@sanctuary-framework/mcp-server 0.10.5 → 0.10.6
- package/dist/cli.cjs +22 -2
- package/dist/cli.cjs.map +1 -1
- package/dist/cli.js +22 -2
- package/dist/cli.js.map +1 -1
- package/dist/index.cjs +22 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +22 -2
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
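--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -6605,6 +6605,11 @@ function generateDashboardHTML(options) {
 // SEC-038: Do NOT embed the long-lived auth token in page source.
 // Use only the session token stored in sessionStorage by the login flow.
 const AUTH_TOKEN = sessionStorage.getItem('authToken') || '';
+// v0.10.6: server-baked flag mirroring _autoAuthLocalhost. When true,
+// the init-time auth gate does NOT redirect to '/' on empty AUTH_TOKEN,
+// because the server already admitted this loopback caller without a
+// bearer token. See dashboard-html.ts generateDashboardHTML() doc.
+const LOOPBACK_AUTH = ${JSON.stringify(options.loopbackAutoAuth === true)};
 const TIMEOUT_SECONDS = ${options.timeoutSeconds};
 const API_BASE = '';
 
@@ -7712,7 +7717,13 @@ function generateDashboardHTML(options) {
 
 // Initialize
 async function initialize() {
-
+// v0.10.6: gate on BOTH sessionStorage and the server-baked loopback
+// auto-auth mirror. Pre-fix, a fresh loopback tab had empty
+// sessionStorage.authToken AND was admitted by the server via
+// _autoAuthLocalhost \u2014 this single-operand gate redirected to '/'
+// which reloaded the same page, which redirected again, infinitely.
+// See generateDashboardHTML() header comment for full threat model.
+if (!AUTH_TOKEN && !LOOPBACK_AUTH) {
 redirectToLogin();
 return;
 }
@@ -8738,7 +8749,11 @@ var DashboardApprovalChannel = class {
 this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
 this.dashboardHTML = generateDashboardHTML({
 timeoutSeconds: config.timeout_seconds,
-serverVersion: SANCTUARY_VERSION
+serverVersion: SANCTUARY_VERSION,
+// Construction-time default; real value is set by setAutoAuthLocalhost()
+// below (which regenerates this HTML). Default false preserves the
+// pre-v0.10.6 remote-deployment behavior when auto-auth is not enabled.
+loopbackAutoAuth: this._autoAuthLocalhost
 });
 this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
 this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
@@ -8774,6 +8789,11 @@ var DashboardApprovalChannel = class {
 */
 setAutoAuthLocalhost(enabled) {
 this._autoAuthLocalhost = enabled;
+this.dashboardHTML = generateDashboardHTML({
+timeoutSeconds: this.config.timeout_seconds,
+serverVersion: SANCTUARY_VERSION,
+loopbackAutoAuth: this._autoAuthLocalhost
+});
 }
 /**
 * v0.10.2: is this request from a loopback interface? We treat the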
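Review bot: In the setAutoAuthLocalhost hunk the regenerated options read `this.config.timeout_seconds`, whereas the constructor hunk a few lines earlier reads `config.timeout_seconds` from its parameter; if the constructor does not also keep `this.config` (not visible in this diff), the first toggle throws a TypeError before the dashboard is rebuilt, and since this file is bundler output the check belongs in the TypeScript source it is built from. The constructor and the setter now assemble the same generateDashboardHTML options twice, and the flag they bake in feeds an auth gate, so a single `_rebuildDashboardHTML()` helper would keep the two call sites from drifting. Because the baked LOOPBACK_AUTH is one HTML string served to every client, the `if (!AUTH_TOKEN && !LOOPBACK_AUTH)` gate in initialize() no longer tells loopback and remote callers apart; that is only safe while the server keeps its per-request loopback admission, which the 6608–6611 page comment asserts but the setter does not, so a one-line comment there such as `// Baked flag is UX only; per-request loopback admission stays server-side.` would keep the next maintainer from treating it as a boundary. The old line 7715 that the new condition replaces is not rendered on this page, so the pre-fix condition is inferred from the surrounding comment rather than seen.
```javascript
  // … unchanged: constructor body up to this.sessionTTLMs …
  this.config = config; // only if the constructor does not already keep it
  this._rebuildDashboardHTML();
  // … unchanged: this.loginHTML, this.sessionCleanupTimer …

  setAutoAuthLocalhost(enabled) {
    this._autoAuthLocalhost = enabled;
    this._rebuildDashboardHTML();
  }

  // Single place that bakes the loopback auto-auth mirror into the page, so the
  // construction-time default and the runtime toggle cannot disagree. The baked
  // flag is UX only; per-request loopback admission stays server-side.
  _rebuildDashboardHTML() {
    this.dashboardHTML = generateDashboardHTML({
      timeoutSeconds: this.config.timeout_seconds,
      serverVersion: SANCTUARY_VERSION,
      loopbackAutoAuth: this._autoAuthLocalhost
    });
  }
```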