hai/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-17 01:31:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: remove auth token from /health, secure extension bootstrap (CRITICAL-02 + HIGH-03)

Browse Source 
- Remove token from /health response (was leaked to any localhost process)
- Write .auth.json to extension dir for Manifest V3 bootstrap
- sidebar-agent reads token from state file via BROWSE_STATE_FILE env var
- Remove getToken handler from extension (token via health broadcast)
- Extension loads token before first health poll to prevent race condition
This commit is contained in:
Garry Tan
2026-03-27 22:13:45 -07:00
parent 11695e3aca
commit e16bf23ca0
6 changed files with 114 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
extension/sidepanel.js
View File

@@ -413,7 +413,7 @@ function createEntryElement(entry) {
div.innerHTML = `
<div class="entry-header">
<span class="entry-time">${formatTime(entry.timestamp)}</span>
<span class="entry-command">${entry.command || entry.type}</span>
<span class="entry-command">${escapeHtml(entry.command || entry.type)}</span>
</div>
${argsText ? `<div class="entry-args">${escapeHtml(argsText)}</div>` : ''}
${entry.type === 'command_end' ? `
@@ -469,7 +469,8 @@ function connectSSE() {
if (!serverUrl) return;
if (eventSource) { eventSource.close(); eventSource = null; }
const url = `${serverUrl}/activity/stream?after=${lastId}`;
const tokenParam = serverToken ? `&token=${serverToken}` : '';
const url = `${serverUrl}/activity/stream?after=${lastId}${tokenParam}`;
eventSource = new EventSource(url);
eventSource.addEventListener('activity', (e) => {
@@ -493,7 +494,9 @@ function connectSSE() {
async function fetchRefs() {
if (!serverUrl) return;
try {
const resp = await fetch(`${serverUrl}/refs`, { signal: AbortSignal.timeout(3000) });
const headers = {};
if (serverToken) headers['Authorization'] = `Bearer ${serverToken}`;
const resp = await fetch(`${serverUrl}/refs`, { signal: AbortSignal.timeout(3000), headers });
if (!resp.ok) return;
const data = await resp.json();
@@ -594,10 +597,8 @@ function tryConnect() {
chrome.runtime.sendMessage({ type: 'getPort' }, (resp) => {
if (resp && resp.port && resp.connected) {
const url = `http://127.0.0.1:${resp.port}`;
// Get the token from background
chrome.runtime.sendMessage({ type: 'getToken' }, (tokenResp) => {
updateConnection(url, tokenResp?.token);
});
// Token arrives via health broadcast from background.js
updateConnection(url, null);
} else {
setTimeout(tryConnect, 2000);
}