mirror of
https://github.com/NanmiCoder/cc-haha
synced 2026-07-16 13:03:31 +08:00
Remote browser access needs an explicit path that preserves localhost desktop behavior while allowing H5 tokens for REST and client websocket upgrades. This keeps the existing synchronous Anthropic auth helper intact, adds async request validation for H5 tokens, and centralizes origin handling so preflight, API, proxy, websocket, and health responses behave consistently. Constraint: Existing validateAuth(req) must stay synchronous for current tests and callers Constraint: Default localhost and Tauri desktop behavior must remain unchanged Rejected: Replacing validateAuth with an async-only API | would break existing sync tests and call sites Rejected: Allowing wildcard or fallback remote origins | violates the H5 explicit-origin security model Directive: Restore ProviderService serverPort in server integration tests that call startServer with custom ports to avoid leaking global proxy runtime state Confidence: high Scope-risk: moderate Tested: bun test src/server/__tests__/h5-access-auth.test.ts --timeout 30000 Tested: bun test src/server/__tests__/h5-access-service.test.ts src/server/__tests__/h5-access-api.test.ts src/server/__tests__/settings.test.ts --timeout 30000 Tested: bun test src/server/__tests__/h5-access-auth.test.ts src/server/__tests__/conversation-service.test.ts src/server/__tests__/cron-scheduler-launcher.test.ts --timeout 30000 Tested: bun test src/server/__tests__/e2e/full-flow.test.ts --timeout 30000 Not-tested: Full non-live server gate end-to-end; an attempted broader run was interrupted after uncovering and then fixing a test-side ProviderService port leak