPLAY === '' ||
|
|
5050
|
+
!fs.existsSync('/usr/bin/xdg-open') && !fs.existsSync('/usr/local/bin/xdg-open'));
|
|
5051
|
+
if (isHeadless) {
|
|
5078
5052
|
console.log(`${c.tip('[TIP]')} Open ${c.bright(openUrl)} in your browser to start using Pixcode.`);
|
|
5079
5053
|
}
|
|
5054
|
+
else {
|
|
5055
|
+
try {
|
|
5056
|
+
const { spawn: spawnBrowser } = await import('node:child_process');
|
|
5057
|
+
const browserBin = process.platform === 'darwin' ? 'open'
|
|
5058
|
+
: process.platform === 'win32' ? 'cmd'
|
|
5059
|
+
: 'xdg-open';
|
|
5060
|
+
const browserArgs = process.platform === 'win32'
|
|
5061
|
+
? ['/c', 'start', '', openUrl]
|
|
5062
|
+
: [openUrl];
|
|
5063
|
+
const child = spawnBrowser(browserBin, browserArgs, {
|
|
5064
|
+
stdio: 'ignore', timeout: 3000, detached: true, shell: false,
|
|
5065
|
+
});
|
|
5066
|
+
child.on('error', () => {
|
|
5067
|
+
// Browser binary not found or failed — non-fatal
|
|
5068
|
+
});
|
|
5069
|
+
child.unref();
|
|
5070
|
+
console.log(`${c.ok('[OK]')} Opening browser at ${c.bright(openUrl)}`);
|
|
5071
|
+
}
|
|
5072
|
+
catch {
|
|
5073
|
+
console.log(`${c.tip('[TIP]')} Open ${c.bright(openUrl)} in your browser to start using Pixcode.`);
|
|
5074
|
+
}
|
|
5075
|
+
}
|
|
5080
5076
|
}
|
|
5081
5077
|
console.log(`${c.tip('[TIP]')} Run "pixcode status" for full configuration details`);
|
|
5082
5078
|
console.log('');
|