EverShelf

morgane/EverShelf

Fork 0

Commit Graph

Author	SHA1	Message	Date
dadaloop82	d33b0ca2fe	Harden security, modularize API bootstrap, and fix scale SSE auth. Block web access to sensitive paths, require API_TOKEN for mutations, encrypt GitHub issue credentials in .env, auto-provision tokens for same-origin clients, and pass api_token in scale relay URLs since EventSource cannot send headers. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-03 18:04:19 +00:00
dadaloop82	099a6cc4e8	fix: HTTPS/WebSocket mixed-content — add PHP SSE relay for scale gateway The browser (HTTPS) cannot connect to ws:// directly (mixed-content block). Solution: PHP SSE relay bridges the gap server-side. - api/scale_relay.php: GET ?url=ws://ip:port PHP opens WS connection to Android gateway, streams JSON frames as Server-Sent Events to the browser over existing HTTPS connection. Includes WS handshake, masked client frames, frame decoder, keep-alive. - api/scale_ping.php: GET ?url=ws://ip:port One-shot connectivity test, returns {"ok":true} or {"ok":false,"error"}. - app.js: WebSocket -> EventSource (SSE) _scaleWs -> _scaleEs, connects to /api/scale_relay.php testScaleConnection() -> fetch /api/scale_ping.php (no more direct ws://) readScaleWeight(): removed get_weight send (scale streams continuously)	2026-04-15 20:31:54 +00:00

Author

SHA1

Message

Date

dadaloop82

d33b0ca2fe

Harden security, modularize API bootstrap, and fix scale SSE auth.

Block web access to sensitive paths, require API_TOKEN for mutations, encrypt GitHub issue credentials in .env, auto-provision tokens for same-origin clients, and pass api_token in scale relay URLs since EventSource cannot send headers.

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-06-03 18:04:19 +00:00

dadaloop82

099a6cc4e8

fix: HTTPS/WebSocket mixed-content — add PHP SSE relay for scale gateway

The browser (HTTPS) cannot connect to ws:// directly (mixed-content block).
Solution: PHP SSE relay bridges the gap server-side.

- api/scale_relay.php: GET ?url=ws://ip:port
  PHP opens WS connection to Android gateway, streams JSON frames as
  Server-Sent Events to the browser over existing HTTPS connection.
  Includes WS handshake, masked client frames, frame decoder, keep-alive.

- api/scale_ping.php: GET ?url=ws://ip:port
  One-shot connectivity test, returns {"ok":true} or {"ok":false,"error"}.

- app.js: WebSocket -> EventSource (SSE)
  _scaleWs -> _scaleEs, connects to /api/scale_relay.php
  testScaleConnection() -> fetch /api/scale_ping.php (no more direct ws://)
  readScaleWeight(): removed get_weight send (scale streams continuously)

2026-04-15 20:31:54 +00:00

2 Commits