Replace Node UI token bootstrap with dashboard sessions #1428
Add dashboard username/password login
…wups Refine dashboard login follow-up boundaries
| // widening the api.ts surface. | ||
| async function post<T = unknown>(path: string, body: unknown): Promise<T> { | ||
| const res = await fetch(path, { | ||
| const res = await apiFetch(path, { |
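Review bot: The `post` helper still declares `path: string` while the call inside it moves from `fetch(path, {` to `apiFetch(path, {`, so nothing in this helper limits which URLs reach the new wrapper. If `apiFetch` is meant only for the dashboard's own daemon routes, narrow the parameter type at this helper boundary or validate `path` before the call. Also check that the comment ending "widening the api.ts surface" still describes the helper now that it calls into `apiFetch`.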
🔴 Bug: Ontology install helper breaks the new daemonFetch path contract
What's wrong
The PR introduces a typed same-origin fetch boundary for dashboard-session requests, but this changed call passes a plain string into that boundary. That weakens the contract and is likely to break TypeScript compilation for ontology install.
Example
post('/api/sub-graph/create', ...) is valid at runtime, but inside post the literal has been widened to string, so apiFetch(path, ...) no longer satisfies the new DaemonPath contract.
Suggested direction
Keep the typed same-origin boundary by using DaemonPath at the helper boundary or validating with daemonPath.
For Agents
In packages/node-ui/src/ui/lib/ontologyInstall.ts, change the helper to accept DaemonPath or wrap the argument with daemonPath(path) before calling apiFetch. Preserve the same-origin path guard and type-check this file.
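The same-origin path contract discussed in the comment above, as an added TypeScript sketch that is not part of the PR or of the reviewer's comment. The names DaemonPath and daemonPath come from the page; their bodies here, along with planPost, isRejected and the X-CSRF-Token header name, are assumptions made for illustration.

```typescript
// Hypothetical sketch: these bodies are assumptions, not the PR's implementation.
// Branded type: structurally a string, but a plain `string` is not assignable to it,
// so planPost('/api/x', ...) with an unvalidated string fails type-checking.
type DaemonPath = string & { readonly __brand: 'DaemonPath' };

// Conservative allowlist for a same-origin path: exactly one leading slash, then
// URL-safe characters only. Backslashes, whitespace and control characters are
// refused because URL parsers can normalise them into "//host" (cross-origin).
const SAFE_PATH = /^\/(?!\/)[A-Za-z0-9._~\-\/?&=%]*$/;

function daemonPath(raw: string): DaemonPath {
  if (!SAFE_PATH.test(raw)) {
    throw new TypeError(`not a same-origin daemon path: ${JSON.stringify(raw)}`);
  }
  return raw as DaemonPath;
}

// Stand-in for a credentialed fetch wrapper: it only describes the request, so the
// example runs offline. The CSRF header name is a constructed placeholder.
interface PlannedRequest {
  url: DaemonPath;
  method: string;
  credentials: 'same-origin';
  headers: Record<string, string>;
  body: string;
}

function planPost(path: DaemonPath, body: unknown, csrfToken: string): PlannedRequest {
  return {
    url: path,
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrfToken },
    body: JSON.stringify(body),
  };
}

// Helper boundary: a helper that accepts `string` must run the guard itself, so a
// widened literal can never reach the credentialed request unchecked.
function post(path: string, body: unknown, csrfToken: string): PlannedRequest {
  return planPost(daemonPath(path), body, csrfToken);
}

// Returns true when the guard refuses the input.
function isRejected(raw: string): boolean {
  try { daemonPath(raw); return false; } catch { return true; }
}
```
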
| try { | ||
| const { ensureDashboardCredentials } = await import('../daemon/dashboard-credentials.js'); | ||
| return await ensureDashboardCredentials(); | ||
| } catch (err: any) { |
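Review bot: `catch (err: any)` on the last line of this hunk turns off type checking for the caught value; prefer `catch (err: unknown)` and narrow with `err instanceof Error` before reading its fields. The dynamic `import('../daemon/dashboard-credentials.js')` also sits inside the same `try`, so a module load failure is handled exactly like a credential failure; consider distinguishing the two cases in whatever this handler logs.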
🟡 Issue: Init dashboard credential failure path is untested
What's wrong
The new init flow intentionally catches dashboard credential creation failures so dkg init can continue, but the added init tests only cover success and auth-disabled paths. A regression that rethrows here would break first-run setup when a stale or corrupt credential file exists, and the current init test suite would not catch it.
Example
A focused regression test can create an invalid dashboard.credentials.json, call ensureDashboardCredentialsForInit(true), and assert it resolves null plus logs the reset-password guidance instead of throwing.
Suggested direction
Add an init-specific regression test for invalid or unreadable dashboard credentials so the best-effort contract is pinned.
For Agents
Add coverage in packages/cli/test/init-dashboard-credentials.test.ts for the catch path in ensureDashboardCredentialsForInit: seed an invalid credential file under DKG_HOME, call the helper with auth enabled, assert no throw, null result, and warning guidance. Preserve existing create/rerun/auth-disabled behavior.
Summary
- window.__DKG_TOKEN__ bootstrap from production /ui and Vite dev serving, so the static SPA no longer receives a reusable daemon bearer token.
- HttpOnly SameSite=Strict cookies, loopback bootstrap, token exchange, logout/status/CSRF endpoints, and CSRF checks for unsafe dashboard API requests.
Related
Files changed
- packages/cli/src/daemon/dashboard-session.ts
- packages/cli/src/auth.ts
- packages/cli/src/daemon/lifecycle.ts
- packages/node-ui/src/api.ts, packages/node-ui/vite.config.ts
- packages/node-ui/src/ui/**: apiFetch, removes EventSource query tokens, and avoids sending dashboard credentials to external RPC URLs.
- packages/node-ui/e2e/**, packages/node-ui/test/**, packages/cli/test/**
- scripts/devnet-test-node-ui-smoke.sh
- .github/workflows/ci.yml: build:ui contract check for no __DKG_TOKEN__ and valid referenced assets.
- agent-docs/**
Test plan
- pnpm --filter @origintrail-official/dkg exec vitest run --config vitest.unit.config.ts test/auth.test.ts test/dashboard-session.test.ts passed: 44 tests.
- pnpm --filter @origintrail-official/dkg-node-ui exec vitest run test/api-routes.test.ts test/ui-compat.test.ts test/ui-api-pure.test.ts test/pca-api.test.ts test/web3-clients.test.ts test/use-current-agent.test.ts test/openclaw-bridge.test.ts --no-file-parallelism passed: 296 passed, 38 skipped.
- pnpm --filter @origintrail-official/dkg-node-ui exec tsc --noEmit passed.
- pnpm --filter @origintrail-official/dkg exec tsc --noEmit passed.
- pnpm --filter @origintrail-official/dkg-node-ui run build:ui passed; existing chunk-size / mock-subgraph export warnings only.
- packages/node-ui/dist-ui/index.html passed: no __DKG_TOKEN__, referenced assets present.
- pnpm --filter @origintrail-official/dkg run build passed.
- scripts/devnet-test-node-ui-smoke.sh against a one-node WSL devnet passed: PASS=11 FAIL=0.
- PLAYWRIGHT_DEVNET_TIMEOUT_MS=300000 PW_HEADLESS=1 pnpm exec playwright test e2e/specs/auth-session.spec.ts passed on the standard four-node real-node devnet: 1 passed.