feat(port-squat): version-gated backward-compat for token check @W-22838968

ankitsinghkuntal09 · ankitsinghkuntal09 · commit fcdb4e35deac · 2026-06-08T16:19:37.000+05:30
Webapps using @salesforce/ui-bundle >= 2.0.0 go through the strict X-Live-Preview-Token check from PR #53. Older installs fall back to the pre-fix reachability behavior so existing customers aren't broken. - Add MIN_TOKEN_SUPPORTED_VERSION cutoff (2.0.0) - Read installed @salesforce/ui-bundle version from webapp node_modules - Pre-flight + post-spawn branch on STRICT vs LEGACY mode
diff --git a/src/commands/ui-bundle/dev.ts b/src/commands/ui-bundle/dev.ts
@@ -15,6 +15,8 @@
  */
 
 import { randomUUID } from 'node:crypto';
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
 import open from 'open';
 import select from '@inquirer/select';
 import { SfCommand, Flags } from '@salesforce/sf-plugins-core';
@@ -29,6 +31,29 @@ import { discoverUiBundle, DEFAULT_DEV_COMMAND, type DiscoveredUiBundle } from '
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@salesforce/plugin-ui-bundle-dev', 'ui-bundle.dev');
 
+// Webapps with @salesforce/ui-bundle >= this version echo X-Live-Preview-Token
+// and go through the strict port-squat check. Older installs fall back to the
+// pre-fix reachability check so existing customers aren't broken.
+const MIN_TOKEN_SUPPORTED_VERSION = '2.0.0';
+
+function compareVersions(a: string, b: string): number {
+  const norm = (v: string): number[] =>
+    v
+      .split('-')[0]
+      .split('+')[0]
+      .split('.')
+      .map((s) => Number(s) || 0);
+  const pa = norm(a);
+  const pb = norm(b);
+  for (let i = 0; i < 3; i++) {
+    const av = pa[i] ?? 0;
+    const bv = pb[i] ?? 0;
+    if (av > bv) return 1;
+    if (av < bv) return -1;
+  }
+  return 0;
+}
+
 export default class UiBundleDev extends SfCommand<UiBundleDevResult> {
   public static readonly summary = messages.getMessage('summary');
   public static readonly description = messages.getMessage('description');
@@ -103,6 +128,46 @@ export default class UiBundleDev extends SfCommand<UiBundleDevResult> {
     });
   }
 
+  private static async getWebappUiBundleVersion(uiBundleDir: string): Promise<string | null> {
+    try {
+      const pkgPath = join(uiBundleDir, 'node_modules', '@salesforce', 'ui-bundle', 'package.json');
+      const raw = await readFile(pkgPath, 'utf-8');
+      const parsed = JSON.parse(raw) as { version?: unknown };
+      return typeof parsed.version === 'string' ? parsed.version : null;
+    } catch {
+      return null;
+    }
+  }
+
+  private static isNewWebapp(version: string | null): boolean {
+    if (!version) return false;
+    return compareVersions(version, MIN_TOKEN_SUPPORTED_VERSION) >= 0;
+  }
+
+  private static async isUrlReachable(url: string): Promise<boolean> {
+    try {
+      const response = await fetch(url, {
+        method: 'HEAD',
+        signal: AbortSignal.timeout(3000),
+      });
+      return response.ok;
+    } catch {
+      return false;
+    }
+  }
+
+  private static async pollUntilReachable(
+    url: string,
+    timeoutMs: number,
+    intervalMs = 500,
+    start = Date.now()
+  ): Promise<boolean> {
+    if (await UiBundleDev.isUrlReachable(url)) return true;
+    if (Date.now() - start >= timeoutMs) return false;
+    await new Promise((r) => setTimeout(r, intervalMs));
+    return UiBundleDev.pollUntilReachable(url, timeoutMs, intervalMs, start);
+  }
+
   /**
    * Check the port status: is it available, or is a server already running there?
    * If a server is running, verify its identity via the health check token.
@@ -305,15 +370,31 @@ export default class UiBundleDev extends SfCommand<UiBundleDevResult> {
         );
       }
 
-      // Check port status: available, verified (our server), or unverified (foreign)
-      const portStatus = await UiBundleDev.checkPortStatus(resolvedUrl);
-      if (portStatus === 'verified') {
+      // Pick security model based on installed @salesforce/ui-bundle version.
+      const installedUiBundleVersion = await UiBundleDev.getWebappUiBundleVersion(uiBundleDir);
+      const useNewSecurityModel = UiBundleDev.isNewWebapp(installedUiBundleVersion);
+      this.logger.debug(
+        `port-squat gate: webapp=${selectedUiBundle.name} installed=${installedUiBundleVersion ?? '<unknown>'} ` +
+          `cutoff=${MIN_TOKEN_SUPPORTED_VERSION} mode=${useNewSecurityModel ? 'STRICT' : 'LEGACY'}`
+      );
+
+      let portReachable = false;
+      if (useNewSecurityModel) {
+        const portStatus = await UiBundleDev.checkPortStatus(resolvedUrl);
+        if (portStatus === 'verified') {
+          portReachable = true;
+        } else if (portStatus === 'unverified') {
+          process.stderr.write(JSON.stringify({ error: 'PortSquattingAbort', port: resolvedUrl }) + '\n');
+          throw new SfError('Aborted: unverified server on port.', 'PortSquattingAbort');
+        }
+      } else {
+        portReachable = await UiBundleDev.isUrlReachable(resolvedUrl);
+      }
+
+      if (portReachable) {
         devServerUrl = resolvedUrl;
         this.log(messages.getMessage('info.url-already-available', [resolvedUrl]));
-        this.logger.debug(`URL ${resolvedUrl} is verified as our server, skipping dev server startup`);
-      } else if (portStatus === 'unverified') {
-        process.stderr.write(JSON.stringify({ error: 'PortSquattingAbort', port: resolvedUrl }) + '\n');
-        throw new SfError('Aborted: unverified server on port.', 'PortSquattingAbort');
+        this.logger.debug(`URL ${resolvedUrl} is already available, skipping dev server startup`);
       } else if (flags.url) {
         // User explicitly passed --url; assume server is already running at that URL
         // Fail immediately if unreachable (don't start dev server)
@@ -369,8 +450,10 @@ export default class UiBundleDev extends SfCommand<UiBundleDevResult> {
 
         this.devServerManager.start();
 
-        // Poll until our server is verified, or fail on process error / port squatting
-        const pollPromise = UiBundleDev.pollUntilVerified(resolvedUrl, 60_000);
+        // Strict poll aborts on foreign server; legacy poll just waits for reachability.
+        const pollPromise = useNewSecurityModel
+          ? UiBundleDev.pollUntilVerified(resolvedUrl, 60_000)
+          : UiBundleDev.pollUntilReachable(resolvedUrl, 60_000);
         const errorPromise = new Promise<boolean>((_, reject) => {
           this.devServerManager!.once('error', (error: SfError | DevServerError) => {
             const devError =
