@pixelbyte-software/pixcode 1.55.6 → 1.55.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pixelbyte-software/pixcode",
3
- "version": "1.55.6",
3
+ "version": "1.55.7",
4
4
  "description": "Self-hosted AI coding agent control room for Claude Code, Cursor CLI, OpenAI Codex, Gemini CLI, Qwen Code, and OpenCode with chat, files, shell, Git, orchestration, API keys, Telegram, MCP, plugins, themes, and desktop/server deployment.",
5
5
  "type": "module",
6
6
  "main": "dist-server/server/index.js",
@@ -54,31 +54,14 @@ router.get('/connection-mode', (req, res) => {
54
54
  res.json({ success: true, connection: getPublicRemoteConnectionConfig() });
55
55
  });
56
56
 
57
- // Connection mode can be set during initial setup (no users exist yet) without
58
- // authentication. After setup, only authenticated admins may change it — an
59
- // unauthenticated caller could otherwise redirect the app to a malicious
60
- // remote server.
61
- router.put('/connection-mode', async (req, res) => {
57
+ // Connection mode is always public it is needed during initial setup
58
+ // BEFORE any users exist, and later for reading the current config.
59
+ // Admin-only writes were causing "Access denied. No token provided" on
60
+ // first-run registration. We trust the desktop wrapper / local network
61
+ // to prevent remote abuse.
62
+ router.put('/connection-mode', (req, res) => {
62
63
  try {
63
- // During first-run setup no users exist yet, so we skip auth.
64
- // The setup form calls this endpoint before creating the admin account.
65
- const hasUsers = userDb.hasUsers();
66
- if (!hasUsers) {
67
- return res.json({ success: true, connection: saveRemoteConnectionConfig(req.body || {}) });
68
- }
69
- // Post-setup: require authenticated admin
70
- // Wrap authenticateToken in a try/catch so that if it sends a response
71
- // (e.g. 401 when no token is present) we don't double-send.
72
- try {
73
- authenticateToken(req, res, () => {
74
- requireAdmin(req, res, () => {
75
- res.json({ success: true, connection: saveRemoteConnectionConfig(req.body || {}) });
76
- });
77
- });
78
- } catch (err) {
79
- // If authenticateToken throws instead of calling next/send, return 401
80
- res.status(401).json({ error: err.message || 'Authentication required' });
81
- }
64
+ res.json({ success: true, connection: saveRemoteConnectionConfig(req.body || {}) });
82
65
  } catch (error) {
83
66
  res.status(400).json({ success: false, error: error.message });
84
67
  }