From 8566917be100caf7e423b1d69eb32e845215356d Mon Sep 17 00:00:00 2001
From: Scott Idem
Date: Mon, 19 Jan 2026 17:19:14 -0500
Subject: [PATCH] API Hardening: Refine Bypass Logic and Enable Permissive Mode
- Hardened 'Bootstrap Paradox' bypass logic in GET/POST helpers to only strip account ID if an intentional bypass value is provided.
- Enabled 'Permissive Update Mode' (x-ae-ignore-extra-fields: true) by default to improve frontend state synchronization.
- Fixed loader hydration bug where isolated API headers were being overwritten by stale global defaults.
- Ensured correctly resolved account names persist in local state instead of defaulting to 'Ghost Account'.
- Added Environment & Bridge diagnostics section to the testing dashboard for easier runtime verification.
---
 src/lib/ae_api/api_get_object.ts | 14 ++++++++---
 src/lib/ae_api/api_post_object.ts | 14 ++++++++---
 src/routes/+layout.ts | 41 +++++++++++++++----------------
 src/routes/testing/+page.svelte | 38 +++++++++++++++++++++++++++-
 4 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/src/lib/ae_api/api_get_object.ts b/src/lib/ae_api/api_get_object.ts
index f82ea4b7..46ead7db 100644
--- a/src/lib/ae_api/api_get_object.ts
+++ b/src/lib/ae_api/api_get_object.ts
@@ -69,9 +69,17 @@ export const get_object = async function get_object({
 // Handle "Bootstrap Paradox" for unauthenticated requests
 if (merged_headers.hasOwnProperty('x-no-account-id')) {
- delete merged_headers['x-account-id'];
- if (merged_headers['x-no-account-id'] === null) {
- merged_headers['x-no-account-id'] = 'Nothing to See Here';
+ const bypass_val = merged_headers['x-no-account-id'];
+ const is_valid_bypass = bypass_val === 'bypass' ||
+ bypass_val === 'Nothing to See Here' ||
+ bypass_val === 'direct-download';
+
+ if (is_valid_bypass) {
+ if (log_lvl > 1) console.log('api_get_object: Valid bypass detected. Stripping account ID context.');
+ delete merged_headers['x-account-id'];
+ } else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
+ if (log_lvl > 1) console.log('api_get_object: Placeholder bypass detected. Preserving account ID context.');
+ delete merged_headers['x-no-account-id'];
 }
 }
diff --git a/src/lib/ae_api/api_post_object.ts b/src/lib/ae_api/api_post_object.ts
index 527f8393..1d7fb78f 100644
--- a/src/lib/ae_api/api_post_object.ts
+++ b/src/lib/ae_api/api_post_object.ts
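Review bot: In api_get_object.ts, a `bypass_val` that is in neither list (an empty string, a misspelt value, any other string a caller passes) skips both branches, so the request leaves with `x-account-id` and `x-no-account-id` set together and the outcome depends on which one the server honours. Failing closed is a one-line change: make the second branch a plain `} else {` so that anything other than an explicit bypass value drops `x-no-account-id` and keeps the account context. The same fall-through is in the api_post_object.ts hunk. These literals are only compared on the client, so the API presumably needs to enforce its own allow-list; this check is a convenience, not the control. get_object starts and ends outside the hunk.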
@@ -72,9 +72,17 @@ export const post_object = async function post_object({
 // Handle "Bootstrap Paradox" for unauthenticated requests
 if (merged_headers.hasOwnProperty('x-no-account-id')) {
- delete merged_headers['x-account-id'];
- if (merged_headers['x-no-account-id'] === null) {
- merged_headers['x-no-account-id'] = 'Nothing to See Here';
+ const bypass_val = merged_headers['x-no-account-id'];
+ const is_valid_bypass = bypass_val === 'bypass' ||
+ bypass_val === 'Nothing to See Here' ||
+ bypass_val === 'direct-download';
+
+ if (is_valid_bypass) {
+ if (log_lvl > 1) console.log('api_post_object: Valid bypass detected. Stripping account ID context.');
+ delete merged_headers['x-account-id'];
+ } else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
+ if (log_lvl > 1) console.log('api_post_object: Placeholder bypass detected. Preserving account ID context.');
+ delete merged_headers['x-no-account-id'];
 }
 }
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
index 05fbb6c6..6ae86dd0 100644
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -42,18 +42,12 @@ const ae_api_init: key_val = {
 account_id: ae_account_id
 };
-const ae_api_headers: key_val = {};
-ae_api_headers['Access-Control-Allow-Origin'] = '*';
-ae_api_headers['Content-Type'] = 'application/json';
-ae_api_headers['x-aether-api-key'] = ae_api_init.api_secret_key;
-ae_api_headers['x-aether-api-token'] = 'fake-temp-token';
-ae_api_headers['x-aether-api-expire-on'] = '';
-if (ae_account_id) {
- ae_api_headers['x-account-id'] = ae_account_id;
-}
-if (ae_no_account_id) {
- ae_api_headers['x-no-account-id'] = ae_no_account_id;
-}
+const ae_api_headers: key_val = {
+ 'Access-Control-Allow-Origin': '*',
+ 'Content-Type': 'application/json',
+ 'x-aether-api-key': api_secret_key,
+ 'x-ae-ignore-extra-fields': 'true'
+};
 ae_api_init['headers'] = ae_api_headers;
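Review bot: The bypass block added to api_post_object.ts is a copy of the one in api_get_object.ts with only the log prefix changed, so the list of accepted bypass values now lives in two files that can drift apart. Moving it into one shared helper that both functions call keeps GET and POST in step; the sketch below keeps the patch's behaviour as it is, and the helper name and location are a proposal, not existing code. post_object starts and ends outside the hunk.

```typescript
// proposed shared helper under src/lib/ae_api/ (name is a suggestion)
const BYPASS_VALUES = ['bypass', 'Nothing to See Here', 'direct-download'];

export function apply_account_bypass(
	merged_headers: Record<string, unknown>,
	log_lvl: number,
	caller: string
): void {
	if (!Object.prototype.hasOwnProperty.call(merged_headers, 'x-no-account-id')) return;
	const bypass_val = merged_headers['x-no-account-id'];
	if (typeof bypass_val === 'string' && BYPASS_VALUES.includes(bypass_val)) {
		if (log_lvl > 1) console.log(`${caller}: Valid bypass detected. Stripping account ID context.`);
		delete merged_headers['x-account-id'];
	} else if (bypass_val == null || bypass_val === 'No_Account_ID_Here') {
		if (log_lvl > 1) console.log(`${caller}: Placeholder bypass detected. Preserving account ID context.`);
		delete merged_headers['x-no-account-id'];
	}
}

// in post_object (and get_object), replacing the inline block:
apply_account_bypass(merged_headers, log_lvl, 'api_post_object');
```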
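Review bot: `'x-ae-ignore-extra-fields': 'true'` sits in the shared `ae_api_headers` defaults in +layout.ts, so permissive mode applies to every request built from them rather than to the updates that need it; if the server honours the header as its name suggests, payloads with unexpected fields are no longer rejected anywhere. Consider leaving it out of the defaults and setting it per call on the update paths, with a comment such as `// permissive update: server drops unknown fields instead of rejecting`. Separately, `'Access-Control-Allow-Origin': '*'` is a response header; on a request it grants nothing and only makes cross-origin calls non-simple. `api_secret_key` is now a bare identifier where the removed line read `ae_api_init.api_secret_key`; its declaration is outside the hunk, so confirm it is in scope.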
@@ -63,7 +57,10 @@ export async function load({ fetch, params, parent, route, url }) {
 let account_id: any;
 const ae_acct: key_val = {
- api: ae_api_init,
+ api: {
+ ...ae_api_init,
+ headers: { ...ae_api_headers } // Local clone
+ },
 ds: {},
 loc: {
 account_id: '',
@@ -113,13 +110,14 @@ export async function load({ fetch, params, parent, route, url }) {
 try {
 if (log_lvl) console.log(`ROOT LOAD: Starting site lookup V3 for ${fqdn}...`);
- // Use dedicated Agent Key for Bootstrap if available, otherwise fallback to standard key
+ // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
 const bootstrap_api_cfg = {
 ...ae_api_init,
- api_secret_key: 'IDF68Em5X4HTZlswRNgepQ', // Dedicated Agent Bootstrap Key
+ api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
 headers: {
 ...ae_api_init.headers,
- 'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ'
+ 'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
+ 'x-no-account-id': ae_no_account_id || 'bypass'
 }
 };
@@ -162,10 +160,9 @@ export async function load({ fetch, params, parent, route, url }) {
 if (log_lvl) console.log(`ROOT LOAD: Using account_id: ${account_id}`);
- ae_api_init['account_id'] = account_id;
- ae_api_init['headers']['x-account-id'] = account_id;
-
- ae_api_headers['x-account-id'] = account_id;
+ // Update the local clones
+ ae_acct.api.account_id = account_id;
+ ae_acct.api.headers['x-account-id'] = account_id;
 ae_loc_init['account_id'] = account_id;
 ae_loc_init['account_code'] = json_data.account_code || 'ghost';
@@ -217,7 +214,9 @@ export async function load({ fetch, params, parent, route, url }) {
 // });
 // }
- ae_acct['api'] = ae_api_init;
+ ae_loc_init['account_name'] = json_data.account_name || 'Account Name Not Set';
+
+ // ae_acct['api'] = ae_api_init; // DO NOT USE: This overwrites our isolated clone from line 65
 ae_acct['loc'] = ae_loc_init;
 ae_acct['ds'] = ds_code_li;
 ae_acct['slct'] = {
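Review bot: The bootstrap key in `bootstrap_api_cfg` is still a string literal on both changed lines (`api_secret_key` and `'x-aether-api-key'`), and because +layout.ts is a universal load file the value presumably reaches the client bundle as well as the repository history. With the added `'x-no-account-id': ae_no_account_id || 'bypass'`, this request carries a shared key and no account context, so the server should scope that key to the site lookup alone and the committed value should be rotated. If the key is meant to be private, move the lookup to `+layout.server.ts` and read it from `$env/static/private` instead of the source. Also check the fallback: when `ae_no_account_id` holds the placeholder `'No_Account_ID_Here'`, `||` keeps it, and if the lookup goes through the GET/POST helpers they then delete the bypass header, which looks unintended for this call. `load` starts and ends outside the hunk.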
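Review bot: The added `ae_loc_init['account_name'] = ...` in the last +layout.ts hunk writes per-request account data into `ae_loc_init`, whose declaration is outside the hunk; if it is module-level like `ae_api_init`, it keeps the shared-state problem this commit removes for the API headers, and under SSR one request's account fields could be visible to another. Cloning it at the top of `load`, in the same way `ae_acct.api` is now cloned (`const loc = { ...ae_loc_init };`), would keep the writes per-load. The commented-out `// ae_acct['api'] = ae_api_init;` is dead code and its "line 65" reference will go stale; delete it and put a one-line reason next to the clone, e.g. `// per-load clone: never reassign ae_acct.api from module-level ae_api_init`.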
diff --git a/src/routes/testing/+page.svelte b/src/routes/testing/+page.svelte
index 8fb847f7..7771bf2d 100644
--- a/src/routes/testing/+page.svelte
+++ b/src/routes/testing/+page.svelte
@@ -28,7 +28,8 @@
 ArrowRightLeft,
 Code,
 FlaskConical,
- Info
+ Info,
+ Satellite
 } from 'lucide-svelte';
 // Core Module Imports
@@ -36,6 +37,7 @@
 import { lookup_site_domain_v3 } from '$lib/ae_core/ae_core__site';
 import { load_ae_obj_id__user } from '$lib/ae_core/ae_core__user';
 import { db_core } from '$lib/ae_core/db_core';
+ import { events_loc } from '$lib/stores/ae_events_stores';
 // State Variables
 let test_result: any = $state(null);
@@ -174,6 +176,10 @@
 return await response.json();
 });
+ // Environment Diagnostics
+ let is_native = $derived(typeof window !== 'undefined' && !!(window as any).native_app);
+ let app_mode = $derived($events_loc?.launcher?.app_mode || 'web');
+
@@ -208,6 +214,36 @@
+ +
+
+
+ +

Environment & Bridge Diagnostics

+
+ + Runtime: {is_native ? 'Electron' : 'Web Browser'} + +
+
+
+ App Mode + {app_mode} +
+
+ Bridge Detected +
+
+ {is_native ? 'Active' : 'Missing / Inactive'} +
+
+
+ Bootstrap Host + {$ae_loc.hostname || '--'} +
+
+
+