orbitchat 3.3.5 → 3.3.7
- package/README.md +39 -1
- package/bin/orbitchat.js +12 -1
- package/dist/assets/ChartRenderer-CMTtwa7N.js +80 -0
- package/dist/assets/{MermaidRenderer-C7HAFShD.js → MermaidRenderer-BGfEn-8D.js} +5 -5
- package/dist/assets/{MusicRenderer-CKePwetD.js → MusicRenderer-uD3cRUDk.js} +2 -2
- package/dist/assets/{SVGRenderer-nCE3IIGK.js → SVGRenderer-DplZ-T1R.js} +1 -1
- package/dist/assets/{_basePickBy-BulxEvv-.js → _basePickBy-CuF4aLpO.js} +1 -1
- package/dist/assets/{_baseUniq-BR4RoZuC.js → _baseUniq--aFebvuG.js} +1 -1
- package/dist/assets/{architectureDiagram-VXUJARFQ-CypnZOlU.js → architectureDiagram-VXUJARFQ-CP0xy9PB.js} +1 -1
- package/dist/assets/{blockDiagram-VD42YOAC-DRF1dQy8.js → blockDiagram-VD42YOAC-DaIhCiLV.js} +1 -1
- package/dist/assets/{c4Diagram-YG6GDRKO-CSLQXNMf.js → c4Diagram-YG6GDRKO-BmluaJaJ.js} +1 -1
- package/dist/assets/channel-D122_0gd.js +1 -0
- package/dist/assets/{chunk-4BX2VUAB-2nN7NKvp.js → chunk-4BX2VUAB-DHplKZMr.js} +1 -1
- package/dist/assets/{chunk-55IACEB6-nYrmvqb_.js → chunk-55IACEB6-B987CK5e.js} +1 -1
- package/dist/assets/{chunk-B4BG7PRW-yipe0vJ0.js → chunk-B4BG7PRW-BUOgJwMo.js} +1 -1
- package/dist/assets/{chunk-DI55MBZ5-DwEbWHkS.js → chunk-DI55MBZ5-B0C8oW6f.js} +1 -1
- package/dist/assets/{chunk-FMBD7UC4-D1QJQsnh.js → chunk-FMBD7UC4-BC2UA48D.js} +1 -1
- package/dist/assets/{chunk-QN33PNHL-DWEuclDB.js → chunk-QN33PNHL-BRQejh6g.js} +1 -1
- package/dist/assets/{chunk-QZHKN3VN-DI20Pp3k.js → chunk-QZHKN3VN-CcTE2T0U.js} +1 -1
- package/dist/assets/{chunk-TZMSLE5B-CXyUkbVd.js → chunk-TZMSLE5B-D6s8s4Wd.js} +1 -1
- package/dist/assets/classDiagram-2ON5EDUG-D6BaYtGK.js +1 -0
- package/dist/assets/classDiagram-v2-WZHVMYZB-D6BaYtGK.js +1 -0
- package/dist/assets/clone-DOP8--JF.js +1 -0
- package/dist/assets/{cose-bilkent-S5V4N54A-B0nxf5mS.js → cose-bilkent-S5V4N54A-DaFuCEww.js} +1 -1
- package/dist/assets/{dagre-6UL2VRFP-DIWGfAdD.js → dagre-6UL2VRFP-P24bz3q4.js} +1 -1
- package/dist/assets/{diagram-PSM6KHXK-BFNoH3-9.js → diagram-PSM6KHXK-DcWwAWn6.js} +1 -1
- package/dist/assets/{diagram-QEK2KX5R-Bi-ikqxo.js → diagram-QEK2KX5R-C8qX_ZIc.js} +1 -1
- package/dist/assets/{diagram-S2PKOQOG-BuzuSgUD.js → diagram-S2PKOQOG-y95jPlcA.js} +1 -1
- package/dist/assets/{erDiagram-Q2GNP2WA-CPKR4OjU.js → erDiagram-Q2GNP2WA-BvR9Urxi.js} +1 -1
- package/dist/assets/{flowDiagram-NV44I4VS-WjU4Ktok.js → flowDiagram-NV44I4VS-RNumyFUb.js} +1 -1
- package/dist/assets/{ganttDiagram-JELNMOA3-BeEFeRzu.js → ganttDiagram-JELNMOA3-BVSoY-AD.js} +1 -1
- package/dist/assets/{gitGraphDiagram-V2S2FVAM-Dm1mzWSM.js → gitGraphDiagram-V2S2FVAM-AToARZ8f.js} +1 -1
- package/dist/assets/{graph-BtarHVJf.js → graph-B-xnjVJs.js} +1 -1
- package/dist/assets/{index-CiIkj2yn.js → index-B_VkYlLj.js} +1 -1
- package/dist/assets/index-Baf0NBsK.css +1 -0
- package/dist/assets/{index-DwYlYTx2.js → index-Di0lu2HX.js} +59 -48
- package/dist/assets/{infoDiagram-HS3SLOUP-BLWp2lVr.js → infoDiagram-HS3SLOUP-THYRKFe_.js} +1 -1
- package/dist/assets/{journeyDiagram-XKPGCS4Q-BTWtPUvy.js → journeyDiagram-XKPGCS4Q-BdNAwEyo.js} +1 -1
- package/dist/assets/{kanban-definition-3W4ZIXB7-Dv_UJp-s.js → kanban-definition-3W4ZIXB7-kTWYIPgb.js} +1 -1
- package/dist/assets/{layout-Ddqk3-rR.js → layout-BXrjXjwv.js} +1 -1
- package/dist/assets/{mindmap-definition-VGOIOE7T-Cvc5bKDx.js → mindmap-definition-VGOIOE7T-D96JPac9.js} +1 -1
- package/dist/assets/{pieDiagram-ADFJNKIX-CrqTnCbf.js → pieDiagram-ADFJNKIX-Bnl7fLkl.js} +1 -1
- package/dist/assets/{quadrantDiagram-AYHSOK5B-BbF95ogu.js → quadrantDiagram-AYHSOK5B-D6vKP45f.js} +1 -1
- package/dist/assets/{requirementDiagram-UZGBJVZJ-BwArsYVP.js → requirementDiagram-UZGBJVZJ-m7mIoHxU.js} +1 -1
- package/dist/assets/{sankeyDiagram-TZEHDZUN-C15ncLMv.js → sankeyDiagram-TZEHDZUN-CRN5DvQ5.js} +1 -1
- package/dist/assets/{sequenceDiagram-WL72ISMW-BgRH2AmM.js → sequenceDiagram-WL72ISMW-C30iDcKx.js} +1 -1
- package/dist/assets/{stateDiagram-FKZM4ZOC-ZJnOqPdf.js → stateDiagram-FKZM4ZOC-BDW55C7L.js} +1 -1
- package/dist/assets/stateDiagram-v2-4FDKWEC3-U8mFO6E0.js +1 -0
- package/dist/assets/{timeline-definition-IT6M3QCI-D_8-uvSS.js → timeline-definition-IT6M3QCI-DsLmL9-l.js} +1 -1
- package/dist/assets/treemap-GDKQZRPO-DpWJGyRd.js +160 -0
- package/dist/assets/{xychartDiagram-PRI3JC2R-12Y-FyTd.js → xychartDiagram-PRI3JC2R-v2U7nKNz.js} +1 -1
- package/dist/index.html +2 -2
- package/markdown-renderer/src/MarkdownStyles.css +122 -66
- package/markdown-renderer/src/renderers/ChartRenderer.tsx +115 -85
- package/package.json +1 -1
- package/dist/assets/ChartRenderer-C0BhPMQw.js +0 -80
- package/dist/assets/channel-Czdys_Nn.js +0 -1
- package/dist/assets/classDiagram-2ON5EDUG-CPxr2wRC.js +0 -1
- package/dist/assets/classDiagram-v2-WZHVMYZB-CPxr2wRC.js +0 -1
- package/dist/assets/clone-B0ShuZQ4.js +0 -1
- package/dist/assets/index-DZIq--T_.css +0 -1
- package/dist/assets/stateDiagram-v2-4FDKWEC3-CNxipTRh.js +0 -1
- package/dist/assets/treemap-GDKQZRPO-B7tMOStw.js +0 -160
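--- a/package/README.md
+++ b/package/README.md
@@ -187,6 +187,8 @@ api:
 url: "http://localhost:3000"
 features:
 enableUpload: true
+server:
+trustProxy: false
 ```
 
 Header logos (`header.logoUrl`, `header.logoUrlLight`, `header.logoUrlDark`) support:
@@ -209,6 +211,11 @@ Default logo fallback behavior:
 ```
 With this config, light/dark themes automatically use the default files from `public/`.
 
+Server/reverse proxy setting:
+- `server.trustProxy` maps directly to Express `app.set('trust proxy', value)`.
+- Default is `false`.
+- Set `server.trustProxy: 1` when ORBIT Chat is behind a single trusted reverse proxy.
+
 ### Environment Variables
 
 Adapter secrets are provided via:
@@ -262,9 +269,40 @@ If you've updated `orbitchat.yaml` but don't see changes:
 1. The CLI watches the YAML file and should restart automatically.
 2. Clear browser site data/localStorage for the app origin to ensure no stale session state is being used.
 
+### `ERR_ERL_UNEXPECTED_X_FORWARDED_FOR` (rate limit + reverse proxy)
+
+If you see a log like:
+
+```txt
+ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default).
+code: 'ERR_ERL_UNEXPECTED_X_FORWARDED_FOR'
+```
+
+this usually means ORBIT Chat is running behind a reverse proxy (Nginx, ingress controller, load balancer, Cloudflare, etc.) that adds `X-Forwarded-For`, but Express is still using the default `trust proxy = false`.
+
+Why this matters:
+1. The app still runs (this is a validation warning), but guest rate limiting may identify client IPs incorrectly.
+2. In the worst case, many users can be rate-limited as if they were a single client.
+
+How to prevent it:
+1. If you are behind a trusted reverse proxy, set this in `orbitchat.yaml`:
+```yaml
+server:
+trustProxy: 1
+```
+2. If you are not intentionally behind a proxy, remove unexpected `X-Forwarded-For` injection in your network path.
+3. As a temporary workaround, disable guest rate limiting in `orbitchat.yaml`:
+```yaml
+guestLimits:
+rateLimit:
+enabled: false
+```
+
+Reference: https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/
+
 ## Security
 
 - The browser **never** sees real API keys. The Express proxy maps adapter names to keys server-side.
 - `GET /api/adapters` only exposes non-secret metadata (name, description, notes, model) — never keys or backend URLs.
 - Keep `VITE_ADAPTER_KEYS` out of source control.
-- Run the proxy behind HTTPS in production.
+- Run the proxy behind HTTPS in production.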
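--- a/package/bin/orbitchat.js
+++ b/package/bin/orbitchat.js
@@ -253,6 +253,12 @@ function createServer(distPath, config, serverConfig = {}) {
 const adapters = loadAdaptersForProxy(config.adapters);
 const apiOnly = serverConfig.apiOnly || false;
 const localAssets = serverConfig.localAssets || {};
+const trustProxy = serverConfig.trustProxy;
+
+// For deployments behind reverse proxies, trust forwarded headers when configured.
+if (typeof trustProxy !== 'undefined') {
+app.set('trust proxy', trustProxy);
+}
 
 if (apiOnly) {
 const allowedOrigin = serverConfig.corsOrigin || '*';
@@ -463,7 +469,12 @@ function main() {
 }
 
 const distPath = path.join(__dirname, '..', 'dist');
-const app = createServer(distPath, config, {
+const app = createServer(distPath, config, {
+...serverConfig,
+rateLimit: yamlObj?.guestLimits?.rateLimit,
+trustProxy: yamlObj?.server?.trustProxy,
+localAssets
+});
 
 const server = app.listen(serverConfig.port, serverConfig.host, () => {
 console.debug(`🚀 ORBIT Chat is running at http://${serverConfig.host}:${serverConfig.port}`);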