fix: restore token in /health for localhost extension auth

The CSO security fix stripped the token from /health to prevent leaking
when tunneled. But the extension needs it to authenticate on localhost.
Now returns token only when not tunneled (safe: localhost-only path).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Garry Tan
2026-04-05 17:58:24 -07:00
parent 7b60c0bbe6
commit 52226dafe2
@@ -1290,7 +1290,9 @@ async function start() {
};
// Sensitive fields only served on localhost (not through tunnel).
// currentUrl reveals internal URLs, currentMessage reveals user intent.
// token needed by extension to authenticate subsequent requests.
if (!tunnelActive) {
healthResponse.token = AUTH_TOKEN;
healthResponse.currentUrl = browserManager.getCurrentUrl();
healthResponse.chatEnabled = true;
healthResponse.agent = {
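Review bot: the new `healthResponse.token = AUTH_TOKEN;` line is gated only on `!tunnelActive`, which is a server-side flag about whether a tunnel is up, not a check that the request in hand arrived over loopback; the comment above it ("only served on localhost") and the commit message ("safe: localhost-only path") describe a stronger guarantee than the code enforces. If the process ever listens on a non-loopback address, or is fronted by something other than the tunnel, an unauthenticated GET to `/health` hands out the bearer token for every subsequent request. Suggest checking the peer address as well, e.g. `const isLoopback = req.socket.remoteAddress === '127.0.0.1' || req.socket.remoteAddress === '::1';` and using `if (!tunnelActive && isLoopback)`, or moving the token out of `/health` into a dedicated endpoint that is only ever bound to loopback. It is also worth a line of documentation stating that any local process that can reach the port can read the token, and confirming that `/health` does not send permissive CORS headers, since a loopback-only origin check is defeated if a page in the user's browser can read the response.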