npm - @wopr-network/defcon - Versions diffs - 1.2.2 → 1.3.0 - Mend

@wopr-network/defcon 1.2.2 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/src/api/server.d.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export interface HttpServerDeps {
     mcpDeps: McpServerDeps;
     adminToken?: string;
     workerToken?: string;
-    corsOrigin?: string;
+    corsOrigins?: string[];
     logger?: Logger;
 }
 export declare function createHttpServer(deps: HttpServerDeps): http.Server;

package/dist/src/api/server.js CHANGED Viewed

@@ -282,8 +282,8 @@ export function createHttpServer(deps) {
             const isLoopbackOrigin = /^https?:\/\/localhost(:\d+)?$/.test(origin) ||
                 /^https?:\/\/127\.0\.0\.1(:\d+)?$/.test(origin) ||
                 /^https?:\/\/\[::1\](:\d+)?$/.test(origin);
-            const corsAllowed = deps.corsOrigin
-                ? origin === deps.corsOrigin // explicit origin: exact match only
+            const corsAllowed = deps.corsOrigins
+                ? deps.corsOrigins.includes(origin) // explicit origins: set membership check
                 : isLoopbackOrigin; // loopback mode: only reflect loopback origins
             if (corsAllowed) {
                 res.setHeader("Vary", "Origin");

package/dist/src/cors.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 export interface CorsOriginResult {
-    /** Explicit allowed origin, or null meaning "loopback-only default pattern" */
-    origin: string | null;
+    /** Explicit allowed origins, or null meaning "loopback-only default pattern" */
+    origins: string[] | null;
 }
 export declare function resolveCorsOrigin(opts: {
     host: string;

package/dist/src/cors.js CHANGED Viewed

@@ -2,20 +2,27 @@ const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
 export function resolveCorsOrigin(opts) {
     const corsValue = opts.corsEnv?.trim() || undefined;
     const isLoopback = LOOPBACK_HOSTS.has(opts.host);
-    // If explicit origin provided, validate and use it
+    // If explicit origins provided, validate each and use them
     if (corsValue) {
-        if (!/^https?:\/\/[^/]+$/.test(corsValue)) {
-            throw new Error(`DEFCON_CORS_ORIGIN must be a bare origin like https://app.example.com, not ${corsValue}. ` +
-                "Remove any path component or trailing slash.");
+        const entries = corsValue
+            .split(",")
+            .map((s) => s.trim())
+            .filter(Boolean);
+        for (const entry of entries) {
+            if (!/^https?:\/\/[^/]+$/.test(entry)) {
+                throw new Error(`DEFCON_CORS_ORIGIN must be bare origins like https://app.example.com (comma-separated for multiple), not ${entry}. ` +
+                    "Remove any path component or trailing slash.");
+            }
         }
-        return { origin: corsValue };
+        return { origins: entries };
     }
     // Non-loopback without explicit origin — refuse to start
     if (!isLoopback) {
         throw new Error(`DEFCON_CORS_ORIGIN must be set when binding to non-loopback address "${opts.host}". ` +
             "Without an explicit CORS origin, any website on the network can make cross-origin requests to this server. " +
-            'Set DEFCON_CORS_ORIGIN to the allowed origin (e.g. "https://my-app.example.com") or use a loopback address.');
+            'Set DEFCON_CORS_ORIGIN to the allowed origin (e.g. "https://my-app.example.com") or use a loopback address. ' +
+            "Multiple origins can be separated by commas.");
     }
     // Loopback without explicit origin — use default pattern
-    return { origin: null };
+    return { origins: null };
 }

package/dist/src/execution/cli.js CHANGED Viewed

@@ -243,7 +243,7 @@ program
             mcpDeps: deps,
             adminToken,
             workerToken,
-            corsOrigin: restCorsResult.origin ?? undefined,
+            corsOrigins: restCorsResult.origins ?? undefined,
         });
         if (adminToken) {
             const wsBroadcaster = new WebSocketBroadcaster({
@@ -278,16 +278,13 @@ program
             sqlite.close();
             process.exit(1);
         }
-        const allowedOriginPattern = corsResult.origin
-            ? corsResult.origin // exact string match
-            : /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/; // loopback default
+        const allowedOriginSet = corsResult.origins ? new Set(corsResult.origins) : null;
+        const loopbackPattern = /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;
         const httpServer = http.createServer(async (req, res) => {
             // CORS: restrict to localhost origins when bound to loopback; require DEFCON_CORS_ORIGIN when bound to non-loopback
             const origin = req.headers.origin;
             if (origin) {
-                const originAllowed = typeof allowedOriginPattern === "string"
-                    ? origin === allowedOriginPattern
-                    : allowedOriginPattern.test(origin);
+                const originAllowed = allowedOriginSet ? allowedOriginSet.has(origin) : loopbackPattern.test(origin);
                 if (originAllowed) {
                     res.setHeader("Vary", "Origin");
                     res.setHeader("Access-Control-Allow-Origin", origin);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/defcon",
-  "version": "1.2.2",
+  "version": "1.3.0",
   "type": "module",
   "packageManager": "pnpm@9.15.4",
   "engines": {