th-bc624a: Big Smooth UI sign-in (click-to-login th over the web UI)#216
Merged
Conversation
… over the daemon) Lets a user viewing the Big Smooth web UI remotely (e.g. over tailscale) log `th` into Smoo AI by clicking a button instead of SSHing in to run `th auth login`. Adds GET /auth/login (mint PKCE + CSRF state, 302 to smoo.ai/cli-login), GET /auth/callback (single-use state validation + token exchange, persist the user session), and GET /api/auth/status. The callback URL is derived from Host + X-Forwarded-Proto; the PKCE primitives are copied from smooth-cli (bigsmooth can't depend on the CLI). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🦋 Changeset detectedLatest commit: 1091e3c The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
To log the Big Smooth daemon's
thinto Smoo AI you currently have to SSH to the host and runth auth login(which opens a localhost-callback browser flow). A user viewing the Big Smooth web UI remotely (e.g. over a tailscale-served origin) has no way to sign in from the browser.Solution
Route the same browser OAuth2 + PKCE flow through the daemon itself, so a "Sign in to Smoo AI" button in the web UI is all that's needed.
New routes on the Big Smooth axum server (
smooth-bigsmooth):GET /auth/login— derives the daemon's own callback URL from the request (X-Forwarded-Protoheader, defaulthttp, +Host), mints a PKCE pair + CSRFstate, stashes the verifier in a single-use in-memory store (10-min TTL, pruned on insert), and 302s tosmoo.ai/cli-login?redirect_uri=…&state=…&code_challenge=…&code_challenge_method=S256.GET /auth/callback— single-use-removes thestate(CSRF/expiry → fail closed), exchanges the code atsmoo.ai/api/token, persists a userCredentialsto~/.smooth/auth/smooai-user.json(the same fileth's user-authed API calls read), and renders a success/failure HTML page. Surfaces an upstreamerror=(user cancelled) as a friendly page.GET /api/auth/status—{ loggedIn, user, orgId }; never errors on a missing session file.Web UI (
smooth-web): a minimal sidebar affordance polls/api/auth/statusand shows "Signed in as …" or a plain-anchor Sign in to Smoo AI button (plain<a>, so the browser follows the daemon's 302 rather than client-routing).The PKCE / URL-building / callback-parsing / token-exchange primitives are copied from
smooth-cli(auth::{browser_login,pkce}) becausesmooth-bigsmoothcan't depend onsmooth-cli(the CLI depends on the lib, not vice-versa). Aponytail:comment marks the duplication for extraction if a third consumer appears.Credentials/CredentialsStorecome from the sharedsmooai-client-sharedcrate (same dep +authfeature the CLI uses).Security notes
stateis single-use and validated before the code is touched; unknown/expired state fails closed. Verifiers and tokens are never logged.smoo.ai/cli-loginmay whitelist only127.0.0.1redirect_uris (the CLI flow always uses a loopback callback). If so, this daemon-originredirect_uri(e.g.https://smooth.<tailnet>.ts.net/auth/callback) will be rejected at the smoo.ai side on first real use, and we'd need aredirect_uriallowlist entry on the smoo.ai side (or a device-code flow instead). Noredirect_urivalidation exists in this repo — it lives entirely on the smoo.ai side.Tests
cargo test -p smooai-smooth-bigsmooth auth_login— redirect_uri derivation (Host + X-Forwarded-Proto, first-hop, missing-Host), pending-store insert / TTL-expiry / single-use removal / prune-on-insert, callback parsing incl. state-mismatch / missing-code / access-denied / percent-decode, authorize-URL building, and the RFC 7636 challenge vector. All green.🤖 Generated with Claude Code