fix(docker): let dashboard/playground load when auth gate is active #2039
Open
ntohidi wants to merge 1 commit into
…2037)

The AuthGateMiddleware blocked UI static pages with 401 because browsers cannot attach Authorization headers to top-level navigation. The UI shell serves no data, so it is safe to load without credentials.

- Add public_prefixes to AuthGateMiddleware for prefix-based path bypass
- Register /dashboard, /playground, /static as public prefixes
- Add token input bar to both playground and dashboard UIs
- Replace all bare fetch() calls with authFetch() that attaches Bearer token
- Append ?token= to monitor WebSocket URL (gate already accepts it for WS)

All API/data routes remain fail-closed behind the auth gate.

Closes #2037
Summary

Fixes #2037 — Docker v0.9.0 dashboard and playground return 401 when `CRAWL4AI_API_TOKEN` is set because `AuthGateMiddleware` blocks the static UI pages before any HTML can load.

Root cause: The middleware only accepts `Authorization: Bearer` headers for HTTP requests. Browsers can't attach custom headers to top-level navigation, creating a catch-22: the HTML can't load to bootstrap the JS that would send auth headers.

Fix:
- Add `public_prefixes` to `AuthGateMiddleware` so `/dashboard`, `/playground`, `/static` serve without credentials (they contain no data, only HTML/CSS/JS)
- `sessionStorage`
- Replace all bare `fetch()` calls with `authFetch()` that attaches `Authorization: Bearer <token>`
- Append `?token=` to the monitor WebSocket URL (the gate already accepts this for WS)

All API/data routes remain fail-closed behind the auth gate.

Test plan
- `curl http://localhost:11235/dashboard` returns 200 (HTML) with `CRAWL4AI_API_TOKEN` set
- `curl http://localhost:11235/playground` returns 200 (HTML) with `CRAWL4AI_API_TOKEN` set
- `curl -X POST http://localhost:11235/crawl` returns 401 (API stays gated)
- `curl -H "Authorization: Bearer <token>" -X POST http://localhost:11235/crawl` returns 200
- `CRAWL4AI_API_TOKEN`, server binds loopback only (unchanged behavior)
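
The gate behaviour this description outlines, as a dependency-free ASGI sketch added here for illustration; it is not code from this PR or from the project. `AuthGate`, `is_public`, `demo_app` and `probe` are hypothetical names, and the whole-segment matching and dot-segment rejection are assumptions about how a prefix bypass should be written so that it stays fail-closed, not a description of what the PR implements.

```python
import asyncio
import hmac
from urllib.parse import parse_qs

PUBLIC_PREFIXES = ("/dashboard", "/playground", "/static")  # prefixes named in the PR

def is_public(path, prefixes=PUBLIC_PREFIXES):
    """Match whole path segments only; paths with dot segments are never public."""
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    return any(path == p or path.startswith(p + "/") for p in prefixes)

class AuthGate:
    """Hypothetical ASGI gate: public UI shell, fail-closed for everything else."""
    def __init__(self, app, token, prefixes=PUBLIC_PREFIXES):
        self.app, self.token, self.prefixes = app, token.encode(), prefixes

    def _authorized(self, scope):
        if scope["type"] == "websocket":  # browsers cannot set WS headers: ?token=
            query = parse_qs(scope.get("query_string", b"").decode("latin-1"))
            supplied = query.get("token", [""])[0]
        else:  # HTTP: Authorization: Bearer <token>
            header = dict(scope.get("headers", [])).get(b"authorization", b"")
            scheme, _, supplied = header.decode("latin-1").partition(" ")
            supplied = supplied.strip() if scheme.lower() == "bearer" else ""
        return bool(supplied) and hmac.compare_digest(supplied.encode(), self.token)

    async def __call__(self, scope, receive, send):
        passthrough = scope["type"] not in ("http", "websocket")  # e.g. lifespan
        if passthrough or is_public(scope["path"], self.prefixes) or self._authorized(scope):
            return await self.app(scope, receive, send)
        if scope["type"] == "websocket":
            return await send({"type": "websocket.close", "code": 1008})
        await send({"type": "http.response.start", "status": 401, "headers": []})
        await send({"type": "http.response.body", "body": b"unauthorized"})

async def demo_app(scope, receive, send):  # constructed stand-in for the real routes
    if scope["type"] == "websocket":
        return await send({"type": "websocket.accept"})
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def probe(gate, path, headers=(), kind="http", query=b""):  # one request through the gate
    sent = []
    async def send(message):
        sent.append(message)
    scope = {"type": kind, "path": path, "headers": list(headers), "query_string": query}
    asyncio.run(gate(scope, None, send))
    return sent[0].get("status", sent[0]["type"])  # HTTP status or WS message type
```

`probe(AuthGate(demo_app, "<token>"), "/static/../crawl")` returns 401 here, which is the case a plain `startswith` prefix check would let through.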