fix: improve error handling for workspace switch and support --host 0.0.0.0

- Add safeParseJson() helper with content-type validation and proxy error detection - Allow token acquisition from any interface when server binds to 0.0.0.0 or :: - Provide clear error messages when proxy intercepts localhost requests
2026-03-07 16:41:06 +08:00 · 2026-03-04 13:59:56 +08:00
parent 91fa594578
commit fb0f56bfc0
3 changed files with 76 additions and 6 deletions
--- a/ccw/src/core/server.ts
+++ b/ccw/src/core/server.ts
@@ -51,7 +51,7 @@ import { handleSpecRoutes } from './routes/spec-routes.js';
 import { handleWebSocketUpgrade, broadcastToClients, extractSessionIdFromPath } from './websocket.js';

 import { getTokenManager } from './auth/token-manager.js';
-import { authMiddleware, isLocalhostRequest, setAuthCookie } from './auth/middleware.js';
+import { authMiddleware, isLocalhostRequest, isWildcardHost, setAuthCookie } from './auth/middleware.js';
 import { getCorsOrigin } from './cors.js';
 import { csrfValidation } from './auth/csrf-middleware.js';
 import { getCsrfTokenManager } from './auth/csrf-manager.js';
@@ -418,9 +418,11 @@ export async function startServer(options: ServerOptions = {}): Promise<http.Ser
        server
      };

-      // Token acquisition endpoint (localhost-only)
+      // Token acquisition endpoint (localhost-only, or any interface when bound to 0.0.0.0)
      if (pathname === '/api/auth/token') {
-        if (!isLocalhostRequest(req)) {
+        // Allow from any interface when server is bound to 0.0.0.0 or ::
+        const allowAllInterfaces = isWildcardHost(host);
+        if (!isLocalhostRequest(req, allowAllInterfaces)) {
          res.writeHead(403, { 'Content-Type': 'application/json; charset=utf-8' });
          res.end(JSON.stringify({ error: 'Forbidden' }));
          return;