Skip to content

fix(kimi-code): encode server token fragments#1403

Open
VectorPeak wants to merge 1 commit into
MoonshotAI:mainfrom
VectorPeak:fix-token-fragment-encoding
Open

fix(kimi-code): encode server token fragments#1403
VectorPeak wants to merge 1 commit into
MoonshotAI:mainfrom
VectorPeak:fix-token-fragment-encoding

Conversation

@VectorPeak

Copy link
Copy Markdown

Related Issue

No linked issue; this is a focused, reproducible Web UI token-fragment URL bug fix.

Problem

The server Web UI URLs carry the persistent server token in a client-side fragment:

#token=<token>

That keeps the token out of HTTP requests and server logs, but the token value still has to be URL-encoded before it is inserted into the fragment. The Web UI reads the fragment with new URLSearchParams(hash.slice(1)), which treats & as a parameter separator and decodes percent-encoded sequences while parsing.

Today, the CLI and TUI /web deep-link helpers append the raw token value:

`#token=${token}`

That means tokens containing URL parameter delimiters or percent-like sequences can be read back incorrectly by the Web UI. For example:

a&b   | raw=a   | encoded=a&b
a%20b | raw=a b | encoded=a%20b
a%26b | raw=a&b | encoded=a%26b

The desktop entry point already encodes this same #token= fragment, so the CLI and TUI URL builders should follow the same boundary: put an encoded fragment value in the URL, then let the Web UI's existing URLSearchParams parser decode it back to the original token.

What changed

  • Encoded token fragment values in server openable URLs built by buildOpenableUrl().
  • Encoded token fragment values in /web session deep links built by webSessionUrl().
  • Preserved existing output for simple ASCII tokens such as tok-1.
  • Added regression tests proving special-character tokens round-trip through URLSearchParams.
  • Added a patch changeset for @moonshot-ai/kimi-code.

Validation run locally:

node -e "const parse=(url)=>new URLSearchParams(new URL(url).hash.slice(1)).get('token'); for (const token of ['a&b','a%20b','a%26b','abc#def']) { const raw=`http://localhost:58627/#token=${token}`; const encoded=`http://localhost:58627/#token=${encodeURIComponent(token)}`; console.log(`${token} | raw=${parse(raw)} | encoded=${parse(encoded)}`); }"
corepack pnpm --filter @moonshot-ai/kimi-code exec vitest run test/cli/server/server.test.ts -t "token fragment"
corepack pnpm --filter @moonshot-ai/kimi-code exec vitest run test/tui/commands/web.test.ts
corepack pnpm --filter @moonshot-ai/kimi-code exec vitest run test/cli/server/server.test.ts
git diff --check

Results:

targeted server token tests: 1 file passed, 4 tests passed, 85 skipped
TUI web tests: 1 file passed, 9 tests passed
full server test: 1 file passed, 89 tests passed
git diff --check: passed

Note: local validation used ELECTRON_SKIP_BINARY_DOWNLOAD=1 / ELECTRON_SKIP_DOWNLOAD=1; these CLI/TUI URL tests do not require the Electron binary.

Checklist

  • I have read the CONTRIBUTING document.
  • I have linked a related issue, or explained the problem above.
  • I have added tests that prove my feature works.
  • Ran gen-changesets skill, or this PR needs no changeset.
  • Ran gen-docs skill, or this PR needs no doc update.

@changeset-bot

changeset-bot Bot commented Jul 5, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 72461b0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@moonshot-ai/kimi-code Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant