crewx 0.8.8-rc.13 → 0.8.8-rc.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -47,14 +47,17 @@ let BaseAuthGuard = class BaseAuthGuard {
|
|
|
47
47
|
// CSRF not required for loopback — cross-origin CSRF to localhost is blocked by the browser.
|
|
48
48
|
if (this.isLocalRequest(req))
|
|
49
49
|
return true;
|
|
50
|
-
// External
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
if (
|
|
54
|
-
|
|
50
|
+
// External access → session first (throws 401 if missing/invalid)
|
|
51
|
+
this.validateWebSession(req);
|
|
52
|
+
// CSRF Double Submit only on unsafe methods (state-changing)
|
|
53
|
+
if (this.requiresCsrf(req)) {
|
|
54
|
+
const csrfHeader = req.headers['x-csrf-token'];
|
|
55
|
+
const csrfCookie = req.cookies?.['crewx_csrf'];
|
|
56
|
+
if (!csrfHeader || csrfHeader !== csrfCookie) {
|
|
57
|
+
throw new common_1.ForbiddenException('CSRF token mismatch');
|
|
58
|
+
}
|
|
55
59
|
}
|
|
56
|
-
|
|
57
|
-
return this.validateWebSession(req);
|
|
60
|
+
return true;
|
|
58
61
|
}
|
|
59
62
|
isLocalRequest(req) {
|
|
60
63
|
const ip = req.socket?.remoteAddress;
|
|
@@ -63,6 +66,10 @@ let BaseAuthGuard = class BaseAuthGuard {
|
|
|
63
66
|
const host = (req.headers['host'] ?? '').split(':')[0];
|
|
64
67
|
return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
|
|
65
68
|
}
|
|
69
|
+
requiresCsrf(req) {
|
|
70
|
+
const method = (req.method ?? 'GET').toUpperCase();
|
|
71
|
+
return !['GET', 'HEAD', 'OPTIONS'].includes(method);
|
|
72
|
+
}
|
|
66
73
|
validateWebSession(req) {
|
|
67
74
|
const cookieSessionId = req.cookies?.['crewx_token'];
|
|
68
75
|
if (cookieSessionId && (0, session_store_js_1.validateSession)(cookieSessionId)) {
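Review bot: The double-submit check on new lines 56–58 only tests that the `x-csrf-token` header equals the `crewx_csrf` cookie; nothing ties that cookie to the session validated on line 51, so any value that a party able to set cookies for this host places in `crewx_csrf` satisfies it, which is the known weakness of the naive double-submit pattern. The stronger form derives the expected token from the session — an HMAC of the session id under a server-side secret, issued as the cookie — and verifies that MAC before comparing, and the comparison itself is better done with `crypto.timingSafeEqual` on equal-length `Buffer`s than with `!==`. Separately, the exemption on line 48 still skips this whole block for loopback, and the line-47 comment overstates the guarantee: whether a public page's request to localhost is blocked depends on Private Network Access, which not every browser enforces, so I would soften that comment and consider applying `requiresCsrf` to local requests as well. The enclosing method starts before this hunk.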
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "1.0",
|
|
3
|
+
"registries": [
|
|
4
|
+
{
|
|
5
|
+
"id": "crewx-official",
|
|
6
|
+
"name": "crewx-templates",
|
|
7
|
+
"url": "https://github.com/sowonlabs/crewx-templates",
|
|
8
|
+
"trust": "verified",
|
|
9
|
+
"type": "crewx",
|
|
10
|
+
"default": true
|
|
11
|
+
},
|
|
12
|
+
{
|
|
13
|
+
"id": "anthropic-skills",
|
|
14
|
+
"name": "anthropic-skills",
|
|
15
|
+
"url": "https://github.com/anthropics/skills",
|
|
16
|
+
"trust": "verified",
|
|
17
|
+
"type": "claude",
|
|
18
|
+
"default": false
|
|
19
|
+
}
|
|
20
|
+
],
|
|
21
|
+
"deny": [],
|
|
22
|
+
"forceDisabled": [],
|
|
23
|
+
"forceEnabled": []
|
|
24
|
+
}
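Review bot: Each registry entry carries `"trust": "verified"` together with a bare repository URL and no ref, commit or content hash, so if this file is what decides which remote templates or skills are fetched and trusted, the "verified" status is attached to a URL rather than to any specific content and whatever the default branch serves at fetch time inherits it. I cannot see the loader from this diff; if it supports pinning, each entry should carry a commit and a content hash, and if it does not, a comment or field stating that "verified" is only a display label would make the intended trust level clear.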
|
package/dist-server/main.js
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "crewx",
|
|
3
|
-
"version": "0.8.8-rc.
|
|
3
|
+
"version": "0.8.8-rc.15",
|
|
4
4
|
"description": "CrewX — AI agent team dashboard with Electron UI and CLI (Web + Electron + Global CLI)",
|
|
5
5
|
"main": "server.js",
|
|
6
6
|
"bin": {
|
|
@@ -76,17 +76,17 @@
|
|
|
76
76
|
"wink-nlp-utils": "2.1.0",
|
|
77
77
|
"yargs": "17.7.0",
|
|
78
78
|
"zod": "3.25.76",
|
|
79
|
-
"@crewx/
|
|
79
|
+
"@crewx/cli": "0.8.8-rc.15",
|
|
80
|
+
"@crewx/cron": "0.1.10-rc.13",
|
|
80
81
|
"@crewx/knowledge-core": "0.1.17",
|
|
81
|
-
"@crewx/cli": "0.8.8-rc.13",
|
|
82
|
-
"@crewx/memory": "0.1.22-rc.8",
|
|
83
|
-
"@crewx/sdk": "0.8.8-rc.13",
|
|
84
82
|
"@crewx/doc": "0.1.8",
|
|
85
|
-
"@crewx/
|
|
86
|
-
"@crewx/
|
|
83
|
+
"@crewx/memory": "0.1.22-rc.10",
|
|
84
|
+
"@crewx/sdk": "0.8.8-rc.15",
|
|
87
85
|
"@crewx/search": "0.1.9",
|
|
86
|
+
"@crewx/wbs": "0.1.10-rc.8",
|
|
87
|
+
"@crewx/skill": "0.1.20",
|
|
88
88
|
"@crewx/shared": "0.0.5",
|
|
89
|
-
"@crewx/workflow": "0.3.21-rc.
|
|
89
|
+
"@crewx/workflow": "0.3.21-rc.10"
|
|
90
90
|
},
|
|
91
91
|
"devDependencies": {
|
|
92
92
|
"@ccusage/codex": "0.0.1",
|