npm - kubeagent - Versions diffs - 0.1.20 → 0.1.22 - Mend

kubeagent 0.1.20 → 0.1.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/auth.js +13 -10
package/package.json +2 -2

package/dist/auth.js CHANGED Viewed

@@ -63,17 +63,20 @@ export async function loginBrowser(serverUrl, appUrl) {
                 res.end();
                 return;
             }
-            // Parse credentials from POST body (hidden form submit) to avoid
-            // leaking the JWT in URL query params, browser history, and Referer headers.
-            const chunks = [];
-            req.on("data", (chunk) => chunks.push(chunk));
+            // Parse credentials from the redirect URL query params.
+            // A plain HTTP redirect from the HTTPS server is not blocked as mixed content
+            // by modern browsers (unlike form submissions), so the flow works reliably.
+            // The token travels only over the loopback interface — same threat model as
+            // GitHub CLI, Tailscale, and other CLI OAuth tools.
+            const url = new URL(req.url, `http://127.0.0.1`);
+            const params = url.searchParams;
+            const receivedState = params.get("state");
+            const token = params.get("token");
+            const email = params.get("email") ?? "";
+            const name = params.get("name") ?? "";
+            // Consume any request body before replying (keeps the socket clean).
+            req.resume();
             req.on("end", () => {
-                const body = Buffer.concat(chunks).toString();
-                const params = new URLSearchParams(body);
-                const receivedState = params.get("state");
-                const token = params.get("token");
-                const email = params.get("email") ?? "";
-                const name = params.get("name") ?? "";
                 res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
                 res.end(`<!DOCTYPE html>
 <html lang="en">

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "kubeagent",
-  "version": "0.1.20",
+  "version": "0.1.22",
   "description": "AI-powered Kubernetes management CLI",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
@@ -19,7 +19,7 @@
     "test:watch": "vitest"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=18"
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.81.0",