fix(kimi-code): encode server token fragments#1403
Open
VectorPeak wants to merge 1 commit into
Open
Conversation
🦋 Changeset detectedLatest commit: 72461b0 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related Issue
No linked issue; this is a focused, reproducible Web UI token-fragment URL bug fix.
Problem
The server Web UI URLs carry the persistent server token in a client-side fragment:
That keeps the token out of HTTP requests and server logs, but the token value still has to be URL-encoded before it is inserted into the fragment. The Web UI reads the fragment with
new URLSearchParams(hash.slice(1)), which treats&as a parameter separator and decodes percent-encoded sequences while parsing.Today, the CLI and TUI
/webdeep-link helpers append the raw token value:`#token=${token}`That means tokens containing URL parameter delimiters or percent-like sequences can be read back incorrectly by the Web UI. For example:
The desktop entry point already encodes this same
#token=fragment, so the CLI and TUI URL builders should follow the same boundary: put an encoded fragment value in the URL, then let the Web UI's existingURLSearchParamsparser decode it back to the original token.What changed
buildOpenableUrl()./websession deep links built bywebSessionUrl().tok-1.URLSearchParams.@moonshot-ai/kimi-code.Validation run locally:
Results:
Note: local validation used
ELECTRON_SKIP_BINARY_DOWNLOAD=1/ELECTRON_SKIP_DOWNLOAD=1; these CLI/TUI URL tests do not require the Electron binary.Checklist
gen-changesetsskill, or this PR needs no changeset.gen-docsskill, or this PR needs no doc update.