agent-relay-server 0.4.19 → 0.4.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-relay-server",
-  "version": "0.4.19",
+  "version": "0.4.21",
   "description": "Lightweight HTTP message relay for inter-agent communication across machines",
   "module": "src/index.ts",
   "type": "module",

package/public/dashboard.js

@@ -95,7 +95,7 @@
 
   function upsertById(list, item) {
     const idx = list.findIndex((existing) => existing.id === item.id);
-    if (idx >= 0) list[idx] = item;
+    if (idx >= 0) list.splice(idx, 1, item);
     else list.push(item);
   }
 
@@ -126,11 +126,18 @@
   function createLifecycleMethods() {
     return {
       async init() {
+        this.startClock();
+        watchPersistedPrefs(this);
+
+        try {
+          this.stats = await this.api("GET", "/stats");
+        } catch {
+          if (this.authNeeded) return;
+        }
+
         await this.refresh();
         this.connectSSE();
-        this.startClock();
         this.startAutoRefresh();
-        watchPersistedPrefs(this);
       },
 
       save(key, value) {
@@ -192,8 +199,13 @@
     registerTaskEvents(this, es);
   }
 
+  function baseUrl() {
+    const href = window.location.href.split("?")[0].split("#")[0];
+    return href.endsWith("/") ? href : href + "/";
+  }
+
   function buildEventsUrl(authToken) {
-    const eventUrl = new URL(window.location.origin + "/api/events");
+    const eventUrl = new URL("api/events", baseUrl());
     if (authToken) eventUrl.searchParams.set("token", authToken);
     return eventUrl.toString();
   }
@@ -258,7 +270,7 @@
           opts.body = JSON.stringify(body);
         }
 
-        const response = await fetch(window.location.origin + "/api" + path, opts);
+        const response = await fetch(new URL("api" + path, baseUrl()), opts);
         if (!response.ok) {
           if (response.status === 401) this.authNeeded = true;
           const text = await response.text();

package/public/index.html

@@ -102,7 +102,7 @@
     <div class="ar-sidebar-footer">
       <div class="d-flex align-items-center gap-2 mb-2">
         <span class="status-dot" :class="connected ? 'online' : 'offline'"></span>
-        <span class="small" x-text="connected ? 'Live' : 'Reconnecting…'"></span>
+        <span class="small" x-text="authNeeded ? 'Auth required' : connected ? 'Live' : 'Reconnecting…'"></span>
       </div>
       <div class="d-flex align-items-center gap-2 mb-2">
         <label class="form-check form-switch mb-0">
@@ -855,7 +855,7 @@
 <script src="https://cdn.jsdelivr.net/npm/@tabler/core@latest/dist/js/tabler.min.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/apexcharts@latest/dist/apexcharts.min.js"></script>
 <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3/dist/cdn.min.js"></script>
-<script src="/dashboard.js"></script>
+<script src="dashboard.js"></script>
 
 </body>
 </html>

package/src/security.ts

@@ -19,10 +19,21 @@ export function isOriginAllowed(req: Request): boolean {
   if (!origin) return true;
   const origins = corsOrigins();
   if (origins.includes("*")) return true;
+  if (origins.includes(origin)) return true;
 
   const url = new URL(req.url);
   const sameOrigin = `${url.protocol}//${url.host}`;
-  return origin === sameOrigin || origins.includes(origin);
+  if (origin === sameOrigin) return true;
+
+  // Behind a reverse proxy, req.url is the backend address (e.g. http://127.0.0.1:4850)
+  // while the browser sends the public origin. Check forwarded headers.
+  try {
+    const originHost = new URL(origin).host;
+    const fwdHost = req.headers.get("x-forwarded-host");
+    if (fwdHost && originHost === fwdHost) return true;
+  } catch {}
+
+  return false;
 }
 
 export function applyCors(req: Request, response: Response): Response {
@@ -117,7 +128,7 @@ export function unauthorized(req: Request): Response {
 }
 
 function authToken(): string {
-  return process.env.AGENT_RELAY_TOKEN || AUTH_TOKEN;
+  return process.env.AGENT_RELAY_TOKEN ?? AUTH_TOKEN;
 }
 
 function extractToken(req: Request): string | null {