Title: feat: attach short-lived app-session token to Core integration calls (BUG-438) by arosenan · Pull Request #197 · base44/javascript-sdk · GitHub
Open Graph Title: feat: attach short-lived app-session token to Core integration calls (BUG-438) by arosenan · Pull Request #197 · base44/javascript-sdk
X Title: feat: attach short-lived app-session token to Core integration calls (BUG-438) by arosenan · Pull Request #197 · base44/javascript-sdk
Description: Why Public Base44 apps (public_without_login) expose Core integration endpoints to anonymous callers by design — the app's own browser frontend invokes InvokeLLM, SendEmail, etc. with no logged-in user. The flaw tracked in BUG-438 is that nothing distinguishes a request coming from the served app from an arbitrary curl against the public endpoint, so anyone can drain the owner's integration credits, send mail from the trusted sender domain, and so on. What The backend now mints a short-lived, app-bound session token (companion backend PR). This SDK change makes the client replay it: src/utils/app-session.ts — a lazily-caching session-token provider. On the first Core integration call it GETs /apps/{appId}/integration-session, caches the token until shortly before its TTL, and de-dupes concurrent refreshes. src/modules/integrations.ts — for Core.* calls, attaches the token via the X-Base44-App-Session header. Safety / rollout Best-effort & non-breaking: if minting fails, the provider returns null and the call proceeds without the header. Nothing breaks if the endpoint is unavailable. The backend runs in observe-only mode and only enforces the token once a per-app feature flag is enabled — so already-deployed apps bundling older SDK versions keep working while we measure the token-less traffic rate. Only Core calls are touched; installable/custom integrations and authenticated calls are unchanged (the header is additive and ignored for authenticated requests). Tests tests/unit/app-session.test.ts — header attached when minted, token minted once and reused, and the best-effort path (proceeds without the header when minting fails). Full unit suite green (156 passed). npm run build + npm run lint pass. 🤖 Generated with Claude Code
Open Graph Description: Why Public Base44 apps (public_without_login) expose Core integration endpoints to anonymous callers by design — the app's own browser frontend invokes InvokeLLM, SendEmail, etc. with no logged...
X Description: Why Public Base44 apps (public_without_login) expose Core integration endpoints to anonymous callers by design — the app's own browser frontend invokes InvokeLLM, SendEmail, etc. with no lo...
Opengraph URL: https://github.com/base44/javascript-sdk/pull/197
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:f8864372-c2e4-4783-93d0-9bf4de189d87 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | A118:1EEE:762044:9AFD68:6A4C55EA |
| html-safe-nonce | d5ad300c906ea5c30c1219da0ed26efb3f0c3140ef81648cf0db1c9c55f9469a |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBMTE4OjFFRUU6NzYyMDQ0OjlBRkQ2ODo2QTRDNTVFQSIsInZpc2l0b3JfaWQiOiI4MTk1OTE0ODEzNzM5MzkwNDQyIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 0acc35752b3ee38c45e7056a69cfdbe808a498326c86fb22aea3c4e7dffdb120 |
| hovercard-subject-tag | pull_request:3846445548 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/base44/javascript-sdk/pull/197/files |
| twitter:image | https://avatars.githubusercontent.com/u/5755417?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/5755417?s=400&v=4 |
| og:image:alt | Why Public Base44 apps (public_without_login) expose Core integration endpoints to anonymous callers by design — the app's own browser frontend invokes InvokeLLM, SendEmail, etc. with no logged... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/base44/javascript-sdk git https://github.com/base44/javascript-sdk.git |
| octolytics-dimension-user_id | 234699998 |
| octolytics-dimension-user_login | base44 |
| octolytics-dimension-repository_id | 939374418 |
| octolytics-dimension-repository_nwo | base44/javascript-sdk |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 939374418 |
| octolytics-dimension-repository_network_root_nwo | base44/javascript-sdk |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 14099438da5379150f15a2892474c7c7e6c0e55e |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width