mm-math 0.0.4 → 0.0.5

package/index.html

@@ -519,7 +519,59 @@ document.getElementById('fUser').addEventListener('keydown', e => {
 });
 
 // ── Login ─────────────────────────────────────────────────────────────────────
-const API_BASE = window.location.hostname === 'calc.moshelab.com' ? '' : 'https://calc.moshelab.com';
+const _onCalc = window.location.hostname === 'calc.moshelab.com';
+const BRIDGE_ORIGIN = 'https://calc.moshelab.com';
+
+// Preload invisible auth-bridge iframe when running outside calc.moshelab.com.
+// The iframe makes a same-origin fetch to the API (no CORS), then postMessages
+// the result back. This bypasses Cloudflare's cross-origin fetch restrictions.
+let _bridge = null;
+if (!_onCalc) {
+  _bridge = document.createElement('iframe');
+  _bridge.src = BRIDGE_ORIGIN + '/login-frame.html';
+  _bridge.style.cssText = 'display:none;width:0;height:0;border:0;position:absolute;left:-9999px;top:-9999px;';
+  _bridge.setAttribute('aria-hidden', 'true');
+  document.body.appendChild(_bridge);
+}
+
+function _loginDirect(username, password) {
+  return fetch('/api/login', {
+    method:  'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body:    JSON.stringify({ username, password }),
+  }).then(function(res) {
+    return res.json().then(function(data) {
+      data.ok = res.ok; data.status = res.status; return data;
+    });
+  });
+}
+
+function _loginViaBridge(username, password) {
+  return new Promise(function(resolve, reject) {
+    const nonce = Math.random().toString(36).slice(2, 10);
+    const timer = setTimeout(function() {
+      window.removeEventListener('message', handler);
+      reject(new Error('Request timed out. Try again.'));
+    }, 15000);
+
+    function handler(event) {
+      if (event.origin !== BRIDGE_ORIGIN) return;
+      const d = event.data;
+      if (!d || d.type !== 'login_result' || d.nonce !== nonce) return;
+      clearTimeout(timer);
+      window.removeEventListener('message', handler);
+      resolve(d);
+    }
+    window.addEventListener('message', handler);
+
+    if (!_bridge || !_bridge.contentWindow) {
+      clearTimeout(timer);
+      return reject(new Error('Auth bridge unavailable'));
+    }
+    _bridge.contentWindow.postMessage({ type: 'login', username, password, nonce }, BRIDGE_ORIGIN);
+  });
+}
+
 async function doLogin() {
   const username = document.getElementById('fUser').value.trim();
   const password = document.getElementById('fPass').value;
@@ -536,15 +588,10 @@ async function doLogin() {
   errEl.textContent = '';
 
   try {
-    const res  = await fetch(API_BASE + '/api/login', {
-      method:  'POST',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body:    new URLSearchParams({ username, password }),
-    });
-    const data = await res.json();
+    const data = await (_onCalc ? _loginDirect(username, password) : _loginViaBridge(username, password));
 
-    if (!res.ok || !data.success) {
-      errEl.textContent = res.status === 429
+    if (!data.ok || !data.success) {
+      errEl.textContent = data.status === 429 || (data.error || '').includes('Too many')
         ? 'Too many attempts. Wait 60 seconds.'
         : 'Invalid username or password.';
       btn.disabled = false;
@@ -568,7 +615,7 @@ async function doLogin() {
       window.location.href = './browse.html';
     }
   } catch (err) {
-    errEl.textContent = 'Error: ' + (err && err.message ? err.message : err);
+    errEl.textContent = err && err.message ? err.message : String(err);
     btn.disabled = false;
     btn.textContent = 'Sign In';
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mm-math",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "STEM educational toolkit",
   "main": "index.html",
   "files": [