@thingd/cli 0.44.2 → 0.44.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/dashboard/server.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAqErD,wBAAsB,oBAAoB,CACxC,iBAAiB,EAAE,iBAAiB,EACpC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,WAAW,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,CAAC,CA6b7E"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/dashboard/server.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAqErD,wBAAsB,oBAAoB,CACxC,iBAAiB,EAAE,iBAAiB,EACpC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,WAAW,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,CAAC,CAsc7E"}
@@ -81,7 +81,7 @@ export async function startDashboardServer(connectionOptions, port) {
81
81
  const url = new URL(req.url || "", `http://${req.headers.host || "localhost"}`);
82
82
  const pathname = url.pathname;
83
83
  // Handle CORS for ease of developer integrations
84
- const allowedOrigins = ["http://localhost:8757", "http://localhost:8758"];
84
+ const allowedOrigins = ["http://localhost:8757", "http://localhost:8758", "http://127.0.0.1:8757", "http://127.0.0.1:8758"];
85
85
  const origin = req.headers.origin;
86
86
  if (origin && allowedOrigins.includes(origin)) {
87
87
  res.setHeader("Access-Control-Allow-Origin", origin);
@@ -96,6 +96,14 @@ export async function startDashboardServer(connectionOptions, port) {
96
96
  res.end();
97
97
  return;
98
98
  }
99
+ // CSRF protection: state-changing requests must come from a known origin
100
+ if (req.method !== "GET" && req.method !== "OPTIONS" && req.method !== "HEAD") {
101
+ const requestOrigin = req.headers.origin;
102
+ if (requestOrigin && !allowedOrigins.includes(requestOrigin)) {
103
+ sendError(res, 403, "Cross-origin state-changing requests are not allowed");
104
+ return;
105
+ }
106
+ }
99
107
  // Security Gate middleware for API endpoints
100
108
  const isApiRoute = pathname.startsWith("/api/");
101
109
  const isConnectRoute = pathname === "/api/connect";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@thingd/cli",
3
- "version": "0.44.2",
3
+ "version": "0.44.3",
4
4
  "description": "CLI, Interactive TUI Dashboard, and MCP server for thingd — a fast object-first data engine for applications and AI agents.",
5
5
  "type": "module",
6
6
  "homepage": "https://engine.thingd.cloud",
@@ -45,7 +45,7 @@
45
45
  "cli-table3": "^0.6.5",
46
46
  "picocolors": "^1.1.1",
47
47
  "zod": "^4.4.3",
48
- "@thingd/sdk": "0.44.2"
48
+ "@thingd/sdk": "0.44.3"
49
49
  },
50
50
  "engines": {
51
51
  "node": ">=24.0.0"