@sanctuary-framework/mcp-server 0.10.5 → 0.10.6
- package/dist/cli.cjs +22 -2
- package/dist/cli.cjs.map +1 -1
- package/dist/cli.js +22 -2
- package/dist/cli.js.map +1 -1
- package/dist/index.cjs +22 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +22 -2
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
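--- a/package/dist/cli.cjs
+++ b/package/dist/cli.cjs
@@ -6715,6 +6715,11 @@ function generateDashboardHTML(options) {
 // SEC-038: Do NOT embed the long-lived auth token in page source.
 // Use only the session token stored in sessionStorage by the login flow.
 const AUTH_TOKEN = sessionStorage.getItem('authToken') || '';
+// v0.10.6: server-baked flag mirroring _autoAuthLocalhost. When true,
+// the init-time auth gate does NOT redirect to '/' on empty AUTH_TOKEN,
+// because the server already admitted this loopback caller without a
+// bearer token. See dashboard-html.ts generateDashboardHTML() doc.
+const LOOPBACK_AUTH = ${JSON.stringify(options.loopbackAutoAuth === true)};
 const TIMEOUT_SECONDS = ${options.timeoutSeconds};
 const API_BASE = '';
 
@@ -7822,7 +7827,13 @@ function generateDashboardHTML(options) {
 
 // Initialize
 async function initialize() {
-
+// v0.10.6: gate on BOTH sessionStorage and the server-baked loopback
+// auto-auth mirror. Pre-fix, a fresh loopback tab had empty
+// sessionStorage.authToken AND was admitted by the server via
+// _autoAuthLocalhost \u2014 this single-operand gate redirected to '/'
+// which reloaded the same page, which redirected again, infinitely.
+// See generateDashboardHTML() header comment for full threat model.
+if (!AUTH_TOKEN && !LOOPBACK_AUTH) {
 redirectToLogin();
 return;
 }
@@ -8867,7 +8878,11 @@ var init_dashboard = __esm({
 this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
 this.dashboardHTML = generateDashboardHTML({
 timeoutSeconds: config.timeout_seconds,
-serverVersion: SANCTUARY_VERSION
+serverVersion: SANCTUARY_VERSION,
+// Construction-time default; real value is set by setAutoAuthLocalhost()
+// below (which regenerates this HTML). Default false preserves the
+// pre-v0.10.6 remote-deployment behavior when auto-auth is not enabled.
+loopbackAutoAuth: this._autoAuthLocalhost
 });
 this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
 this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
@@ -8903,6 +8918,11 @@ var init_dashboard = __esm({
 */
 setAutoAuthLocalhost(enabled) {
 this._autoAuthLocalhost = enabled;
+this.dashboardHTML = generateDashboardHTML({
+timeoutSeconds: this.config.timeout_seconds,
+serverVersion: SANCTUARY_VERSION,
+loopbackAutoAuth: this._autoAuthLocalhost
+});
 }
 /**
 * v0.10.2: is this request from a loopback interface? We treat the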
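Review bot: `LOOPBACK_AUTH` is rendered once into the cached `this.dashboardHTML` from the server-wide `_autoAuthLocalhost` setting, so every client that receives the page has the `if (!AUTH_TOKEN && !LOOPBACK_AUTH)` gate in `initialize()` switched off, not only loopback callers. The server's admission appears to be decided per request (the `v0.10.2` loopback comment that closes the last hunk starts such a check, whose body is outside this section), so a non-loopback browser with no session token would presumably stay on a dashboard whose API calls are refused instead of being sent to the login page. The gate is a convenience redirect rather than an access control, and I would say so beside it, e.g. `// UX redirect only; the server still authenticates every API request`, provided that is true of the handlers not shown here. `setAutoAuthLocalhost()` also repeats the constructor's option object; a small private helper that builds the HTML from `this.config` and `this._autoAuthLocalhost` would keep the two calls from drifting.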