程序员阿江(Relakkes) 4ef9729ad6 Keep H5 control local while tightening remote CORS
Remote browser access now needs the H5 token once LAN mode is enabled, but changing that mode remains a local desktop control-plane operation even when deployment auth is explicitly enabled. CORS also no longer treats a non-local same-origin alias as trusted unless it is the configured H5 public origin or allowlisted origin.

Constraint: H5 exposes desktop control surfaces on the LAN and must not let remote browsers enable their own access.

Constraint: Desktop WebView, localhost WebUI, SDK websocket, and IM adapter loopback calls must remain tokenless.

Rejected: Allow authenticated remote control-plane writes under SERVER_AUTH_REQUIRED | violates the local opt-in boundary for H5 exposure.

Confidence: high

Scope-risk: moderate

Directive: Do not relax /api/h5-access mutating endpoints for browser origins without adding a reviewed desktop-only trust signal.

Tested: bun test src/server/__tests__/h5-access-auth.test.ts

Tested: bun test src/server/__tests__/h5-access-policy.test.ts src/server/middleware/cors.test.ts

Tested: bun run check:server
2026-05-12 14:52:02 +08:00
..
2026-05-04 16:45:24 +08:00
2026-05-04 16:45:24 +08:00
2026-04-18 20:34:56 +08:00
2026-03-31 01:55:58 -07:00
2026-04-18 20:34:56 +08:00
2026-04-18 20:34:56 +08:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-04-03 00:30:56 +08:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00
2026-03-31 01:55:58 -07:00