fix(dashboard): configurable host + allowedHosts for remote serving (#485) #486

Open
Lum1104 wants to merge 2 commits into main from fix/dashboard-allowed-hosts-485

Lum1104 (Collaborator) commented Jun 20, 2026

Problem

Users serving the dashboard from a remote VM accessed via a domain name hit Vite's host check and see:

Blocked request. This host ("example.com") is not allowed.
To allow this host, add "example.com" to server.allowedHosts in vite.config.js.

The server block hardcoded host: "127.0.0.1" and set no allowedHosts, so the only workaround was hand-editing vite.config.ts. Closes #485.

Fix

Add two opt-in environment variables to packages/dashboard/vite.config.ts, keeping the strict localhost-only default when they are unset:

  • UNDERSTAND_HOST — overrides the bind address (e.g. 0.0.0.0).
  • UNDERSTAND_ALLOWED_HOSTS — comma-separated allowedHosts list; all / true / * disables the host check entirely.

The one-time access token still gates every data endpoint, so the security model is unchanged for the default case.

Docs

Documented both env vars under a new "Serving from a remote VM" section in the understand-dashboard skill.

Notes

  • Version bumped to 2.8.2 across all five plugin manifest files.
  • tsc --noEmit and @understand-anything/core build pass.

Lum1104 added 2 commits June 20, 2026 19:04
… serving

Users serving the dashboard from a remote VM accessed via a domain hit Vite's
host check: "Blocked request. This host ("example.com") is not allowed." (#485).
The server config hardcoded host 127.0.0.1 and set no allowedHosts, so the only
workaround was hand-editing vite.config.ts.

Add two env vars, keeping the strict localhost-only default:
- UNDERSTAND_HOST overrides the bind address (e.g. 0.0.0.0)
- UNDERSTAND_ALLOWED_HOSTS is a comma-separated allowedHosts list; `all`/`true`/`*`
  disables the check entirely

Document both in the understand-dashboard skill. The one-time access token still
gates the data endpoints. Bump version to 2.8.2.
The env vars alone don't help users on the agent-driven /understand-dashboard
path, since the agent launches Vite with localhost defaults. Add a detection +
prompt step to the skill: when an SSH/remote session is detected, ask the user
which hostname/IP they'll browse from, then launch with UNDERSTAND_HOST=0.0.0.0
and UNDERSTAND_ALLOWED_HOSTS=<host>, and report the URL with that host.

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a6bd10e6c

// from a remote VM, and whitelist the public host via UNDERSTAND_ALLOWED_HOSTS.
server: {
host: "127.0.0.1",
host: process.env.UNDERSTAND_HOST || "127.0.0.1",
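Review bot: On the new `host: process.env.UNDERSTAND_HOST || "127.0.0.1"` line, the environment value reaches Vite's bind address untrimmed and unchecked, so a value with stray whitespace or a typo is used as-is, and a wide bind such as 0.0.0.0 takes effect without anything in this hunk signalling it. Suggest trimming the value before the `||` fallback and emitting a startup warning whenever the resolved host is not a loopback address. The comment above `server:` could also say "allow" rather than "whitelist" to match Vite's allowedHosts terminology.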

P2: Include the external host in the remote URL

When UNDERSTAND_HOST=0.0.0.0 is used for the new remote-VM flow, this makes Vite listen remotely but the dashboard URL printed from configureServer is still hard-coded to http://127.0.0.1:${port}/?token=..., and the skill tells agents to report that captured tokenized URL. From a browser outside the VM, 127.0.0.1 points at the user's own machine, so the documented remote setup produces an unusable URL unless the user manually transplants the token onto the public host. Please derive/report the tokenized URL using the configured public host or document that replacement explicitly.

Useful? React with 👍 / 👎.
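An added example, not the project's vite.config.ts: it resolves UNDERSTAND_HOST and UNDERSTAND_ALLOWED_HOSTS into values for Vite's server.host and server.allowedHosts as the PR description lays out, and builds the tokenized URL from the configured public host as the review above requests. The function names, the warnings field, the `<public-host>` placeholder and the case-insensitive matching are assumptions made for this sketch.

```typescript
// Added example; resolveServer/dashboardUrl are hypothetical names, not project code.
type Env = Record<string, string | undefined>;

interface ServerOptions {
  host: string;                  // value for Vite's server.host
  allowedHosts: string[] | true; // value for Vite's server.allowedHosts
  warnings: string[];            // notes for the operator when exposure widens
}

const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);
const WILDCARD = new Set(["0.0.0.0", "::"]);
const DISABLE = new Set(["all", "true", "*"]);

function resolveServer(env: Env): ServerOptions {
  // Unset or blank keeps the strict localhost-only default.
  const host = (env["UNDERSTAND_HOST"] ?? "").trim() || "127.0.0.1";
  const entries = (env["UNDERSTAND_ALLOWED_HOSTS"] ?? "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
  const disabled = entries.some((h) => DISABLE.has(h));
  const warnings: string[] = [];
  if (!LOOPBACK.has(host)) {
    warnings.push(`bound to ${host}: reachable from other machines`);
  }
  if (disabled) {
    warnings.push("host check disabled: requests with any Host header are accepted");
  }
  return { host, allowedHosts: disabled ? true : entries, warnings };
}

// Build the tokenized URL from the host the user will browse to, not the bind address.
function dashboardUrl(opts: ServerOptions, port: number, token: string): string {
  let name = "127.0.0.1";
  if (!LOOPBACK.has(opts.host)) {
    const first = opts.allowedHosts === true ? undefined : opts.allowedHosts[0];
    // A leading "." in allowedHosts means "this domain and its subdomains".
    if (first) name = first.replace(/^\./, "");
    else name = WILDCARD.has(opts.host) ? "<public-host>" : opts.host;
  }
  if (name.indexOf(":") >= 0) name = `[${name}]`; // bracket IPv6 literals
  return `http://${name}:${port}/?token=${encodeURIComponent(token)}`;
}
```

When the bind address is a wildcard and no hostname is listed, the URL carries the `<public-host>` placeholder so the caller can prompt for the host instead of reporting an address the browser cannot reach.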


Successfully merging this pull request may close these issues.

webpage shows :Blocked request. This host ("example.com") is not allowed.
