web-manager 4.3.3 → 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -506,7 +506,9 @@ class Manager {
506
506
  || this.config.environment;
507
507
 
508
508
  if (env === 'development') {
509
- return 'http://localhost:5002';
509
+ // BEM's `mgr serve` exposes the local API over HTTPS (mkcert proxy on 5002,
510
+ // since backend-manager 5.7.0) — plain http:// cannot connect to it.
511
+ return 'https://localhost:5002';
510
512
  }
511
513
 
512
514
  const apiDomain = this._resolveFirebaseConfig()?.authDomain; // Has to be this since some projects like Clockii use ITW Universal Auth
@@ -526,6 +528,14 @@ class Manager {
526
528
  const returnUrlObject = new URL(decodeURIComponent(url));
527
529
  const currentUrlObject = new URL(window.location.href);
528
530
 
531
+ // Loopback returns (RFC 8252 §7.3) are valid while the SITE runs in development:
532
+ // native apps (Electron Manager) can't OS-register their custom scheme in dev, so
533
+ // their sign-in flow returns to an ephemeral 127.0.0.1 listener instead. Any port —
534
+ // the app binds it at flow start. Production sites never match this branch.
535
+ if (this.isDevelopment() && ['127.0.0.1', '[::1]', 'localhost'].includes(returnUrlObject.hostname)) {
536
+ return true;
537
+ }
538
+
529
539
  return returnUrlObject.host === currentUrlObject.host
530
540
  || returnUrlObject.protocol === this.config.brand?.id + ':'
531
541
  || (this.config.validRedirectHosts || []).includes(returnUrlObject.host);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "web-manager",
3
- "version": "4.3.3",
3
+ "version": "4.3.4",
4
4
  "description": "Easily access important variables such as the query string, current domain, and current page in a single object.",
5
5
  "main": "dist/index.js",
6
6
  "files": [
package/src/index.js CHANGED
@@ -506,7 +506,9 @@ class Manager {
506
506
  || this.config.environment;
507
507
 
508
508
  if (env === 'development') {
509
- return 'http://localhost:5002';
509
+ // BEM's `mgr serve` exposes the local API over HTTPS (mkcert proxy on 5002,
510
+ // since backend-manager 5.7.0) — plain http:// cannot connect to it.
511
+ return 'https://localhost:5002';
510
512
  }
511
513
 
512
514
  const apiDomain = this._resolveFirebaseConfig()?.authDomain; // Has to be this since some projects like Clockii use ITW Universal Auth
@@ -526,6 +528,14 @@ class Manager {
526
528
  const returnUrlObject = new URL(decodeURIComponent(url));
527
529
  const currentUrlObject = new URL(window.location.href);
528
530
 
531
+ // Loopback returns (RFC 8252 §7.3) are valid while the SITE runs in development:
532
+ // native apps (Electron Manager) can't OS-register their custom scheme in dev, so
533
+ // their sign-in flow returns to an ephemeral 127.0.0.1 listener instead. Any port —
534
+ // the app binds it at flow start. Production sites never match this branch.
535
+ if (this.isDevelopment() && ['127.0.0.1', '[::1]', 'localhost'].includes(returnUrlObject.hostname)) {
536
+ return true;
537
+ }
538
+
529
539
  return returnUrlObject.host === currentUrlObject.host
530
540
  || returnUrlObject.protocol === this.config.brand?.id + ':'
531
541
  || (this.config.validRedirectHosts || []).includes(returnUrlObject.host);