Merge pull request #218 from naturallaw777/copilot/fix-login-ux-issue

Auto-login on desktop launch: skip duplicate password prompt
Add localhost-only /auto-login endpoint and update Brave launch URL
2026-04-12 20:04:07 -05:00 · 2026-04-13 01:01:58 +00:00 · 2026-04-13 00:59:53 +00:00
2 changed files with 25 additions and 2 deletions
@@ -87,7 +87,7 @@ LOGIN_FAIL_WINDOW = 60.0  # rolling window (seconds) for counting failures
 LOGIN_FAIL_MAX    = 10    # max failures in window before extra delay

 # Public paths that are accessible without a valid session
-_AUTH_EXEMPT_PATHS = {"/login", "/api/login", "/api/updates/status", "/api/rebuild/status"}
+_AUTH_EXEMPT_PATHS = {"/login", "/api/login", "/api/updates/status", "/api/rebuild/status", "/auto-login"}
 # Prefixes for static assets required by the login page
 _AUTH_EXEMPT_PREFIXES = ("/static/css/", "/static/sovran-hub-icon.svg")

@@ -1594,6 +1594,29 @@ async def login_page(request: Request):
    return templates.TemplateResponse("login.html", {"request": request})


+@app.get("/auto-login")
+async def auto_login_redirect(request: Request):
+    """Localhost-only auto-login: create a session, set the cookie, and redirect to /.
+
+    Only requests from 127.0.0.1 or ::1 are accepted so that remote clients on
+    the LAN cannot bypass the password prompt by navigating to this URL.
+    """
+    client_ip = request.client.host if request.client else "unknown"
+    if client_ip not in ("127.0.0.1", "::1"):
+        raise HTTPException(status_code=403, detail="Forbidden")
+    token = _create_session()
+    response = RedirectResponse(url="/", status_code=303)
+    response.set_cookie(
+        key=SESSION_COOKIE_NAME,
+        value=token,
+        max_age=SESSION_MAX_AGE,
+        httponly=True,
+        samesite="lax",
+        secure=False,  # LAN-only appliance; no TLS on the Hub port
+    )
+    return response
+
+
 class LoginRequest(BaseModel):
    password: str

@@ -221,7 +221,7 @@ let
    trap '[ -n "$HUB_DATA" ] && rm -rf "$HUB_DATA"' EXIT INT TERM
    export BAMF_DESKTOP_FILE_HINT="/run/current-system/sw/share/applications/sovran-hub.desktop"
    export GIO_LAUNCHED_DESKTOP_FILE="/run/current-system/sw/share/applications/sovran-hub.desktop"
-    brave --app=http://localhost:8937 \
+    brave --app=http://localhost:8937/auto-login \
          --class=sovran-hub \
          --user-data-dir="$HUB_DATA" \
          --password-store=basic \
Author	SHA1	Message	Date
Sovran_Systems	40180b5cb7	Merge pull request #218 from naturallaw777/copilot/fix-login-ux-issue Auto-login on desktop launch: skip duplicate password prompt	2026-04-12 20:04:07 -05:00
copilot-swe-agent[bot]	b25c077835	Add localhost-only /auto-login endpoint and update Brave launch URL Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/a4089cd6-1729-441f-adbf-1fb1c990a4f5 Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>	2026-04-13 01:01:58 +00:00
copilot-swe-agent[bot]	97a7a9163e	Initial plan	2026-04-13 00:59:53 +00:00