d8dfun/claudecodeui
1
0
Fork 0
mirror of https://github.com/siteboon/claudecodeui.git synced 2026-06-26 13:35:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(voice): separate client and server backends

Browse Source 
User-selected backend URLs must remain usable without letting clients control server requests.

Call custom providers from the browser while keeping the server proxy bound to its configured host.

This restores voice controls for frontend settings without reopening the SSRF path.
This commit is contained in:
Haileyesus
2026-06-25 17:10:42 +03:00
parent 43c0cca96e
commit 0e6373305b
7 changed files with 86 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
server/voice-proxy.js
View File

@@ -29,7 +29,9 @@ const ENV = {
function resolveConfig(req) {
const h = req.headers;
return {
baseUrl: (String(h['x-voice-base-url'] || '') || ENV.baseUrl).replace(/\/$/, ''),
// Security: do not allow clients to control the outbound backend host.
// Always use the server-side configured base URL.
baseUrl: ENV.baseUrl,
apiKey: String(h['x-voice-api-key'] || '') || ENV.apiKey,
sttModel: String(h['x-voice-stt-model'] || '') || ENV.sttModel,
ttsModel: String(h['x-voice-tts-model'] || '') || ENV.ttsModel,