feat(web): protect launcher dashboard with token and SPA login #1953
Open
zeed-w-beez wants to merge 8 commits into sipeed:main from
Collaborator
Hi @zeed-w-beez, great work on this PR! 🎯 However, CI is failing and needs to be fixed before merging:

❌ Failed Checks

🐛 Root Cause
File:
Error:
This is related to the change in

🔧 Suggested Fix
The test is trying to use a struct value where a pointer is expected. Either:

Please fix and push a new commit! Looking forward to seeing this merged. 👍
Force-pushed efbeab9 to c3598f5
Author
CI is fixed and green. Ready to merge. @yinwm
Force-pushed 7e0b5d7 to ac6a016
Author
Rebased on main.
…dling
- Added dashboard token and signing key management in launcher configuration.
- Integrated dashboard authentication into the API routes.
- Updated frontend API calls to use `launcherFetch` for consistent request handling.
- Introduced new routes for launcher login and improved URL generation for Pico events and WebSocket connections.
- Enhanced tests for dashboard secrets and URL building logic.

- Updated the login process to allow automatic token submission via URL, improving user experience.
- Refactored login handling to utilize a dedicated function for better code organization and error management.
- Added validation for search parameters to ensure proper token handling in the login route.

…onfiguration
- Reformatted function signatures and variable assignments for better clarity.
- Enhanced the EnsureDashboardSecrets function with multi-line parameters for improved readability.
- Adjusted variable unpacking in tests to align with updated function signatures.

- Adjusted the test for JSON unmarshalling to clarify that unexported fields are not populated, regardless of the presence of JSON tags.
- Removed the JSON tag from the private field in the test struct to reflect this behavior accurately.

- Implemented token-based login via URL query parameters for the launcher dashboard.
- Updated session cookie management to improve security and streamline login flow.
- Refactored related functions for better readability and maintainability.
- Added tests to validate the new token handling behavior in various scenarios.

… unnecessary config parameter
- Updated the `buildWsURL`, `buildPicoEventsURL`, and `buildPicoSendURL` functions to eliminate the unused `cfg` parameter.
- Adjusted related tests to reflect the changes in function signatures.
- Enhanced the `picoWebUIAddr` function to ensure it uses the request's host directly, improving URL accuracy for browser clients.
Force-pushed ac6a016 to 9c53b71
📝 Description

Background and goals

The Web Dashboard embedded in the Launcher and /api/* need access control so that they cannot be reached without authorization when the port is exposed (including on the LAN). This PR adds authentication to the Dashboard based on dashboard_token in launcher-config.json (or the environment variable PICOCLAW_LAUNCHER_TOKEN): on the browser side the token is submitted through a login page and stored in an HttpOnly cookie, or the request carries Authorization: Bearer <token>.

Change summary

- launcherconfig: generation/persistence of dashboard_token and auth_signing_key, plus override via PICOCLAW_LAUNCHER_TOKEN; unit tests.
- POST/GET /api/auth/login|logout|status: validates the token, sets/clears the session cookie (SameSite=Lax, Secure under HTTPS).
- LauncherDashboardAuth: requires a valid cookie or Bearer token except on public paths; normalizes paths with path.Clean to avoid bypasses of the form /assets/../api/...; /launcher-login, /assets/* and static resources such as favicon/manifest are public so the SPA login page can load.
- main.go: registers the routes above and the middleware stack.
- gateway_host: adds buildPicoEventsURL/buildPicoSendURL (and requestHTTPScheme); responses such as /api/pico/token carry events_url/send_url, going through the web port consistently with the existing buildWsURL.
- /launcher-login: React login form, i18n, theme/language switching; launcher-auth uses a plain fetch for login to avoid conflicting with the 401 redirect logic.
- launcherFetch: sends requests with cookies; on 401 + JSON it redirects to the login page; when already on the login page it does not redirect, to prevent loops; all API modules switched to launcherFetch.
- __root: on the login route AppLayout is not mounted and the chat store is not initialized; the login page is detected via address-bar pathname ∪ route, to avoid reload loops caused by gateway polling returning 401.
- lib/launcher-login-path: reusable path normalization.
- routeTree.gen.ts: registers /launcher-login.
- Makefile: build-launcher always runs pnpm build:backend, to avoid a stale embedded dist causing missing routes.
- documents/web_launcher_dashboard_auth.md: brief description of the behavior.
- security_integration_test: removed the json tag on an unexported field to pass vet (semantics unchanged: encoding/json still does not populate unexported fields).

Impact

launcher-config.json may have a random dashboard_token/auth_signing_key written to it; if PICOCLAW_LAUNCHER_TOKEN is set, the environment variable takes precedence.

🗣️ Type of Change

documents/ short note)

🤖 AI Code Generation

🔗 Related Issue

📚 Technical Context

documents/web_launcher_dashboard_auth.md.

🧪 Test Environment

- make check / go test ./web/backend/... pass
- After make build-launcher: accessing / without a cookie → redirect, or API 401 → login page; after login the Dashboard and the chat-related APIs work normally

☑️ Checklist

- make check (or an equivalent check) passes
- documents/ (or confirmed that no longer documentation is needed)
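The middleware behaviour the change summary describes (path normalization before the public-path allowlist, acceptance of either a session cookie or a Bearer token, a JSON 401 for API callers versus a redirect for page loads, and the login handler's cookie flags), as an added Go illustration that is not the project's code. The names Auth, Middleware, LoginHandler, CleanPath, IsPublic, the cookie name launcher_session and the HMAC-derived cookie value are all assumptions made here; the PR's own LauncherDashboardAuth and its cookie format are not shown on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"log"
	"net/http"
	"path"
	"strings"
)

// Names below are illustrative (assumption); the PR's LauncherDashboardAuth and cookie format are not shown on this page.
const sessionCookieName = "launcher_session" // assumed cookie name
const loginPath = "/launcher-login"

// Auth carries the two secrets the PR persists in launcher-config.json.
type Auth struct {
	DashboardToken string // the value submitted on the login page
	SigningKey     string // auth_signing_key, derives the cookie value
}

// sessionValue derives the cookie value with HMAC-SHA256 under the signing key, so
// rotating either secret invalidates sessions and the raw token never sits in the cookie jar.
func (a Auth) sessionValue() string {
	m := hmac.New(sha256.New, []byte(a.SigningKey))
	m.Write([]byte("launcher-dashboard-session:" + a.DashboardToken))
	return hex.EncodeToString(m.Sum(nil))
}

// ctEqual compares secrets in constant time and rejects empty values.
func ctEqual(x, y string) bool {
	return x != "" && subtle.ConstantTimeCompare([]byte(x), []byte(y)) == 1
}

// CleanPath normalizes before any allowlist check: "/assets/../api/pico/token" becomes "/api/pico/token".
func CleanPath(p string) string { return path.Clean("/" + p) }

// IsPublic lists what the SPA login page needs before a session exists.
func IsPublic(p string) bool {
	switch p {
	case loginPath, "/favicon.ico", "/manifest.json", "/api/auth/login", "/api/auth/status":
		return true
	}
	return strings.HasPrefix(p, "/assets/")
}
func jsonError(w http.ResponseWriter, code int, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": msg})
}

// Authorized accepts a Bearer token or a valid session cookie.
func (a Auth) Authorized(r *http.Request) bool {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return ctEqual(strings.TrimSpace(strings.TrimPrefix(h, "Bearer ")), a.DashboardToken)
	}
	if c, err := r.Cookie(sessionCookieName); err == nil {
		return ctEqual(c.Value, a.sessionValue())
	}
	return false
}

// Middleware: public paths pass; unauthenticated API calls get a JSON 401 (which the
// frontend turns into a login redirect); other navigations are redirected to the login page.
func (a Auth) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := CleanPath(r.URL.Path)
		if IsPublic(p) || a.Authorized(r) {
			next.ServeHTTP(w, r)
			return
		}
		if strings.HasPrefix(p, "/api/") {
			jsonError(w, http.StatusUnauthorized, "unauthorized")
			return
		}
		http.Redirect(w, r, loginPath, http.StatusFound)
	})
}

// LoginHandler verifies the submitted token and sets an HttpOnly, SameSite=Lax cookie, Secure when the request came in over TLS.
func (a Auth) LoginHandler(w http.ResponseWriter, r *http.Request) {
	var body struct{ Token string `json:"token"` }
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&body) != nil || !ctEqual(body.Token, a.DashboardToken) {
		jsonError(w, http.StatusUnauthorized, "invalid token")
		return
	}
	http.SetCookie(w, &http.Cookie{Name: sessionCookieName, Value: a.sessionValue(), Path: "/",
		HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: r.TLS != nil})
	w.WriteHeader(http.StatusNoContent)
}

func main() { // demo wiring with placeholder secrets (constructed, not the project's defaults)
	a := Auth{DashboardToken: "change-me", SigningKey: "change-me-too"}
	mux := http.NewServeMux()
	mux.HandleFunc("/api/auth/login", a.LoginHandler)
	mux.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("dashboard\n")) })
	log.Fatal(http.ListenAndServe("127.0.0.1:18080", a.Middleware(mux)))
}
```

Two caveats worth checking against the real implementation: the Secure flag here is decided only from r.TLS, so behind a TLS-terminating reverse proxy it would stay unset (the PR mentions a requestHTTPScheme helper, whose rules are not visible on this page), and the cookie value is an HMAC over the signing key rather than the token itself, which is an assumption chosen so that a leaked cookie does not reveal dashboard_token and rotating auth_signing_key logs every browser out.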