Merge commit from fork

* fix(security): prevent shell injection in WebSocket handler and harden auth

  - Replace hardcoded JWT secret with auto-generated per-installation secret
  - Add database validation to WebSocket authentication
  - Add token expiration (7d) with auto-refresh
  - Validate projectPath and sessionId in shell handler
  - Use cwd instead of shell string interpolation for project paths
  - Add CORS exposedHeaders for token refresh

* fix: small fix on languages
Simos Mikelatos
2026-03-10 17:23:55 +01:00
committed by GitHub
parent e52e1a2b58
commit 12e7f074d9
10 changed files with 144 additions and 77 deletions


@@ -21,6 +21,12 @@ export const authenticatedFetch = (url, options = {}) => {
...defaultHeaders,
...options.headers,
},
}).then((response) => {
const refreshedToken = response.headers.get('X-Refreshed-Token');
if (refreshedToken) {
localStorage.setItem('auth-token', refreshedToken);
}
return response;
});
};