Fix : noAuth support for providers and adjusted MITM restart settings.

2026-04-14 10:14:50 +07:00 · 2026-04-14 10:14:50 +07:00 · 6a6e2fcd77
commit 6a6e2fcd77
parent 7959fd37ad
9 changed files with 23 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,8 @@
+# v0.3.89 (2026-04-13)
+
+## Improvements
+- Improved dashboard access control by blocking tunnel/Tailscale access when disabled
+
 # v0.3.87 (2026-04-13)

 ## Fixes
--- a/open-sse/config/providers.js
+++ b/open-sse/config/providers.js
@ -335,6 +335,7 @@ export const PROVIDERS = {
  opencode: {
    baseUrl: "https://opencode.ai",
    format: "openai",
-    headers: { "x-opencode-client": "desktop" }
+    headers: { "x-opencode-client": "desktop" },
+    noAuth: true
  },
 };
--- a/open-sse/executors/base.js
+++ b/open-sse/executors/base.js
@ -8,6 +8,7 @@ export class BaseExecutor {
  constructor(provider, config) {
    this.provider = provider;
    this.config = config;
+    this.noAuth = config?.noAuth || false;
  }

  getProvider() {
--- a/open-sse/handlers/chatCore.js
+++ b/open-sse/handlers/chatCore.js
@ -172,8 +172,8 @@ export async function handleChatCore({ body, modelInfo, credentials, log, onCred
    return createErrorResult(HTTP_STATUS.BAD_GATEWAY, errMsg);
  }

-  // Handle 401/403 - try token refresh
-  if (providerResponse.status === HTTP_STATUS.UNAUTHORIZED || providerResponse.status === HTTP_STATUS.FORBIDDEN) {
+  // Handle 401/403 - try token refresh (skip for noAuth providers)
+  if (!executor.noAuth && (providerResponse.status === HTTP_STATUS.UNAUTHORIZED || providerResponse.status === HTTP_STATUS.FORBIDDEN)) {
    try {
      const newCredentials = await refreshWithRetry(() => executor.refreshCredentials(credentials, log), 3, log);
      if (newCredentials?.accessToken || newCredentials?.copilotToken) {
--- a/open-sse/handlers/embeddingsCore.js
+++ b/open-sse/handlers/embeddingsCore.js
@ -228,12 +228,13 @@ export async function handleEmbeddingsCore({
    return createErrorResult(HTTP_STATUS.BAD_GATEWAY, errMsg);
  }

-  // Handle 401/403 — try token refresh
+  // Handle 401/403 — try token refresh (skip for noAuth providers)
+  const executor = getExecutor(provider);
  if (
-    providerResponse.status === HTTP_STATUS.UNAUTHORIZED ||
-    providerResponse.status === HTTP_STATUS.FORBIDDEN
+    !executor.noAuth &&
+    (providerResponse.status === HTTP_STATUS.UNAUTHORIZED ||
+    providerResponse.status === HTTP_STATUS.FORBIDDEN)
  ) {
-    const executor = getExecutor(provider);
    const newCredentials = await refreshWithRetry(
      () => executor.refreshCredentials(credentials, log),
      3,
--- a/src/app/(dashboard)/dashboard/providers/[id]/page.js
+++ b/src/app/(dashboard)/dashboard/providers/[id]/page.js
@ -865,7 +865,7 @@ export default function ProviderDetailPage() {
            <h2 className="text-lg font-semibold">Connections</h2>
            <div className="flex items-center gap-4">
              {/* Thinking config */}
-              {/* {thinkingConfig && (
+              {thinkingConfig && (
                <div className="flex items-center gap-2">
                  <span className="text-xs text-text-muted font-medium">Thinking</span>
                  <select
@ -878,7 +878,7 @@ export default function ProviderDetailPage() {
                    ))}
                  </select>
                </div>
-              )} */}
+              )}
              {/* Round Robin toggle */}
              <div className="flex items-center gap-2">
                <span className="text-xs text-text-muted font-medium">Round Robin</span>
--- a/src/app/api/settings/require-login/route.js
+++ b/src/app/api/settings/require-login/route.js
@ -5,7 +5,7 @@ export async function GET() {
  try {
    const settings = await getSettings();
    const requireLogin = settings.requireLogin !== false;
-    const tunnelDashboardAccess = settings.tunnelDashboardAccess === true;
+    const tunnelDashboardAccess = settings.tunnelDashboardAccess !== false;
    const tunnelUrl = settings.tunnelUrl || "";
    const tailscaleUrl = settings.tailscaleUrl || "";
    return NextResponse.json({ requireLogin, tunnelDashboardAccess, tunnelUrl, tailscaleUrl });
--- a/src/dashboardGuard.js
+++ b/src/dashboardGuard.js
@ -74,7 +74,7 @@ export async function proxy(request) {
  if (pathname.startsWith("/dashboard")) {
    const origin = request.nextUrl.origin;
    let requireLogin = true;
-    let tunnelDashboardAccess = false;
+    let tunnelDashboardAccess = true;

    try {
      const res = await fetch(`${origin}/api/settings/require-login`);
--- a/src/mitm/manager.js
+++ b/src/mitm/manager.js
@ -40,8 +40,8 @@ const MITM_PORT = 443;
 const MITM_WIN_NODE_PORT = 8443;
 const PID_FILE = path.join(MITM_DIR, ".mitm.pid");

-const MITM_MAX_RESTARTS = 5;
-const MITM_RESTART_DELAYS_MS = [5000, 10000, 20000, 30000, 60000];
+const MITM_MAX_RESTARTS = 2;
+const MITM_RESTART_DELAYS_MS = [5000, 10000];
 const MITM_RESTART_RESET_MS = 60000;

 let mitmRestartCount = 0;
@ -323,7 +323,8 @@ async function scheduleMitmRestart(apiKey) {
  if (aliveMs >= MITM_RESTART_RESET_MS) mitmRestartCount = 0;

  if (mitmRestartCount >= MITM_MAX_RESTARTS) {
-    err("Max restart attempts reached. Giving up.");
+    err("Max restart attempts reached. Auto-disabling MITM.");
+    await saveMitmSettings(false, null);
    return;
  }