feat(auth): bounce to /login.html on 401 so AUTH_ENABLED=true gives a real login #26

Merged
zgaetano merged 1 commit from feat/auth-login-redirect into main 2026-05-23 16:41:25 -04:00
Summary

The login flow already exists end-to-end (the form is in services/web-ui/public/login.html, backed by POST /api/v1/auth/login and POST /api/v1/auth/setup), but the SPA never bounces to it. Flipping AUTH_ENABLED=true on mam-api today would just leave the app stuck on the loading screen because /auth/me would 401 and the wrapper would silently throw.

This adds a single check in apiFetch: any 401 redirects to /login.html (unless we're already there).

Behaviour

  • AUTH_ENABLED=false (current state): /auth/me returns the synthetic operator with 200, the new branch is dormant, nothing changes.
  • AUTH_ENABLED=true, no session: any API call (the page boots by fetching /projects, /assets, /recorders, /auth/me, etc.) hits 401, the wrapper redirects to /login.html. The operator runs the "Create admin account" flow once, signs in, and lands on home.html with a real session.
  • Loop guard: if we're already on /login.html, the redirect is skipped (login.html uses its own fetch, not apiFetch, so this is defensive).

Roll-out

  1. Land this PR (safe with AUTH_ENABLED=false).
  2. Update /mnt/NVME/MAM/wild-dragon/.env on TrueNAS: set AUTH_ENABLED=true and a non-default SESSION_SECRET.
  3. Restart mam-api.
  4. Visit any page → bounce to /login.html → "Create admin account" → sign in.

Test plan

  • Deploy, hit / — page still loads as before (auth still off, synthetic user shows in sidebar)
  • On the server, flip AUTH_ENABLED=true and restart mam-api; reload the app — redirect to /login.html
  • Click "Create admin account", complete the setup, sign in — land on the SPA with the real user in the sidebar bottom-left
  • Click "Sign out" — reload bounces back to /login.html

🤖 Generated with Claude Code

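The 401 branch the PR describes, as an added example that is not the project's `apiFetch` or any code from the PR: a wrapper that bounces to `/login.html` on a 401, skips the bounce when the page already is `login.html`, and, going one step beyond the description, navigates only once when several boot requests 401 together. The names `decideOnStatus`, `fakeFetch`, `fakeLocation`, `demo` and the injected `fetchImpl`/`loc` are assumptions made for offline testing; the `/api/v1/auth/me` path only follows the route prefix the PR names.

```javascript
const LOGIN_PATH = "/login.html";
// Pure decision: "ok" for anything but 401, "stay" when already on
// login.html (loop guard), otherwise "redirect". Assumed name.
function decideOnStatus(status, pathname) {
  if (status !== 401) return "ok";
  return pathname === LOGIN_PATH ? "stay" : "redirect";
}
let redirecting = false; // several boot requests may 401 at once

async function apiFetch(path, options = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl ?? globalThis.fetch;
  const loc = deps.loc ?? globalThis.location;
  const res = await fetchImpl(path, options);
  const decision = decideOnStatus(res.status, loc.pathname);
  if (decision === "redirect" && !redirecting) {
    redirecting = true;
    loc.assign(LOGIN_PATH);
  }
  // Throw on 401 either way so no caller treats the body as data.
  if (decision !== "ok") throw new Error(`unauthorized: ${path}`);
  if (!res.ok) throw new Error(`HTTP ${res.status} on ${path}`);
  return res.json();
}

// Constructed stand-ins for the server and window.location.
function fakeFetch(authEnabled) {
  return async (path) => {
    if (!authEnabled && path === "/api/v1/auth/me") {
      return { ok: true, status: 200, json: async () => ({ synthetic: true }) };
    }
    return { ok: false, status: 401, json: async () => ({}) };
  };
}
function fakeLocation(pathname) {
  const loc = { pathname, redirectedTo: null };
  loc.assign = (url) => { loc.redirectedTo = url; };
  return loc;
}

// Runs one request and reports whether the wrapper threw and where it sent us.
async function demo(authEnabled, pathname) {
  redirecting = false;
  const loc = fakeLocation(pathname);
  try {
    await apiFetch("/api/v1/auth/me", {}, { fetchImpl: fakeFetch(authEnabled), loc });
    return { threw: false, redirectedTo: loc.redirectedTo };
  } catch (e) {
    return { threw: true, redirectedTo: loc.redirectedTo };
  }
}
```

With `AUTH_ENABLED=false` the fake `/auth/me` answers 200 and the branch stays dormant; with it on, a page other than `login.html` is sent to `/login.html` exactly once, and `login.html` itself only sees the thrown error.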
zgaetano added 1 commit 2026-05-23 16:41:15 -04:00
apiFetch now redirects to /login.html when the server returns 401, so
flipping AUTH_ENABLED=true on mam-api gives the user the login screen
instead of a half-loaded app that silently failed to fetch /auth/me.

While AUTH_ENABLED=false the server's /auth/me still returns a synthetic
200 user, so this branch is dormant — safe to deploy ahead of the env
flip on the server. After the flip the operator visits /login.html
(directly or via auto-redirect), runs the "Create admin account" flow
once, and lands back on the SPA with a real session.

Guards against a redirect loop if login.html itself somehow lands here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
zgaetano merged commit 53049d1c4d into main 2026-05-23 16:41:25 -04:00
zgaetano deleted branch feat/auth-login-redirect 2026-05-23 16:41:25 -04:00
Reference: WildDragonLLC/dragonflight#26