
Function readDesktopSsoSafely

packages/core/src/server/auth.ts:269–290  ·  view source on GitHub ↗

Read the desktop-SSO broker file, but only if the request is plausibly from the Electron desktop app *and* coming from the local machine. The broker file lives in the user's home directory and trusts the local trust boundary — a non-loopback request that pretends to be Electron via …

(
  event: H3Event,
)


267 * Returns null when the safety checks fail or the file isn't present.
268 */
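/**
 * Return true when `ip` denotes the local loopback interface.
 *
 * Accepts the whole 127.0.0.0/8 range, `::1`, and the IPv4-mapped IPv6
 * form `::ffff:127.x.x.x`. A zone id suffix (e.g. "fe80::1%en0") is
 * ignored. Anything else — including an empty string for "address could
 * not be determined" — is *not* loopback, so callers fail closed.
 *
 * @param ip - Peer address as reported by the transport layer.
 * @returns Whether the address is a loopback address.
 */
function isLoopbackAddress(ip: string): boolean {
  // Drop an optional zone id before comparing.
  let candidate = ip.split("%")[0] ?? "";
  // Unwrap the IPv4-mapped form so the full 127/8 range is recognised,
  // not only ::ffff:127.0.0.1.
  const mappedPrefix = "::ffff:";
  if (candidate.toLowerCase().startsWith(mappedPrefix)) {
    candidate = candidate.slice(mappedPrefix.length);
  }
  return candidate === "::1" || candidate.startsWith("127.");
}

/**
 * Read the desktop-SSO broker file only when the request plausibly comes
 * from the Electron desktop app running on this same machine.
 *
 * Gates, in order, all of which fail closed:
 * 1. never in production — the broker is a development-only convenience;
 * 2. the request must look like it originates from Electron
 *    (`isElectronRequest`); that signal alone is client-controlled, so
 * 3. the peer address must be loopback. The address comes from
 *    `getRequestIP(event)` called *without* the `xForwardedFor` option,
 *    so a client-supplied `X-Forwarded-For` header cannot satisfy this
 *    check — keep it that way.
 *
 * @param event - The incoming h3 request.
 * @returns The broker contents from `readDesktopSso`, or null when any
 *   check fails or the file is not present.
 */
async function readDesktopSsoSafely(
  event: H3Event,
): Promise<Awaited<ReturnType<typeof readDesktopSso>>> {
  if (process.env.NODE_ENV === "production") return null;
  if (!isElectronRequest(event)) return null;

  let ip: string | undefined;
  try {
    ip = getRequestIP(event) ?? undefined;
  } catch {
    // An undeterminable peer address is treated as non-loopback below.
    ip = undefined;
  }
  if (!isLoopbackAddress(ip ?? "")) return null;

  return await readDesktopSso();
}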
291
292/**
293 * Extract the framework session token from a Better Auth response's
