npm - connectbase-client - Versions diffs - 3.29.0 → 3.31.0 - Mend

connectbase-client 3.29.0 → 3.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -3,6 +3,30 @@
 본 SDK 의 모든 주요 변경사항을 [Keep a Changelog](https://keepachangelog.com/ko/1.1.0/) 형식으로 기록합니다.
 버전은 [Semantic Versioning](https://semver.org/lang/ko/) 을 따릅니다.
+## [3.31.0] - 2026-06-05
+### Added — OAuth 리다이렉트 콜백 **부팅 자동 소비** 안전망
+소셜 로그인(구글 등) 리다이렉트 후 "로그인했는데 자꾸 로그인 페이지로 되돌아오는" 무한 루프를
+SDK 레벨에서 차단한다. 여러 사용자가 동시에 보고한 회귀의 근본 안전망.
+- **근본 원인**: 리다이렉트 방식은 콜백 URL(`?access_token=&refresh_token=&member_id=`)에서
+  앱이 `cb.oauth.getCallbackResult()` 를 호출해야 토큰이 적재되고 cookie 가 부트스트랩된다.
+  그런데 정적 호스팅(웹 스토리지)은 SPA fallback 으로 `/auth/callback` 같은 경로에 홈
+  `index.html` 을 서빙하므로, 앱이 콜백 처리 코드를 빠뜨리면 URL 토큰이 **영영 소비되지 않아**
+  세션이 확립되지 않고 인증 가드가 다시 로그인으로 되돌린다.
+- **변경**: `new ConnectBase()` 생성자가 토큰-in-URL 리다이렉트 콜백(팝업 제외)을 감지하면
+  `oauth.consumeRedirectCallbackOnBoot()` 를 boot-restore promise 로 등록해 **자동으로 토큰을
+  적재 + cookie 부트스트랩**한다. 앱이 `getCallbackResult()` 를 호출하지 않아도 세션이 확립된다.
+  `prepareHeaders` 가 이 promise 를 await 하므로 첫 `getMe()`(인증 가드 등)가 세션 확립 후 발화.
+- **하위호환·안전성**: 앱이 이후 `getCallbackResult()` 를 호출해도 같은 promise 를 공유해 **이중
+  bootstrap/rotation 을 방지**(boot 소비 실패 시에만 직접 적재로 폴백). 팝업(`window.opener`)·
+  code-only(`?code=`)·에러(`?error=`) 콜백은 제외 — 기존 동작 유지. `autoRestoreSession: false`
+  면 자동 소비도 끈다. token rotation race(2026-05-16) 없음: 사전 re-issue 없이 URL 토큰을 직접
+  소비(=getCallbackResult 리다이렉트 경로와 동일)하기 때문.
+> 이미 배포된 앱도 CDN 번들(`connect-base.min.js`) / npm `latest` 갱신 시 코드 수정 없이 복구됩니다.
 ## [3.29.0] - 2026-06-02
 ### Added — `connectbase tunnel --token <고정값>` proxy_token 핀 (platform-issue 019e8623)

package/README.md CHANGED Viewed

@@ -1048,9 +1048,12 @@ HTTP response (for example, Discord Interactions requires a `200` with a
 JSON body within 3 seconds):
 ```javascript
-export async function handler(event, ctx) {
-  // event.method / event.path / event.query / event.headers / event.body
-  // are populated for webhook invocations.
+export async function handler(rawBody, ctx) {
+  // The first arg is the raw request body as a UTF-8 string (parse it yourself:
+  // JSON.parse(rawBody) for JSON, new URLSearchParams(rawBody) for form-encoded).
+  // ctx.method / ctx.path / ctx.query / ctx.headers / ctx.rawBody (Buffer) are
+  // populated for webhook invocations. The first arg is the body itself (a
+  // string), not a request object with a `.body` field.
   return {
     statusCode: 200,
     headers: { 'Content-Type': 'application/json' },

package/dist/cli.js CHANGED Viewed

@@ -1497,6 +1497,8 @@ var UpstreamWsFrameParser = class {
   constructor(handlers) {
     this.buffer = Buffer.alloc(0);
     this.fragmentBuffer = null;
+    // accumulated payload across FIN=0 frames
+    this.fragmentOpcode = 2;
     this.h = handlers;
   }
   feed(chunk) {
@@ -1559,16 +1561,17 @@ var UpstreamWsFrameParser = class {
           if (fin) {
             const out = this.fragmentBuffer;
             this.fragmentBuffer = null;
-            this.h.onPayload(out);
+            this.h.onPayload(out, this.fragmentOpcode);
           }
           break;
         case 1:
         // TEXT
         case 2:
           if (fin) {
-            this.h.onPayload(payloadCopy);
+            this.h.onPayload(payloadCopy, opcode);
           } else {
             this.fragmentBuffer = payloadCopy;
+            this.fragmentOpcode = opcode;
           }
           break;
         case 8:
@@ -1588,6 +1591,9 @@ var UpstreamWsFrameParser = class {
 function createUpstreamTextFrame(payload) {
   return buildClientFrame(129, payload);
 }
+function createUpstreamBinaryFrame(payload) {
+  return buildClientFrame(130, payload);
+}
 function createUpstreamPongFrame(payload) {
   return buildClientFrame(138, payload);
 }
@@ -1857,7 +1863,7 @@ async function startTunnel(port, config, tunnelOpts) {
   const tunnelServerUrl = getTunnelServerUrl(config.baseUrl);
   const parsedUrl = new URL(tunnelServerUrl);
   const isHttps = parsedUrl.protocol === "https:";
-  let wsPath = `/v2/tunnel/connect?app_id=${encodeURIComponent(appId)}&local_port=${port}`;
+  let wsPath = `/v2/tunnel/connect?app_id=${encodeURIComponent(appId)}&local_port=${port}&ws_opcode=1`;
   if (tunnelOpts?.timeout) {
     wsPath += `&timeout=${tunnelOpts.timeout}`;
   }
@@ -1874,6 +1880,7 @@ async function startTunnel(port, config, tunnelOpts) {
   const maxReconnectAttempts = 10;
   let shouldReconnect = true;
   let socket = null;
+  let negotiatedWsOpcode = false;
   let lockReleased = false;
   const releaseLock = () => {
     if (lockPath && !lockReleased) {
@@ -2147,9 +2154,13 @@ ${colors.cyan}ConnectBase Tunnel${colors.reset}`);
       });
       log(`${colors.dim}${(/* @__PURE__ */ new Date()).toLocaleTimeString()}${colors.reset} ${colors.cyan}WS${colors.reset} ${reqPath} \u2192 101`);
       const upstreamParser = new UpstreamWsFrameParser({
-        onPayload: (payload) => {
+        onPayload: (payload, opcode) => {
           if (cancelled) return;
-          sendBinary(sock, streamId, payload);
+          if (negotiatedWsOpcode) {
+            sendBinary(sock, streamId, Buffer.concat([Buffer.from([opcode & 15]), payload]));
+          } else {
+            sendBinary(sock, streamId, payload);
+          }
         },
         onPing: (payload) => {
           if (cancelled || !upstream) return;
@@ -2205,13 +2216,25 @@ ${colors.cyan}ConnectBase Tunnel${colors.reset}`);
       // Encode the v2 payload as an upstream WS frame BEFORE writing to
       // the socket. The prior implementation wrote raw payload to the
       // socket which is not a valid WS frame; upstream WS servers (e.g.
-      // ComfyUI) would error out. Default to TEXT opcode — the v2
-      // protocol does not propagate the original opcode from the client,
-      // and most WS APIs (JSON-based) use text. Binary client→upstream
-      // is a known limitation pending opcode propagation in v2.
+      // ComfyUI) would error out.
+      //
+      // When ws_opcode is negotiated, the chunk is [opcode][payload] — we
+      // re-frame with the client's original TEXT/BINARY opcode so binary
+      // subprotocols (e.g. noVNC's `binary` over websockify) work
+      // bidirectionally (platform-issue 019e86ea). Without negotiation we
+      // fall back to TEXT — the long-standing limitation that silently
+      // dropped client→upstream binary frames.
       feedBody: (chunk) => {
         if (cancelled || !upstream) return;
-        upstream.write(createUpstreamTextFrame(chunk));
+        if (negotiatedWsOpcode && chunk.length >= 1) {
+          const opcode = chunk[0] & 15;
+          const payload = chunk.subarray(1);
+          upstream.write(
+            opcode === 2 ? createUpstreamBinaryFrame(payload) : createUpstreamTextFrame(payload)
+          );
+        } else {
+          upstream.write(createUpstreamTextFrame(chunk));
+        }
       },
       endBody: () => {
       },
@@ -2231,6 +2254,8 @@ ${colors.cyan}ConnectBase Tunnel${colors.reset}`);
         const proxyToken = typeof msg.proxy_token === "string" ? msg.proxy_token : "";
         const tunnelUrl = typeof msg.url === "string" ? msg.url : "";
         const isPublic = msg.public === true;
+        const readyFeatures = Array.isArray(msg.features) ? msg.features : [];
+        negotiatedWsOpcode = readyFeatures.includes("ws_opcode");
         success(`\uD130\uB110 \uD65C\uC131\uD654!`);
         log(`${colors.green}\u2192${colors.reset} URL:   ${colors.cyan}${tunnelUrl}${colors.reset}`);
         log(`${colors.green}\u2192${colors.reset} \uB85C\uCEEC:  ${colors.cyan}http://localhost:${localPort}${colors.reset}`);