@sanctuary-framework/mcp-server 0.10.5 → 0.10.6
- package/dist/cli.cjs +22 -2
- package/dist/cli.cjs.map +1 -1
- package/dist/cli.js +22 -2
- package/dist/cli.js.map +1 -1
- package/dist/index.cjs +22 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +22 -2
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
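--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -6712,6 +6712,11 @@ function generateDashboardHTML(options) {
 // SEC-038: Do NOT embed the long-lived auth token in page source.
 // Use only the session token stored in sessionStorage by the login flow.
 const AUTH_TOKEN = sessionStorage.getItem('authToken') || '';
+// v0.10.6: server-baked flag mirroring _autoAuthLocalhost. When true,
+// the init-time auth gate does NOT redirect to '/' on empty AUTH_TOKEN,
+// because the server already admitted this loopback caller without a
+// bearer token. See dashboard-html.ts generateDashboardHTML() doc.
+const LOOPBACK_AUTH = ${JSON.stringify(options.loopbackAutoAuth === true)};
 const TIMEOUT_SECONDS = ${options.timeoutSeconds};
 const API_BASE = '';
 
@@ -7819,7 +7824,13 @@ function generateDashboardHTML(options) {
 
 // Initialize
 async function initialize() {
-
+// v0.10.6: gate on BOTH sessionStorage and the server-baked loopback
+// auto-auth mirror. Pre-fix, a fresh loopback tab had empty
+// sessionStorage.authToken AND was admitted by the server via
+// _autoAuthLocalhost \u2014 this single-operand gate redirected to '/'
+// which reloaded the same page, which redirected again, infinitely.
+// See generateDashboardHTML() header comment for full threat model.
+if (!AUTH_TOKEN && !LOOPBACK_AUTH) {
 redirectToLogin();
 return;
 }
@@ -8864,7 +8875,11 @@ var init_dashboard = __esm({
 this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
 this.dashboardHTML = generateDashboardHTML({
 timeoutSeconds: config.timeout_seconds,
-serverVersion: SANCTUARY_VERSION
+serverVersion: SANCTUARY_VERSION,
+// Construction-time default; real value is set by setAutoAuthLocalhost()
+// below (which regenerates this HTML). Default false preserves the
+// pre-v0.10.6 remote-deployment behavior when auto-auth is not enabled.
+loopbackAutoAuth: this._autoAuthLocalhost
 });
 this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
 this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
@@ -8900,6 +8915,11 @@ var init_dashboard = __esm({
 */
 setAutoAuthLocalhost(enabled) {
 this._autoAuthLocalhost = enabled;
+this.dashboardHTML = generateDashboardHTML({
+timeoutSeconds: this.config.timeout_seconds,
+serverVersion: SANCTUARY_VERSION,
+loopbackAutoAuth: this._autoAuthLocalhost
+});
 }
 /**
 * v0.10.2: is this request from a loopback interface? We treat the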
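Review bot: `LOOPBACK_AUTH` is baked into the single cached `this.dashboardHTML` string by `setAutoAuthLocalhost()`, so it mirrors a server-wide setting and every client served this page receives the same value, not only the loopback caller that the comment above the constant describes. The `if (!AUTH_TOKEN && !LOOPBACK_AUTH)` gate in `initialize()` is therefore only a redirect hint, not an access check. If a non-loopback client can be served this HTML while auto-auth is on (not visible in these hunks), it skips the login redirect and relies entirely on the server rejecting its token-less API calls. I would say so next to the constant, e.g. `// UX hint only: the server still decides per request from the peer address; an API 401 must call redirectToLogin().`, and confirm that the page's fetch error path, which lies outside these hunks, does that. Separately, the setter reads `this.config.timeout_seconds` while the constructor reads the local `config`, and whether `this.config` is assigned is not visible here; a shared private render helper would keep the two option lists from drifting apart.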