@sanctuary-framework/mcp-server 0.10.4 → 0.10.6

package/dist/index.cjs

@@ -6605,6 +6605,11 @@ function generateDashboardHTML(options) {
     // SEC-038: Do NOT embed the long-lived auth token in page source.
     // Use only the session token stored in sessionStorage by the login flow.
     const AUTH_TOKEN = sessionStorage.getItem('authToken') || '';
+    // v0.10.6: server-baked flag mirroring _autoAuthLocalhost. When true,
+    // the init-time auth gate does NOT redirect to '/' on empty AUTH_TOKEN,
+    // because the server already admitted this loopback caller without a
+    // bearer token. See dashboard-html.ts generateDashboardHTML() doc.
+    const LOOPBACK_AUTH = ${JSON.stringify(options.loopbackAutoAuth === true)};
     const TIMEOUT_SECONDS = ${options.timeoutSeconds};
     const API_BASE = '';
 
@@ -7009,11 +7014,20 @@ function generateDashboardHTML(options) {
 
     // SSE Setup
     function setupSSE() {
-      const eventSource = new EventSource(API_BASE + '/api/events', {
-        headers: {
-          'Authorization': 'Bearer ' + AUTH_TOKEN,
-        },
-      });
+      // v0.10.5: the standard browser EventSource API does not support a
+      // headers option \u2014 it is silently dropped. Auth must travel as a
+      // cookie (set by /auth/session and sent automatically by the
+      // browser) or as a ?session= query parameter, both of which Stack
+      // A's checkAuth honours. Loopback callers also bypass auth via the
+      // v0.10.2 _autoAuthLocalhost path, which is the path moltbook
+      // hits when the dashboard is auto-opened on 127.0.0.1.
+      //
+      // The endpoint itself is /events \u2014 Stack A's route table mounts it
+      // there, and the previous /api/events URL was a 404 in every real
+      // boot from v0.10.0 through v0.10.4. The retry loop that result
+      // produced is exactly the "status bar flashing blue continuously"
+      // moltbook reported on v0.10.4.
+      const eventSource = new EventSource(API_BASE + '/events');
 
       eventSource.addEventListener('init', (e) => {
         console.log('Connected to SSE');
@@ -7703,7 +7717,13 @@ function generateDashboardHTML(options) {
 
     // Initialize
     async function initialize() {
-      if (!AUTH_TOKEN) {
+      // v0.10.6: gate on BOTH sessionStorage and the server-baked loopback
+      // auto-auth mirror. Pre-fix, a fresh loopback tab had empty
+      // sessionStorage.authToken AND was admitted by the server via
+      // _autoAuthLocalhost \u2014 this single-operand gate redirected to '/'
+      // which reloaded the same page, which redirected again, infinitely.
+      // See generateDashboardHTML() header comment for full threat model.
+      if (!AUTH_TOKEN && !LOOPBACK_AUTH) {
         redirectToLogin();
         return;
       }
@@ -8729,7 +8749,11 @@ var DashboardApprovalChannel = class {
     this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
     this.dashboardHTML = generateDashboardHTML({
       timeoutSeconds: config.timeout_seconds,
-      serverVersion: SANCTUARY_VERSION
+      serverVersion: SANCTUARY_VERSION,
+      // Construction-time default; real value is set by setAutoAuthLocalhost()
+      // below (which regenerates this HTML). Default false preserves the
+      // pre-v0.10.6 remote-deployment behavior when auto-auth is not enabled.
+      loopbackAutoAuth: this._autoAuthLocalhost
     });
     this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
     this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
@@ -8765,6 +8789,11 @@ var DashboardApprovalChannel = class {
    */
   setAutoAuthLocalhost(enabled) {
     this._autoAuthLocalhost = enabled;
+    this.dashboardHTML = generateDashboardHTML({
+      timeoutSeconds: this.config.timeout_seconds,
+      serverVersion: SANCTUARY_VERSION,
+      loopbackAutoAuth: this._autoAuthLocalhost
+    });
   }
   /**
    * v0.10.2: is this request from a loopback interface? We treat the