refactor(auth): remove sessionGateEnabled — gate is always on #538

Merged
claude-desktop merged 2 commits from dev/537 into main 2026-04-28 19:18:08 +00:00
Collaborator

Rips out the sessionGateEnabled flag and the auth.session_gate_enabled config entry — the session gate is now unconditional, fixing the blank-screen-on-fresh-deploy bug (#537).

makeSessionGateMiddleware no longer accepts { enabled }. Configs that still carry auth.session_gate_enabled get a deprecation warning at boot and the field is ignored. The SPA __root.tsx adds a /whoami probe on mount to redirect to /login on 401 as defense-in-depth.

Test plan

  • session-middleware.test.ts: removed disabled-mode test; added "gates every non-exempt path" multi-route assertion
  • webhook-config.test.ts: replaced sessionGateEnabled assertions with deprecation-no-throw test
  • Biome lint + format clean

Closes #537
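Added example (not the project's code): an always-on session gate in the shape the description above outlines, plus a config loader that tolerates the removed `auth.session_gate_enabled` field with a boot-time warning, and a `req()` helper that threads an operator session cookie through a `Request` the way the CI fix commit describes. The cookie name, the exempt list, the `SessionStore` interface and `loadAuthConfig` are assumptions for illustration.

```typescript
// Added example (not the project's code): an always-on session gate in the
// shape the PR describes, a config loader that tolerates the removed
// auth.session_gate_enabled field, and a test helper that attaches an
// operator session cookie to a Request. All names are assumptions.

const SESSION_COOKIE = "operator_session"; // assumed cookie name

// Routes that must stay reachable without a session (assumed exempt list).
const EXEMPT_PATHS: ReadonlySet<string> = new Set([
  "/login",
  "/logout",
  "/oauth/callback",
  "/healthz",
]);

interface SessionStore {
  isValid(token: string): boolean;
}

// Minimal cookie-header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
function parseCookies(header: string | null): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return out;
}

// The gate takes no `enabled` option: every non-exempt path is checked.
// Returns a 401 Response to short-circuit, or null to let the route run.
function makeSessionGateMiddleware(store: SessionStore) {
  return (req: Request): Response | null => {
    const path = new URL(req.url).pathname;
    if (EXEMPT_PATHS.has(path)) return null;
    const token = parseCookies(req.headers.get("cookie")).get(SESSION_COOKIE);
    if (token === undefined || !store.isValid(token)) {
      return new Response("unauthorized", { status: 401 });
    }
    return null;
  };
}

// Config loading: a leftover auth.session_gate_enabled must not break boot.
// It is reported once and dropped; the gate stays on regardless of its value.
function loadAuthConfig(
  raw: Record<string, unknown>,
  warn: (msg: string) => void,
): { auth: Record<string, unknown> } {
  const auth = { ...((raw.auth as Record<string, unknown> | undefined) ?? {}) };
  if ("session_gate_enabled" in auth) {
    warn("auth.session_gate_enabled is deprecated and ignored; the session gate is always on");
    delete auth.session_gate_enabled;
  }
  return { auth };
}

// Test helper in the spirit of the CI fix: build a Request for a gated route
// with the operator session cookie attached when a token is given.
function req(path: string, sessionToken?: string, init: RequestInit = {}): Request {
  const headers = new Headers(init.headers);
  if (sessionToken !== undefined) {
    headers.set("cookie", `${SESSION_COOKIE}=${sessionToken}`);
  }
  return new Request(`http://localhost${path}`, { ...init, headers });
}

// Constructed store with a single valid token, for the stand-alone run.
const demoStore: SessionStore = { isValid: (t) => t === "tok-valid" };
const gate = makeSessionGateMiddleware(demoStore);

// Exercises the gate on a gated route and an exempt one; null means pass-through.
function demo(): Record<string, number | null> {
  return {
    statsNoCookie: gate(req("/stats"))?.status ?? null, // 401
    statsWithCookie: gate(req("/stats", "tok-valid"))?.status ?? null, // null
    statsBadCookie: gate(req("/stats", "tok-bogus"))?.status ?? null, // 401
    loginNoCookie: gate(req("/login"))?.status ?? null, // null (exempt)
  };
}

console.log(demo());
```

The point worth checking in a test like the one named in the plan is that a request without a cookie gets 401 on every non-exempt route while an exempt route passes, and that a valid cookie is the only thing that opens the gate; the deprecation path is checked separately so a stale config warns once and keeps its other keys.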

dev self-assigned this 2026-04-28 15:49:59 +00:00
refactor(auth): remove sessionGateEnabled — gate is always on
Some checks failed
qa / qa (pull_request) Failing after 11m12s
qa / dockerfile (pull_request) Successful in 15s
291f645bd0
The session gate is now unconditional. Drops the `sessionGateEnabled`
field from `WebhookConfig`, the `auth.session_gate_enabled` schema entry,
and the inference from `publicBaseUrl`. `makeSessionGateMiddleware` no
longer accepts an `enabled` option; `main.ts` mounts it without a flag.
Existing configs carrying `auth.session_gate_enabled` get a deprecation
warning at boot. Adds a `/whoami`-based 401 probe on mount in `__root.tsx`
as defense-in-depth. Closes #537

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(ci): add session cookies to tests broken by always-on session gate
All checks were successful
qa / qa (pull_request) Successful in 12m0s
qa / dockerfile (pull_request) Successful in 14s
17224ff3cd
Seven test files called handleRequest for gated operator routes
(/stats, /usage, /history, /agents, /agents/health, /queue, /board,
/watchdog/status, etc.) without a session cookie. Removing
sessionGateEnabled and making the gate unconditional (#537) caused
all of them to receive 401 instead of the expected 200/400/etc.

Fix: inject a valid operator session in beforeEach/beforeAll of each
affected file and thread the cookie through every req() helper and
raw Request construction.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dev requested review from reviewer 2026-04-28 16:23:44 +00:00
claude-desktop left a comment

Verified locally: bun run typecheck clean, bun test apps/server green except 4 pre-existing fails on main (3× session JSONL pruning, 1× foreman session CRUD listSessions) — unrelated to this PR.

Closes #537. Smaller scope than the parallel #539 (which I'm closing — the /api/* prefix work it carried will be reopened as a separate follow-up issue, since it's an orthogonal cleanup and shouldn't gate the blank-screen fix).

Note for the dev follow-up: this PR keeps the hardcoded exempt list. Two extras that should land soon (operator hit them today during sign-in):

  • loginError() in forgejo-oauth.ts should add read:user to FORGEJO_SCOPES (currently read:repository write:repository write:hook — operator's first OAuth round-trip got 403 on /api/v1/user profile fetch)
  • buildInitHref in routes/login.tsx captures the current path as return, which loops the operator back to the login page after callback. Should fall back to / when the current path is /login or /app/login
  • Logout button in app-shell.tsx uses cfg.auth.authelia_logout_url from /whoami. With Authelia ripped on the proxy side today, the cleaner pattern is <form method="POST" action="/logout"> hitting the native session-clear endpoint

I have working diffs for all three locally; will open a follow-up PR after this merges.
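Added example (not the project's code, and not the follow-up diffs mentioned in the comment): one way to compute the `return` value for the OAuth init link so the operator is not looped back to the login page after the callback. It falls back to `/` for `/login` and `/app/login` as the note suggests, and additionally treats anything that is not a same-origin absolute path as `/`, so the parameter cannot be used as an open redirect. `safeReturnPath`, `LOGIN_PATHS` and the `/oauth/init` path are assumptions.

```typescript
// Added example (not the project's code): post-login return-path handling for
// the OAuth init href. Names and the init path are assumptions.

const LOGIN_PATHS: ReadonlySet<string> = new Set(["/login", "/app/login"]);

// Returns a safe same-origin path to send the operator back to after the
// OAuth callback. Anything that would loop to a login page or leave the
// origin becomes "/".
function safeReturnPath(current: string): string {
  // Must be an absolute path on this origin: exactly one leading "/".
  // "//host" and "/\host" are treated as scheme-relative by browsers.
  if (!current.startsWith("/") || current.startsWith("//") || current.startsWith("/\\")) {
    return "/";
  }
  // Compare the path component only, so "/login?x=1" still falls back.
  const pathOnly = current.replace(/[?#].*$/, "");
  if (LOGIN_PATHS.has(pathOnly)) return "/";
  return current;
}

// Builds the href that starts the OAuth flow, carrying the sanitized return.
function buildInitHref(current: string, initPath = "/oauth/init"): string {
  const params = new URLSearchParams({ return: safeReturnPath(current) });
  return `${initPath}?${params.toString()}`;
}

// Stand-alone run over a few constructed current paths.
for (const p of ["/board", "/login", "/app/login?return=%2F", "//evil.example"]) {
  console.log(p, "->", buildInitHref(p));
}
```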

Reference
charles/claude-hooks!538