fix: update CORS whitelist to mimo.xiaomi.com (#139), strip stack traces from error responses (#154), redact MCP access tokens (#156) #798
Open
MrRealORG wants to merge 1 commit into
… stack traces from error responses (XiaomiMiMo#154), redact MCP access tokens (XiaomiMiMo#156)

- CORS middleware: regex whitelist changed from opencode.ai to mimo.xiaomi.com so the web UI and desktop app can make cross-origin requests after the rebrand.
- Error handler: use err.message instead of err.stack in 500 responses, preventing internal file paths, dependency versions, and code structure from leaking to clients.
- MCP auth status: replace partial access token display (first 20 chars) with 'present'/'missing' to prevent token leakage via screen recordings, terminal logs, or shoulder-surfing.
Summary

Three security/correctness fixes in 2 files:

Fix #139 — CORS whitelist still allows opencode.ai

The CORS origin regex in `middleware.ts` still whitelisted `*.opencode.ai`. After the rebrand to MiMo Code, the web UI and desktop app originate from `mimo.xiaomi.com`, so cross-origin requests were blocked.

Fix: Update regex from `opencode.ai` to `mimo.xiaomi.com`.

Fix #154 — Stack traces leaked in 500 error responses

The error handler sent `err.stack` (full stack trace with file paths, line numbers, dependency versions) to the client in JSON error responses.

Fix: Use `err.message` instead, which gives the error description without internal details.

Fix #156 — MCP access token partially visible in auth status

`mcp auth status` displayed the first 20 characters of the OAuth access token. This could be captured via screen recordings, terminal logs, or shoulder-surfing.

Fix: Replace with `"present"`/`"missing"` indicator.
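The three fixes described above, as an added, self-contained example in TypeScript; this is not the PR's diff nor the project's `middleware.ts`, and the function names, the exact regex, the response shape and the sample inputs are assumptions. The CORS check goes slightly beyond the description by anchoring the pattern and escaping the dots, so that `mimo.xiaomi.com` and its subdomains match while a host that merely contains that string does not; the error and token helpers show the leaky form beside the redacted one.

```typescript
// Added example (not the PR's code). Names, regex and samples are assumptions.

// 1. CORS origin whitelist (Fix #139). Anchored, dots escaped, https only:
//    matches https://mimo.xiaomi.com and any subdomain, rejects lookalikes.
const ALLOWED_ORIGIN = /^https:\/\/([a-z0-9-]+\.)*mimo\.xiaomi\.com$/i;

function isAllowedOrigin(origin: string | undefined): boolean {
  if (!origin) return false; // no Origin header: not a CORS request we allow
  return ALLOWED_ORIGIN.test(origin);
}

// Builds the CORS response headers, or none when the origin is not allowed.
function corsHeaders(origin: string | undefined): Record<string, string> {
  if (!isAllowedOrigin(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin as string,
    Vary: "Origin",
  };
}

// 2. Error responses (Fix #154).
interface ErrorBody {
  error: string;
}

// The "before": ships err.stack, i.e. file paths and line numbers, to clients.
function leakyErrorResponse(err: Error): ErrorBody {
  return { error: err.stack ?? err.message };
}

// The "after": only the message; non-Error throwables get a generic text.
function safeErrorResponse(err: unknown): ErrorBody {
  const message = err instanceof Error ? err.message : "Internal Server Error";
  return { error: message };
}

// 3. MCP auth status (Fix #156).
// The "before": a 20-character prefix that still lands in logs and recordings.
function leakyTokenStatus(token: string | undefined): string {
  return token ? token.slice(0, 20) : "missing";
}

// The "after": presence only, never any part of the token value.
function tokenStatus(token: string | undefined): "present" | "missing" {
  return token && token.length > 0 ? "present" : "missing";
}

// Constructed sample values for a quick manual run.
const sampleOrigins = [
  "https://mimo.xiaomi.com",
  "https://app.mimo.xiaomi.com",
  "https://opencode.ai",
  "https://mimo.xiaomi.com.example.test", // suffix lookalike, must be rejected
];
for (const o of sampleOrigins) {
  console.log(o, "->", isAllowedOrigin(o) ? "allowed" : "blocked");
}
console.log(safeErrorResponse(new Error("db connection refused")));
console.log(tokenStatus("constructed-sample-token-value"), tokenStatus(undefined));
```

The `Vary: Origin` header is included because a per-origin `Access-Control-Allow-Origin` value must not be cached and replayed for a different origin by an intermediate cache.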