From f3a980bb2e2ce6c6fe05bc68c1757135ad654d26 Mon Sep 17 00:00:00 2001
From: ekko
Date: Mon, 20 Apr 2026 15:21:47 +0800
Subject: [PATCH] fix: patch auth bypass via case-sensitive path matching (#77)

- Normalize request path to lowercase before auth check to prevent bypassing authentication with uppercase paths like /API/hermes/sessions
- Auto-restart server after in-page update via detached hermes-web-ui restart

Closes #77

Co-Authored-By: Claude Opus 4.6
---
 packages/server/src/index.ts | 11 ++++++++++-
 packages/server/src/services/auth.ts | 2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index d883d574..2bdb6ff5 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -99,7 +99,16 @@ export async function bootstrap() {
 })
 ctx.body = { success: true, message: output.trim() }
 // Restart the server after response is sent
-setTimeout(() => process.exit(0), 1000)
+setTimeout(() => {
+const { spawn } = require('child_process')
+const isWin = process.platform === 'win32'
+spawn(isWin ? 'cmd' : 'sh', isWin ? ['/c', 'hermes-web-ui restart'] : ['-c', 'hermes-web-ui restart'], {
+detached: true,
+stdio: 'ignore',
+windowsHide: true,
+}).unref()
+process.exit(0)
+}, 2000)
 } catch (err: any) {
 ctx.status = 500
 ctx.body = { success: false, message: err.stderr || err.message }
diff --git a/packages/server/src/services/auth.ts b/packages/server/src/services/auth.ts
index 4db4b2f2..55f66eee 100644
--- a/packages/server/src/services/auth.ts
+++ b/packages/server/src/services/auth.ts
@@ -48,7 +48,7 @@ export async function authMiddleware(token: string | null) {
 }
 
 // Skip non-API paths (static files, health check, SPA)
-const path = ctx.path
+const path = ctx.path.toLowerCase()
 if (
 path === '/health' ||
 (!path.startsWith('/api') && !path.startsWith('/v1') && path !== '/webhook')
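Review bot: The restart callback uses `require('child_process')` inside a TypeScript module that otherwise uses `import`; if this package is built as ESM, `require` is not defined at runtime and the callback throws after the response has already been sent, so the update would report success while the server neither restarts nor records why. Hoist it to a top-level `import { spawn } from 'node:child_process'` instead. The detached child is also never observed: with `stdio: 'ignore'`, `.unref()` and an immediate `process.exit(0)`, a spawn failure (for example `hermes-web-ui` not being resolvable on the service account's PATH) emits an 'error' event that nothing listens for, and the failure mode is a silently dead service; consider invoking the restart command by an absolute path derived from the package's own install location and logging the attempt before exiting. The enclosing route handler inside `bootstrap()` starts and ends outside the hunk.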
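Review bot: Lowercasing `ctx.path` closes the reported case-variant bypass, but the condition that follows still fails open: any request whose path does not start with `/api` or `/v1` and is not exactly `/webhook` skips authentication, so the fix only holds as long as this prefix list and the router's own matching normalize paths identically (note the `/webhook` test is an exact comparison while the API tests are prefix checks, so a trailing-slash variant is treated as public here even if the router accepts it). A default-deny shape is more robust: keep an explicit allowlist of public paths (`/health` plus the static/SPA asset prefixes) and require the token for every other request, so any mismatch between this check and the router fails closed rather than open. The lowercased `path` should also be used only for this comparison; if it is reused later in `authMiddleware` for routing or logging, the original-case value is the one to pass on. A regression test that sends `/API/hermes/sessions` and `/Api/hermes/sessions` without a token and expects 401 would pin the fix. `authMiddleware` starts and ends outside the hunk.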