RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: restore token in /health for localhost extension auth 

The CSO security fix stripped the token from /health to prevent leaking
when tunneled. But the extension needs it to authenticate on localhost.
Now returns token only when not tunneled (safe: localhost-only path).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan 2026-04-05 17:58:24 -07:00
parent 7b60c0bbe6
commit 52226dafe2
No known key found for this signature in database
GPG Key ID: C1F69E85C74EFE1D
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
browse/src/server.ts
View File

@ -1290,7 +1290,9 @@ async function start() {
};
// Sensitive fields only served on localhost (not through tunnel).
// currentUrl reveals internal URLs, currentMessage reveals user intent.
// token needed by extension to authenticate subsequent requests.
if (!tunnelActive) {
healthResponse.token = AUTH_TOKEN;
healthResponse.currentUrl = browserManager.getCurrentUrl();
healthResponse.chatEnabled = true;
healthResponse.agent = {