Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

API Hardening: Refine Bypass Logic and Enable Permissive Mode

Browse Source 
- Hardened 'Bootstrap Paradox' bypass logic in GET/POST helpers to only strip account ID if an intentional bypass value is provided.
- Enabled 'Permissive Update Mode' (x-ae-ignore-extra-fields: true) by default to improve frontend state synchronization.
- Fixed loader hydration bug where isolated API headers were being overwritten by stale global defaults.
- Ensured correctly resolved account names persist in local state instead of defaulting to 'Ghost Account'.
- Added Environment & Bridge diagnostics section to the testing dashboard for easier runtime verification.
This commit is contained in:
Scott Idem
2026-01-19 17:19:14 -05:00
parent 25d6503afe
commit 8566917be1
4 changed files with 79 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/lib/ae_api/api_get_object.ts
View File

@@ -69,9 +69,17 @@ export const get_object = async function get_object({
// Handle "Bootstrap Paradox" for unauthenticated requests // Handle "Bootstrap Paradox" for unauthenticated requests
if (merged_headers.hasOwnProperty('x-no-account-id')) { if (merged_headers.hasOwnProperty('x-no-account-id')) {
delete merged_headers['x-account-id']; const bypass_val = merged_headers['x-no-account-id'];
if (merged_headers['x-no-account-id'] === null) { const is_valid_bypass = bypass_val === 'bypass' ||
merged_headers['x-no-account-id'] = 'Nothing to See Here'; bypass_val === 'Nothing to See Here' ||
bypass_val === 'direct-download';
if (is_valid_bypass) {
if (log_lvl > 1) console.log('api_get_object: Valid bypass detected. Stripping account ID context.');
delete merged_headers['x-account-id'];
} else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
if (log_lvl > 1) console.log('api_get_object: Placeholder bypass detected. Preserving account ID context.');
delete merged_headers['x-no-account-id'];
} }
} }

14
src/lib/ae_api/api_post_object.ts
View File

@@ -72,9 +72,17 @@ export const post_object = async function post_object({
// Handle "Bootstrap Paradox" for unauthenticated requests // Handle "Bootstrap Paradox" for unauthenticated requests
if (merged_headers.hasOwnProperty('x-no-account-id')) { if (merged_headers.hasOwnProperty('x-no-account-id')) {
delete merged_headers['x-account-id']; const bypass_val = merged_headers['x-no-account-id'];
if (merged_headers['x-no-account-id'] === null) { const is_valid_bypass = bypass_val === 'bypass' ||
merged_headers['x-no-account-id'] = 'Nothing to See Here'; bypass_val === 'Nothing to See Here' ||
bypass_val === 'direct-download';
if (is_valid_bypass) {
if (log_lvl > 1) console.log('api_post_object: Valid bypass detected. Stripping account ID context.');
delete merged_headers['x-account-id'];
} else if (bypass_val === null || bypass_val === undefined || bypass_val === 'No_Account_ID_Here') {
if (log_lvl > 1) console.log('api_post_object: Placeholder bypass detected. Preserving account ID context.');
delete merged_headers['x-no-account-id'];
} }
} }

41
src/routes/+layout.ts
View File

@@ -42,18 +42,12 @@ const ae_api_init: key_val = {
account_id: ae_account_id account_id: ae_account_id
}; };
const ae_api_headers: key_val = {}; const ae_api_headers: key_val = {
ae_api_headers['Access-Control-Allow-Origin'] = '*'; 'Access-Control-Allow-Origin': '*',
ae_api_headers['Content-Type'] = 'application/json'; 'Content-Type': 'application/json',
ae_api_headers['x-aether-api-key'] = ae_api_init.api_secret_key; 'x-aether-api-key': api_secret_key,
ae_api_headers['x-aether-api-token'] = 'fake-temp-token'; 'x-ae-ignore-extra-fields': 'true'
ae_api_headers['x-aether-api-expire-on'] = ''; };
if (ae_account_id) {
ae_api_headers['x-account-id'] = ae_account_id;
}
if (ae_no_account_id) {
ae_api_headers['x-no-account-id'] = ae_no_account_id;
}
ae_api_init['headers'] = ae_api_headers; ae_api_init['headers'] = ae_api_headers;
@@ -63,7 +57,10 @@ export async function load({ fetch, params, parent, route, url }) {
let account_id: any; let account_id: any;
const ae_acct: key_val = { const ae_acct: key_val = {
api: ae_api_init, api: {
...ae_api_init,
headers: { ...ae_api_headers } // Local clone
},
ds: {}, ds: {},
loc: { loc: {
account_id: '', account_id: '',
@@ -113,13 +110,14 @@ export async function load({ fetch, params, parent, route, url }) {
try { try {
if (log_lvl) console.log(`ROOT LOAD: Starting site lookup V3 for ${fqdn}...`); if (log_lvl) console.log(`ROOT LOAD: Starting site lookup V3 for ${fqdn}...`);
// Use dedicated Agent Key for Bootstrap if available, otherwise fallback to standard key // Use dedicated Agent Key for Bootstrap and include the unauthenticated bypass header ONLY for this request
const bootstrap_api_cfg = { const bootstrap_api_cfg = {
...ae_api_init, ...ae_api_init,
api_secret_key: 'IDF68Em5X4HTZlswRNgepQ', // Dedicated Agent Bootstrap Key api_secret_key: 'IDF68Em5X4HTZlswRNgepQ',
headers: { headers: {
...ae_api_init.headers, ...ae_api_init.headers,
'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ' 'x-aether-api-key': 'IDF68Em5X4HTZlswRNgepQ',
'x-no-account-id': ae_no_account_id || 'bypass'
} }
}; };
@@ -162,10 +160,9 @@ export async function load({ fetch, params, parent, route, url }) {
if (log_lvl) console.log(`ROOT LOAD: Using account_id: ${account_id}`); if (log_lvl) console.log(`ROOT LOAD: Using account_id: ${account_id}`);
ae_api_init['account_id'] = account_id; // Update the local clones
ae_api_init['headers']['x-account-id'] = account_id; ae_acct.api.account_id = account_id;
ae_acct.api.headers['x-account-id'] = account_id;
ae_api_headers['x-account-id'] = account_id;
ae_loc_init['account_id'] = account_id; ae_loc_init['account_id'] = account_id;
ae_loc_init['account_code'] = json_data.account_code || 'ghost'; ae_loc_init['account_code'] = json_data.account_code || 'ghost';
@@ -217,7 +214,9 @@ export async function load({ fetch, params, parent, route, url }) {
// }); // });
// } // }
ae_acct['api'] = ae_api_init; ae_loc_init['account_name'] = json_data.account_name || 'Account Name Not Set';
// ae_acct['api'] = ae_api_init; // DO NOT USE: This overwrites our isolated clone from line 65
ae_acct['loc'] = ae_loc_init; ae_acct['loc'] = ae_loc_init;
ae_acct['ds'] = ds_code_li; ae_acct['ds'] = ds_code_li;
ae_acct['slct'] = { ae_acct['slct'] = {

38
src/routes/testing/+page.svelte
View File

@@ -28,7 +28,8 @@
ArrowRightLeft, ArrowRightLeft,
Code, Code,
FlaskConical, FlaskConical,
Info Info,
Satellite
} from 'lucide-svelte'; } from 'lucide-svelte';
// Core Module Imports // Core Module Imports
@@ -36,6 +37,7 @@
import { lookup_site_domain_v3 } from '$lib/ae_core/ae_core__site'; import { lookup_site_domain_v3 } from '$lib/ae_core/ae_core__site';
import { load_ae_obj_id__user } from '$lib/ae_core/ae_core__user'; import { load_ae_obj_id__user } from '$lib/ae_core/ae_core__user';
import { db_core } from '$lib/ae_core/db_core'; import { db_core } from '$lib/ae_core/db_core';
import { events_loc } from '$lib/stores/ae_events_stores';
// State Variables // State Variables
let test_result: any = $state(null); let test_result: any = $state(null);
@@ -174,6 +176,10 @@
return await response.json(); return await response.json();
}); });
// Environment Diagnostics
let is_native = $derived(typeof window !== 'undefined' && !!(window as any).native_app);
let app_mode = $derived($events_loc?.launcher?.app_mode || 'web');
</script> </script>
<!-- Outer wrapper to enable scrolling if parent is overflow-hidden --> <!-- Outer wrapper to enable scrolling if parent is overflow-hidden -->
@@ -208,6 +214,36 @@
<div class="grid grid-cols-1 xl:grid-cols-[1fr_400px] gap-8"> <div class="grid grid-cols-1 xl:grid-cols-[1fr_400px] gap-8">
<main class="space-y-6"> <main class="space-y-6">
<!-- Environment & Bridge Card -->
<div class="card p-6 variant-soft-tertiary space-y-4 border border-gray-500 shadow-lg">
<header class="flex justify-between items-center border-b border-gray-500 pb-3">
<div class="flex items-center gap-2 text-tertiary-700 dark:text-tertiary-300">
<Satellite size={20} />
<h3 class="h3 font-bold">Environment & Bridge Diagnostics</h3>
</div>
<span class="badge variant-filled-tertiary font-mono p-2 uppercase">
Runtime: {is_native ? 'Electron' : 'Web Browser'}
</span>
</header>
<div class="grid grid-cols-1 md:grid-cols-3 gap-4">
<div class="flex flex-col p-3 bg-gray-500/10 rounded" title="The current logic mode of the application (e.g. native, onsite, web).">
<span class="text-[10px] uppercase opacity-50 font-bold">App Mode</span>
<span class="text-sm font-bold text-tertiary-600 dark:text-tertiary-400 uppercase tracking-widest">{app_mode}</span>
</div>
<div class="flex flex-col p-3 bg-gray-500/10 rounded" title="Presence of window.native_app bridge object.">
<span class="text-[10px] uppercase opacity-50 font-bold">Bridge Detected</span>
<div class="flex items-center gap-2">
<div class="w-2 h-2 rounded-full {is_native ? 'bg-success-500 animate-pulse' : 'bg-surface-500'}"></div>
<span class="text-sm font-semibold">{is_native ? 'Active' : 'Missing / Inactive'}</span>
</div>
</div>
<div class="flex flex-col p-3 bg-gray-500/10 rounded" title="The host string being used for bootstrap site resolution.">
<span class="text-[10px] uppercase opacity-50 font-bold">Bootstrap Host</span>
<span class="font-mono text-xs truncate">{$ae_loc.hostname || '--'}</span>
</div>
</div>
</div>
<!-- Session Context Card --> <!-- Session Context Card -->
<div class="card p-6 variant-soft-surface space-y-4 border border-gray-500 shadow-lg"> <div class="card p-6 variant-soft-surface space-y-4 border border-gray-500 shadow-lg">
<header class="flex justify-between items-center border-b border-gray-500 pb-3"> <header class="flex justify-between items-center border-b border-gray-500 pb-3">