From b25c077835466fdc6c7beb4d12617f1b9ded5e06 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 13 Apr 2026 01:01:58 +0000 Subject: [PATCH] Add localhost-only /auto-login endpoint and update Brave launch URL Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/a4089cd6-1729-441f-adbf-1fb1c990a4f5 Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com> --- app/sovran_systemsos_web/server.py | 25 ++++++++++++++++++++++++- modules/core/sovran-hub.nix | 2 +- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py index e94223e..19b698b 100644 --- a/app/sovran_systemsos_web/server.py +++ b/app/sovran_systemsos_web/server.py @@ -87,7 +87,7 @@ LOGIN_FAIL_WINDOW = 60.0 # rolling window (seconds) for counting failures LOGIN_FAIL_MAX = 10 # max failures in window before extra delay # Public paths that are accessible without a valid session -_AUTH_EXEMPT_PATHS = {"/login", "/api/login", "/api/updates/status", "/api/rebuild/status"} +_AUTH_EXEMPT_PATHS = {"/login", "/api/login", "/api/updates/status", "/api/rebuild/status", "/auto-login"} # Prefixes for static assets required by the login page _AUTH_EXEMPT_PREFIXES = ("/static/css/", "/static/sovran-hub-icon.svg") 
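Review bot: Adding `/auto-login` to `_AUTH_EXEMPT_PATHS` makes the handler's own peer-address test the only gate between an unauthenticated GET and a minted session, and nothing at this line says so; the login throttling configured just above (`LOGIN_FAIL_WINDOW`, `LOGIN_FAIL_MAX`) presumably does not cover it either, since it is keyed to password failures. Suggest a comment beside the set: `# /auto-login bypasses the session check; the handler itself rejects non-loopback peers`. Whether the middleware matches these paths exactly or by prefix is not visible in this hunk, so if it is a prefix match, `/auto-login` would also exempt anything beneath it.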
@@ -1594,6 +1594,29 @@ async def login_page(request: Request): return templates.TemplateResponse("login.html", {"request": request}) +@app.get("/auto-login") +async def auto_login_redirect(request: Request): + """Localhost-only auto-login: create a session, set the cookie, and redirect to /. + + Only requests from 127.0.0.1 or ::1 are accepted so that remote clients on + the LAN cannot bypass the password prompt by navigating to this URL. + """ + client_ip = request.client.host if request.client else "unknown" + if client_ip not in ("127.0.0.1", "::1"): + raise HTTPException(status_code=403, detail="Forbidden") + token = _create_session() + response = RedirectResponse(url="/", status_code=303) + response.set_cookie( + key=SESSION_COOKIE_NAME, + value=token, + max_age=SESSION_MAX_AGE, + httponly=True, + samesite="lax", + secure=False, # LAN-only appliance; no TLS on the Hub port + ) + return response + + class LoginRequest(BaseModel): password: str diff --git a/modules/core/sovran-hub.nix b/modules/core/sovran-hub.nix index c8a5c36..f790eeb 100644 --- a/modules/core/sovran-hub.nix +++ b/modules/core/sovran-hub.nix @@ -221,7 +221,7 @@ let trap '[ -n "$HUB_DATA" ] && rm -rf "$HUB_DATA"' EXIT INT TERM export BAMF_DESKTOP_FILE_HINT="/run/current-system/sw/share/applications/sovran-hub.desktop" export GIO_LAUNCHED_DESKTOP_FILE="/run/current-system/sw/share/applications/sovran-hub.desktop" - brave --app=http://localhost:8937 \ + brave --app=http://localhost:8937/auto-login \ --class=sovran-hub \ --user-data-dir="$HUB_DATA" \ --password-store=basic \
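Review bot: In `auto_login_redirect` the `client_ip not in ("127.0.0.1", "::1")` test trusts every process on the host, and the endpoint is a plain GET with no CSRF protection, so any browser on the machine — not only the Brave app window — obtains a session by a top-level navigation to `http://localhost:8937/auto-login` (SameSite=Lax cookies are still set and sent on such navigations); if the Hub is ever fronted by a local reverse proxy, every request arrives from 127.0.0.1 and the gate disappears. A stronger design is a one-time launch token generated by the launcher, read from a file only the hub user can access, compared with `secrets.compare_digest` and consumed on first use, with the peer check kept as defense in depth. Separately, the exact-string match rejects `::ffff:127.0.0.1` on a dual-stack bind and the rest of 127.0.0.0/8, which `ipaddress` handles cleanly (needs `import ipaddress` at file top). The set_cookie parameters appear to duplicate those of `/api/login`, which is outside this hunk, so a shared helper would keep them from drifting.
```python
    client_ip = request.client.host if request.client else "unknown"
    try:
        peer = ipaddress.ip_address(client_ip)
    except ValueError:
        raise HTTPException(status_code=403, detail="Forbidden")
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
    mapped = getattr(peer, "ipv4_mapped", None)
    if mapped is not None:
        peer = mapped
    if not peer.is_loopback:
        raise HTTPException(status_code=403, detail="Forbidden")
    # … unchanged: session creation, cookie, redirect …
```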
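Review bot: The new `--app=http://localhost:8937/auto-login` URL mints a fresh server-side session on every launch, while the `trap ... rm -rf "$HUB_DATA"` line above discards the cookie jar on exit, so each start leaves an orphaned session behind that, unless `_create_session` caps or expires entries (not visible here), lives until SESSION_MAX_AGE; consider having the launcher hit a logout path on exit or the server revoke the previous auto-login session when a new one is created. A comment on the brave line would record the dependency: `# /auto-login is loopback-only; a new Hub session is created each launch and the cookie dies with $HUB_DATA`. If the endpoint later takes a one-time token, pass it via a file under `$HUB_DATA` or the environment rather than in this URL, which every local user can read from `ps`.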