fix(web): redirect unauthenticated remote dashboard to /login#79
Merged
cidrblock merged 8 commits intoJul 17, 2026
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the daemon’s web dashboard security flow so that, when HTTP auth is enabled and the server is bound beyond loopback, unauthenticated browser visits to the dashboard entrypoint redirect to /login instead of loading the SPA in an unauthenticated state (which previously produced an “empty dashboard” UX when /api/* returned 401).
Changes:
- Add a shared
isLoopbackRemoteAddresshelper and ashouldRedirectDashboardToLoginpolicy function. - Apply the redirect decision in the dashboard HTML handler (
GET /andGET /index.html) to send unauthenticated remote clients to/login. - Extend unit/integration coverage for the new policy behavior and document the redirect behavior in user docs.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| packages/daemon/tests/integration/http-security.test.ts | Adds an integration assertion that localhost binds still serve the dashboard without prior cookies. |
| packages/daemon/src/daemon/web/server.ts | Routes unauthenticated dashboard HTML requests through the new redirect policy. |
| packages/daemon/src/daemon/web/http-security.ts | Introduces loopback detection and redirect policy helpers. |
| packages/daemon/src/daemon/web/http-security.test.ts | Adds unit tests for loopback detection and redirect policy decisions. |
| docs/GETTING_STARTED.md | Documents / → /login behavior for remote binds and reiterates the auth-disable escape hatch constraints. |
| docs/CONFIGURATION.md | Documents redirect behavior on non-loopback binds and clarifies API vs browser unauthenticated behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
sudhirverma
approved these changes
Jul 17, 2026
sudhirverma
left a comment
Contributor
There was a problem hiding this comment.
LGTM — verified LAN / → /login redirect and Ollama dashboard after login.
cidrblock
added a commit
to cidrblock/abbenay
that referenced
this pull request
Jul 17, 2026
Reverse proxies often appear as loopback peers after TLS termination. Gate auto-session and skip-redirect on both local TCP peer and local Host/X-Forwarded-Host so public hostnames always hit /login. Addresses Copilot review on redhat-developer#79.
cidrblock
force-pushed
the
feat/auth-redirect-unauthenticated
branch
from
July 17, 2026 18:41
9348e1d to
c8a60b1
Compare
cidrblock
added a commit
to cidrblock/abbenay
that referenced
this pull request
Jul 17, 2026
Reverse proxies often appear as loopback peers after TLS termination. Gate auto-session and skip-redirect on both local TCP peer and local Host/X-Forwarded-Host so public hostnames always hit /login. Addresses Copilot review on redhat-developer#79.
cidrblock
force-pushed
the
feat/auth-redirect-unauthenticated
branch
from
July 17, 2026 18:55
602dcb2 to
9d275f5
Compare
When auth is enabled on a non-loopback bind, serve /login instead of the SPA for clients without a session cookie. Remote users were seeing an empty "No providers configured" dashboard because /api/* returned 401. Local use is unchanged: localhost binds and loopback clients still auto-establish cookies. ABBENAY_HTTP_AUTH=0 remains the escape hatch for throwaway local development (loopback only).
Reverse proxies often appear as loopback peers after TLS termination. Gate auto-session and skip-redirect on both local TCP peer and local Host/X-Forwarded-Host so public hostnames always hit /login. Addresses Copilot review on redhat-developer#79.
Preserve bare IPv6 loopback Host values, take the first X-Forwarded-Host entry, and cover both in unit tests.
Require every Host / X-Forwarded-Host value to be loopback before auto-session, and cover spoofed multi-value chains plus a GET / integration redirect behind a public forwarded host.
Tighten the localhost dashboard integration assertion and update serveDashboardHtml / GETTING_STARTED prose so they match the peer-and-Host auto-session policy.
Route the catch-all dashboard HTML handler through serveDashboardHtml so paths like /providers use the same Host locality policy as /.
Set Cache-Control inside serveDashboardHtml so SPA deep-links cannot cache a stale embedded CSRF token.
cidrblock
force-pushed
the
feat/auth-redirect-unauthenticated
branch
from
July 17, 2026 19:31
8b99bf6 to
3b60106
Compare
Unknown /api, /v1, and /mcp GETs return JSON 404 instead of dashboard HTML or a /login redirect from the SPA fallback.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/,/index.html, and SPA deep-links now 302 →/loginwhen HTTP auth is enabled.No providers configured) caused by the SPA loading while/api/*returns401.Host/X-Forwarded-Hostvalue to be loopback./api,/v1, or/mcp— those return JSON 404 when unmatched.::1); dashboard HTML isCache-Control: no-store.ABBENAY_HTTP_AUTH=0escape hatch (loopback bind only).Background
Auth disable for local use already exists (
ABBENAY_HTTP_AUTH=0/ docs in CONFIGURATION, CONTAINER, GETTING_STARTED). This PR closes the gap where remote users hit/without cookies and saw a blank config UI.Test plan
vitesthttp-securityunit + integration (Host locality, SPA/providersredirect, API JSON 404, Cache-Control)/login(verified by reviewer)aby webon127.0.0.1still opens dashboard without login formABBENAY_HTTP_AUTH=0on loopback still serves dashboard without token