npm - bloby-bot - Versions diffs - 0.53.0 → 0.53.2 - Mend

bloby-bot 0.53.0 → 0.53.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/supervisor/index.ts +10 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bloby-bot",
-  "version": "0.53.0",
+  "version": "0.53.2",
   "releaseNotes": [
     "1. New Morphy animation system: config-driven sprites loaded from /morphy/*.json",
     "2. Swapped teleporting (splash) and headphones (bubble + chat) to the new format",

package/supervisor/index.ts CHANGED Viewed

@@ -395,7 +395,9 @@ export async function startSupervisor() {
     'GET /api/portal/validate-token',
     'GET /api/onboard/status',
     'GET /api/health',
-    'POST /api/onboard',
+    // NOTE: 'POST /api/onboard' is intentionally NOT blanket-exempt. It is gated in the
+    // request handler below: open on genuine first run (no portal_pass yet), token-required
+    // afterward. Re-onboard from the dashboard uses the internal x-internal WS path.
     'GET /api/push/vapid-public-key',
     'GET /api/push/status',
     'POST /api/auth/claude/start',
@@ -1596,7 +1598,13 @@ mint();
         // Auth check for mutation routes (POST/PUT/DELETE) — GET/HEAD are read-only, skip auth
         const method = req.method || 'GET';
         if (method !== 'GET' && method !== 'HEAD' && !isExemptRoute(method, req.url || '')) {
-          const needsAuth = await isAuthRequired();
+          // POST /api/onboard is open only on genuine first run (no portal_pass yet). Read the
+          // setting DIRECTLY rather than the 30s-cached isAuthRequired() so the gate closes the
+          // instant onboarding sets a password — no stale-cache window for a takeover. The
+          // dashboard's own re-onboard goes through the internal x-internal WS path (isInternal
+          // above), so it never reaches here. All other routes keep using the cached check.
+          const isOnboard = method === 'POST' && (req.url || '').split('?')[0] === '/api/onboard';
+          const needsAuth = isOnboard ? !!getSetting('portal_pass') : await isAuthRequired();
           if (needsAuth) {
             const authHeader = req.headers['authorization'];
             const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null;