@technotalim-org/console-cli 1.3.0 → 1.3.1

@@ -0,0 +1,19 @@
1
+ import open from 'open';
2
+ /**
3
+ * Open a URL in the user's browser — but ONLY if it's a real http(s) URL.
4
+ * Some values handed to this (the device verification URL, a site's live URL)
5
+ * come from the server; a non-URL string could otherwise be interpreted by the
6
+ * OS opener as a local file or application. This guard makes that impossible.
7
+ */
8
+ export async function safeOpen(target) {
9
+ let u;
10
+ try {
11
+ u = new URL(target);
12
+ }
13
+ catch {
14
+ return; // not a URL — refuse to open
15
+ }
16
+ if (u.protocol !== 'https:' && u.protocol !== 'http:')
17
+ return;
18
+ await open(u.toString());
19
+ }
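Review bot: safeOpen resolves to undefined both when it launched the browser and when it refused the target, so callers cannot tell a rejected value from a success. In the openCommand hunk the `Opening …` line is logged and then nothing happens, and the login fallbacks that sit in `catch` never run for a refusal. Returning a boolean stays compatible with the existing `await safeOpen(...)` calls: `return false;` on the two refusal paths and `return true;` after `await open(u.toString());`. The docstring's "makes that impossible" also claims more than the check delivers, since only the scheme is restricted; a more accurate closing sentence is `Anything that is not an http(s) URL is refused; the host is not validated.`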
@@ -4,8 +4,8 @@
4
4
  // the PKCE verifier) for the long-lived cli_token.
5
5
  import http from 'http';
6
6
  import os from 'os';
7
- import open from 'open';
8
7
  import pc from 'picocolors';
8
+ import { safeOpen } from '../browser.js';
9
9
  import { CONFIG } from '../config.js';
10
10
  import { genVerifier, challengeFor, genState } from '../pkce.js';
11
11
  import { saveCredentials, credentialsPath } from '../credentials.js';
@@ -84,7 +84,7 @@ export async function loginCommand(opts = {}) {
84
84
  log.info('\nOpening your browser to authorize…');
85
85
  log.dim(`If it doesn't open, visit:\n${authorizeUrl.toString()}\n`);
86
86
  try {
87
- await open(authorizeUrl.toString());
87
+ await safeOpen(authorizeUrl.toString());
88
88
  }
89
89
  catch {
90
90
  /* the user can copy the URL above */
@@ -136,7 +136,7 @@ async function deviceLogin() {
136
136
  log.info(`and enter the code: ${pc.bold(start.user_code)}\n`);
137
137
  try {
138
138
  if (start.verification_uri_complete)
139
- await open(start.verification_uri_complete);
139
+ await safeOpen(start.verification_uri_complete);
140
140
  }
141
141
  catch {
142
142
  /* user can navigate manually */
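Review bot: `start.verification_uri_complete` comes from the server response and safeOpen only checks its scheme, so this call still launches the browser at whatever http(s) host the response names, plain http included. Before opening, compare the parsed origin with the authorization server the CLI is configured for, e.g. `if (new URL(start.verification_uri_complete).origin === EXPECTED_ORIGIN) await safeOpen(start.verification_uri_complete);`. EXPECTED_ORIGIN is a placeholder for the matching CONFIG value, which is not visible in this hunk. A `new URL` failure would land in the existing `catch`, which already leaves the user to navigate manually. deviceLogin starts and ends outside the hunk.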
@@ -1,5 +1,5 @@
1
1
  // `technotalim open` — open the linked site's live URL in the browser.
2
- import open from 'open';
2
+ import { safeOpen } from '../browser.js';
3
3
  import { apiGet } from '../api.js';
4
4
  import { loadProject } from '../projectconfig.js';
5
5
  import { log, fail } from '../util.js';
@@ -16,5 +16,5 @@ export async function openCommand(opts) {
16
16
  return fail('Could not resolve a live URL for this site yet.');
17
17
  const url = `https://${site.domain}`;
18
18
  log.info(`Opening ${url}`);
19
- await open(url);
19
+ await safeOpen(url);
20
20
  }
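Review bot: `site.domain` is interpolated straight into the URL string, and a value that is not a bare hostname (one carrying a path, port or userinfo part) still parses as a valid https URL, so safeOpen will accept it. Parse once and confirm the host is what was supplied before logging or opening: `const parsed = new URL(url);` followed by `if (parsed.hostname !== String(site.domain).toLowerCase()) return fail('Unexpected site domain.');`. The error text there is a suggestion; the file's existing `fail` helper is already imported. How `site` is fetched is outside this hunk, and openCommand starts above it.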
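--- a/package/dist/config.js
+++ b/package/dist/config.js
@@ -7,5 +7,5 @@ export const CONFIG = {
  scope: 'hosting.deploy',
  // Env var used to pass a CI token in headless environments.
  ciTokenEnv: 'TECHNOTALIM_TOKEN',
- version: '1.3.0',
+ version: '1.3.1',
  };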
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@technotalim-org/console-cli",
3
- "version": "1.3.0",
3
+ "version": "1.3.1",
4
4
  "description": "Deploy your TechnoTaLim-hosted websites from the command line.",
5
5
  "type": "module",
6
6
  "bin": {