程序员阿江(Relakkes) fbce0225f2 Publish open H5 access recovery release
This release packages the emergency H5 token pause so upgraded users can resume desktop and browser chat without generating or carrying a token. The release notes document the temporary open-access behavior and the verification run used before tagging.

Constraint: v0.2.4 restored startup but token auth can still break chat flows for upgraded users

Rejected: Wait for a full token-auth redesign | users are actively blocked and H5 auth is not critical right now

Confidence: high

Scope-risk: narrow

Directive: Restore H5 token controls only with migration coverage and browser chat E2E

Tested: bun run scripts/release.ts 0.2.5 --dry

Tested: bun run scripts/release.ts 0.2.5

Tested: bun test src/server/__tests__/h5-access-auth.test.ts src/server/middleware/cors.test.ts

Tested: bun run check:server

Tested: bun run check:desktop
2026-05-11 17:59:55 +08:00

31 lines
1.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Claude Code Haha v0.2.5
这是一个紧急修复版本,用于临时放行 H5 访问,避免 token 鉴权继续影响聊天使用。
## Highlight
- **临时关闭 H5 token 鉴权**H5/LAN 访问默认不再要求 `Authorization` header避免升级后因 token 状态不一致导致聊天或启动失败。
## 问题修复
- 服务端不再因为绑定 `0.0.0.0` 自动开启鉴权;只有显式传入 `--auth-required``SERVER_AUTH_REQUIRED=1` 时才要求鉴权。
- 浏览器 H5 启动不再主动读取或校验 H5 token远程 URL 也会按开放访问路径连接。
- 设置页先隐藏 H5 启用开关、token 预览/重新生成、允许来源配置,只保留公开 URL 配置和复制入口。
- CORS 在 H5 token 鉴权暂停期间放行浏览器来源,避免跨来源请求继续卡在预检阶段。
## 验证
- 已新增和更新服务端回归测试,覆盖 REST、WebSocket、CORS 默认无 token 可访问,以及显式鉴权 opt-in 仍然有效。
- 已更新桌面 H5 启动和设置页测试,覆盖远程 H5 URL 不再要求 token以及设置页不再展示 token 控件。
- 已通过 `bun run check:server``bun run check:desktop`
## 安装说明
### macOS
首次打开如果提示"已损坏"或"无法验证开发者",请执行:
```bash
xattr -cr /Applications/Claude\ Code\ Haha.app
```