Add localhost-only /auto-login endpoint and update Brave launch URL

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/a4089cd6-1729-441f-adbf-1fb1c990a4f5

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
copilot-swe-agent[bot]
2026-04-13 01:01:58 +00:00
committed by GitHub
parent 97a7a9163e
commit b25c077835
2 changed files with 25 additions and 2 deletions


@@ -87,7 +87,7 @@ LOGIN_FAIL_WINDOW = 60.0 # rolling window (seconds) for counting failures
LOGIN_FAIL_MAX = 10 # max failures in window before extra delay
# Public paths that are accessible without a valid session
_AUTH_EXEMPT_PATHS = {"/login", "/api/login", "/api/updates/status", "/api/rebuild/status"}
_AUTH_EXEMPT_PATHS = {"/login", "/api/login", "/api/updates/status", "/api/rebuild/status", "/auto-login"}
# Prefixes for static assets required by the login page
_AUTH_EXEMPT_PREFIXES = ("/static/css/", "/static/sovran-hub-icon.svg")
@@ -1594,6 +1594,29 @@ async def login_page(request: Request):
return templates.TemplateResponse("login.html", {"request": request})
@app.get("/auto-login")
async def auto_login_redirect(request: Request):
"""Localhost-only auto-login: create a session, set the cookie, and redirect to /.
Only requests from 127.0.0.1 or ::1 are accepted so that remote clients on
the LAN cannot bypass the password prompt by navigating to this URL.
"""
client_ip = request.client.host if request.client else "unknown"
if client_ip not in ("127.0.0.1", "::1"):
raise HTTPException(status_code=403, detail="Forbidden")
token = _create_session()
response = RedirectResponse(url="/", status_code=303)
response.set_cookie(
key=SESSION_COOKIE_NAME,
value=token,
max_age=SESSION_MAX_AGE,
httponly=True,
samesite="lax",
secure=False, # LAN-only appliance; no TLS on the Hub port
)
return response
class LoginRequest(BaseModel):
password: str
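Review bot: The address test in `auto_login_redirect` is the only gate on a route that issues a session without a password, and `request.client.host` on its own does not show that the request came from the local desktop. If the Hub is ever fronted by a reverse proxy or tunnel on the same host, every remote client arrives as 127.0.0.1, and if forwarded headers are trusted the value is client-supplied; neither is visible in this section, so the deployment should be confirmed and the assumption stated in the docstring. Because this is a plain GET, any page loaded in a browser on the machine can also cause it to be requested, including under a foreign hostname that resolves to loopback, so I would also reject unexpected Host values (port taken from the launcher URL): `if request.headers.get("host", "") not in ("localhost:8937", "127.0.0.1:8937"): raise HTTPException(status_code=403, detail="Forbidden")`. A one-time token generated by the launcher and consumed here would be a stronger design, since it also covers other local users and processes. Each call also creates a fresh session with no throttle, unlike the LOGIN_FAIL_* limits on the password path.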


@@ -221,7 +221,7 @@ let
trap '[ -n "$HUB_DATA" ] && rm -rf "$HUB_DATA"' EXIT INT TERM
export BAMF_DESKTOP_FILE_HINT="/run/current-system/sw/share/applications/sovran-hub.desktop"
export GIO_LAUNCHED_DESKTOP_FILE="/run/current-system/sw/share/applications/sovran-hub.desktop"
brave --app=http://localhost:8937 \
brave --app=http://localhost:8937/auto-login \
--class=sovran-hub \
--user-data-dir="$HUB_DATA" \
--password-store=basic \
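Review bot: Pointing the launcher at `/auto-login` means every start of the app creates a new server-side session, while the cookie that refers to it lives in the throwaway `$HUB_DATA` profile that the `trap` deletes on exit. Nothing visible in this hunk revokes the session when the window closes, so it presumably stays valid until SESSION_MAX_AGE expires; confirm against `_create_session` and the session store. If the Hub has a logout or revocation route, calling it from the same `trap` would keep session lifetime aligned with the window; otherwise a comment here such as `# /auto-login issues a password-less session; loopback only, see auto_login_redirect` would at least record the dependency. The surrounding script starts and ends outside the hunk.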