npm - kubeagent - Versions diffs - 0.1.8 → 0.1.9 - Mend

kubeagent 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/auth.js +21 -14
package/package.json +1 -1

package/dist/auth.js CHANGED Viewed

@@ -53,13 +53,19 @@ export async function loginBrowser(serverUrl, appUrl) {
                 res.end();
                 return;
             }
-            const url = new URL(req.url, "http://localhost");
-            const receivedState = url.searchParams.get("state");
-            const token = url.searchParams.get("token");
-            const email = url.searchParams.get("email") ?? "";
-            const name = url.searchParams.get("name") ?? "";
-            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-            res.end(`<!DOCTYPE html>
+            // Parse credentials from POST body (hidden form submit) to avoid
+            // leaking the JWT in URL query params, browser history, and Referer headers.
+            const chunks = [];
+            req.on("data", (chunk) => chunks.push(chunk));
+            req.on("end", () => {
+                const body = Buffer.concat(chunks).toString();
+                const params = new URLSearchParams(body);
+                const receivedState = params.get("state");
+                const token = params.get("token");
+                const email = params.get("email") ?? "";
+                const name = params.get("name") ?? "";
+                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                res.end(`<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8" />
@@ -89,13 +95,14 @@ export async function loginBrowser(serverUrl, appUrl) {
   </div>
 </body>
 </html>`);
-            server.close();
-            if (receivedState !== state || !token) {
-                reject(new Error("Invalid callback — state mismatch or missing token"));
-            }
-            else {
-                resolve({ token, email, name });
-            }
+                server.close();
+                if (receivedState !== state || !token) {
+                    reject(new Error("Invalid callback — state mismatch or missing token"));
+                }
+                else {
+                    resolve({ token, email, name });
+                }
+            });
         });
         server.listen(0, "127.0.0.1", async () => {
             const port = server.address().port;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "kubeagent",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "AI-powered Kubernetes management CLI",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",