@sanctuary-framework/mcp-server 0.10.5 → 0.10.6
- package/dist/cli.cjs +22 -2
- package/dist/cli.cjs.map +1 -1
- package/dist/cli.js +22 -2
- package/dist/cli.js.map +1 -1
- package/dist/index.cjs +22 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +22 -2
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -6602,6 +6602,11 @@ function generateDashboardHTML(options) {
|
|
|
6602
6602
|
// SEC-038: Do NOT embed the long-lived auth token in page source.
|
|
6603
6603
|
// Use only the session token stored in sessionStorage by the login flow.
|
|
6604
6604
|
const AUTH_TOKEN = sessionStorage.getItem('authToken') || '';
|
|
6605
|
+
// v0.10.6: server-baked flag mirroring _autoAuthLocalhost. When true,
|
|
6606
|
+
// the init-time auth gate does NOT redirect to '/' on empty AUTH_TOKEN,
|
|
6607
|
+
// because the server already admitted this loopback caller without a
|
|
6608
|
+
// bearer token. See dashboard-html.ts generateDashboardHTML() doc.
|
|
6609
|
+
const LOOPBACK_AUTH = ${JSON.stringify(options.loopbackAutoAuth === true)};
|
|
6605
6610
|
const TIMEOUT_SECONDS = ${options.timeoutSeconds};
|
|
6606
6611
|
const API_BASE = '';
|
|
6607
6612
|
|
|
@@ -7709,7 +7714,13 @@ function generateDashboardHTML(options) {
|
|
|
7709
7714
|
|
|
7710
7715
|
// Initialize
|
|
7711
7716
|
async function initialize() {
|
|
7712
|
-
|
|
7717
|
+
// v0.10.6: gate on BOTH sessionStorage and the server-baked loopback
|
|
7718
|
+
// auto-auth mirror. Pre-fix, a fresh loopback tab had empty
|
|
7719
|
+
// sessionStorage.authToken AND was admitted by the server via
|
|
7720
|
+
// _autoAuthLocalhost \u2014 this single-operand gate redirected to '/'
|
|
7721
|
+
// which reloaded the same page, which redirected again, infinitely.
|
|
7722
|
+
// See generateDashboardHTML() header comment for full threat model.
|
|
7723
|
+
if (!AUTH_TOKEN && !LOOPBACK_AUTH) {
|
|
7713
7724
|
redirectToLogin();
|
|
7714
7725
|
return;
|
|
7715
7726
|
}
|
|
@@ -8735,7 +8746,11 @@ var DashboardApprovalChannel = class {
|
|
|
8735
8746
|
this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;
|
|
8736
8747
|
this.dashboardHTML = generateDashboardHTML({
|
|
8737
8748
|
timeoutSeconds: config.timeout_seconds,
|
|
8738
|
-
serverVersion: SANCTUARY_VERSION
|
|
8749
|
+
serverVersion: SANCTUARY_VERSION,
|
|
8750
|
+
// Construction-time default; real value is set by setAutoAuthLocalhost()
|
|
8751
|
+
// below (which regenerates this HTML). Default false preserves the
|
|
8752
|
+
// pre-v0.10.6 remote-deployment behavior when auto-auth is not enabled.
|
|
8753
|
+
loopbackAutoAuth: this._autoAuthLocalhost
|
|
8739
8754
|
});
|
|
8740
8755
|
this.loginHTML = generateLoginHTML({ serverVersion: SANCTUARY_VERSION });
|
|
8741
8756
|
this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 6e4);
|
|
@@ -8771,6 +8786,11 @@ var DashboardApprovalChannel = class {
|
|
|
8771
8786
|
*/
|
|
8772
8787
|
setAutoAuthLocalhost(enabled) {
|
|
8773
8788
|
this._autoAuthLocalhost = enabled;
|
|
8789
|
+
this.dashboardHTML = generateDashboardHTML({
|
|
8790
|
+
timeoutSeconds: this.config.timeout_seconds,
|
|
8791
|
+
serverVersion: SANCTUARY_VERSION,
|
|
8792
|
+
loopbackAutoAuth: this._autoAuthLocalhost
|
|
8793
|
+
});
|
|
8774
8794
|
}
|
|
8775
8795
|
/**
|
|
8776
8796
|
* v0.10.2: is this request from a loopback interface? We treat the
|