Skip to content

fix(web): redirect unauthenticated remote dashboard to /login#79

Merged
cidrblock merged 8 commits into
redhat-developer:mainfrom
cidrblock:feat/auth-redirect-unauthenticated
Jul 17, 2026
Merged

fix(web): redirect unauthenticated remote dashboard to /login#79
cidrblock merged 8 commits into
redhat-developer:mainfrom
cidrblock:feat/auth-redirect-unauthenticated

Conversation

@cidrblock

@cidrblock cidrblock commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Unauthenticated non-local browser visits to /, /index.html, and SPA deep-links now 302 → /login when HTTP auth is enabled.
  • Fixes the empty dashboard UX (No providers configured) caused by the SPA loading while /api/* returns 401.
  • Auto-session requires a local TCP peer and every Host / X-Forwarded-Host value to be loopback.
  • SPA catch-all does not swallow /api, /v1, or /mcp — those return JSON 404 when unmatched.
  • Host parsing preserves bare IPv6 loopback (::1); dashboard HTML is Cache-Control: no-store.
  • Local/dev unchanged: loopback + localhost Host auto-session; ABBENAY_HTTP_AUTH=0 escape hatch (loopback bind only).

Background

Auth disable for local use already exists (ABBENAY_HTTP_AUTH=0 / docs in CONFIGURATION, CONTAINER, GETTING_STARTED). This PR closes the gap where remote users hit / without cookies and saw a blank config UI.

Test plan

  • vitest http-security unit + integration (Host locality, SPA /providers redirect, API JSON 404, Cache-Control)
  • Manual: LAN / HTTPS hostname → redirects to /login (verified by reviewer)
  • Manual: after login, providers/models render (verified by reviewer)
  • Manual: aby web on 127.0.0.1 still opens dashboard without login form
  • Manual: ABBENAY_HTTP_AUTH=0 on loopback still serves dashboard without token

Copilot AI review requested due to automatic review settings July 17, 2026 18:04

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the daemon’s web dashboard security flow so that, when HTTP auth is enabled and the server is bound beyond loopback, unauthenticated browser visits to the dashboard entrypoint redirect to /login instead of loading the SPA in an unauthenticated state (which previously produced an “empty dashboard” UX when /api/* returned 401).

Changes:

  • Add a shared isLoopbackRemoteAddress helper and a shouldRedirectDashboardToLogin policy function.
  • Apply the redirect decision in the dashboard HTML handler (GET / and GET /index.html) to send unauthenticated remote clients to /login.
  • Extend unit/integration coverage for the new policy behavior and document the redirect behavior in user docs.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
packages/daemon/tests/integration/http-security.test.ts Adds an integration assertion that localhost binds still serve the dashboard without prior cookies.
packages/daemon/src/daemon/web/server.ts Routes unauthenticated dashboard HTML requests through the new redirect policy.
packages/daemon/src/daemon/web/http-security.ts Introduces loopback detection and redirect policy helpers.
packages/daemon/src/daemon/web/http-security.test.ts Adds unit tests for loopback detection and redirect policy decisions.
docs/GETTING_STARTED.md Documents / → /login behavior for remote binds and reiterates the auth-disable escape hatch constraints.
docs/CONFIGURATION.md Documents redirect behavior on non-loopback binds and clarifies API vs browser unauthenticated behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/daemon/src/daemon/web/server.ts Outdated
Copilot AI review requested due to automatic review settings July 17, 2026 18:25

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@sudhirverma sudhirverma left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — verified LAN / → /login redirect and Ollama dashboard after login.

cidrblock added a commit to cidrblock/abbenay that referenced this pull request Jul 17, 2026
Reverse proxies often appear as loopback peers after TLS termination.
Gate auto-session and skip-redirect on both local TCP peer and local
Host/X-Forwarded-Host so public hostnames always hit /login.

Addresses Copilot review on redhat-developer#79.
Copilot AI review requested due to automatic review settings July 17, 2026 18:41
@cidrblock
cidrblock force-pushed the feat/auth-redirect-unauthenticated branch from 9348e1d to c8a60b1 Compare July 17, 2026 18:41

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Comment thread packages/daemon/src/daemon/web/http-security.ts Outdated
Comment thread packages/daemon/src/daemon/web/http-security.test.ts
Comment thread packages/daemon/src/daemon/web/http-security.ts
Comment thread packages/daemon/src/daemon/web/http-security.test.ts Outdated
Copilot AI review requested due to automatic review settings July 17, 2026 18:54
cidrblock added a commit to cidrblock/abbenay that referenced this pull request Jul 17, 2026
Reverse proxies often appear as loopback peers after TLS termination.
Gate auto-session and skip-redirect on both local TCP peer and local
Host/X-Forwarded-Host so public hostnames always hit /login.

Addresses Copilot review on redhat-developer#79.
@cidrblock
cidrblock force-pushed the feat/auth-redirect-unauthenticated branch from 602dcb2 to 9d275f5 Compare July 17, 2026 18:55

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Comment thread packages/daemon/src/daemon/web/http-security.ts Outdated
Comment thread packages/daemon/src/daemon/web/http-security.test.ts
Comment thread packages/daemon/tests/integration/http-security.test.ts
Comment thread packages/daemon/src/daemon/web/http-security.test.ts
Copilot AI review requested due to automatic review settings July 17, 2026 18:59

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Comment thread packages/daemon/src/daemon/web/http-security.ts Outdated
Comment thread packages/daemon/tests/integration/http-security.test.ts Outdated
Comment thread packages/daemon/src/daemon/web/server.ts
Copilot AI review requested due to automatic review settings July 17, 2026 19:04

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread docs/GETTING_STARTED.md Outdated
Copilot AI review requested due to automatic review settings July 17, 2026 19:10

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread packages/daemon/src/daemon/web/server.ts
Copilot AI review requested due to automatic review settings July 17, 2026 19:17

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread packages/daemon/src/daemon/web/server.ts
Copilot AI review requested due to automatic review settings July 17, 2026 19:23

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

When auth is enabled on a non-loopback bind, serve /login instead of the
SPA for clients without a session cookie. Remote users were seeing an empty
"No providers configured" dashboard because /api/* returned 401.

Local use is unchanged: localhost binds and loopback clients still
auto-establish cookies. ABBENAY_HTTP_AUTH=0 remains the escape hatch for
throwaway local development (loopback only).
Reverse proxies often appear as loopback peers after TLS termination.
Gate auto-session and skip-redirect on both local TCP peer and local
Host/X-Forwarded-Host so public hostnames always hit /login.

Addresses Copilot review on redhat-developer#79.
Preserve bare IPv6 loopback Host values, take the first X-Forwarded-Host
entry, and cover both in unit tests.
Require every Host / X-Forwarded-Host value to be loopback before
auto-session, and cover spoofed multi-value chains plus a GET /
integration redirect behind a public forwarded host.
Tighten the localhost dashboard integration assertion and update
serveDashboardHtml / GETTING_STARTED prose so they match the
peer-and-Host auto-session policy.
Route the catch-all dashboard HTML handler through serveDashboardHtml
so paths like /providers use the same Host locality policy as /.
Set Cache-Control inside serveDashboardHtml so SPA deep-links cannot
cache a stale embedded CSRF token.
Copilot AI review requested due to automatic review settings July 17, 2026 19:31
@cidrblock
cidrblock force-pushed the feat/auth-redirect-unauthenticated branch from 8b99bf6 to 3b60106 Compare July 17, 2026 19:31

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread packages/daemon/src/daemon/web/server.ts Outdated
Unknown /api, /v1, and /mcp GETs return JSON 404 instead of dashboard
HTML or a /login redirect from the SPA fallback.
Copilot AI review requested due to automatic review settings July 17, 2026 19:37

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

@cidrblock
cidrblock merged commit 8d49d22 into redhat-developer:main Jul 17, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants