fix(app): handle web basic auth startup credentials#28019
Open
n3crosis wants to merge 9 commits into
Open
Conversation
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/49f38d9c-2304-442d-afb8-6159375148d5 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/49f38d9c-2304-442d-afb8-6159375148d5 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/49f38d9c-2304-442d-afb8-6159375148d5 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/49f38d9c-2304-442d-afb8-6159375148d5 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
…sync-error Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/6f06909d-b09d-43ce-85ca-20f0912e0fd7 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/6f06909d-b09d-43ce-85ca-20f0912e0fd7 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/n3crosis/opencode/sessions/6f06909d-b09d-43ce-85ca-20f0912e0fd7 Co-authored-by: n3crosis <11072158+n3crosis@users.noreply.github.com>
Contributor
|
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes web app startup when HTTP Basic credentials are provided in the URL, ensuring credentials are extracted for SDK/WebSocket auth while removed from the visible browser URL.
Changes:
- Adds URL-based Basic Auth parsing alongside existing
auth_tokenparsing. - Preserves empty-password Basic Auth credentials for SDK and terminal WebSocket fallback auth.
- Adds focused tests for URL credential parsing and terminal auth token behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
packages/app/src/entry.tsx |
Extracts startup auth from URL userinfo and clears credentials from browser history. |
packages/app/src/utils/server.ts |
Adds authFromUrl and treats empty string passwords as valid credentials. |
packages/app/src/utils/server.test.ts |
Covers URL credential parsing cases. |
packages/app/src/utils/terminal-websocket-url.ts |
Sends terminal fallback auth when password is empty but defined. |
packages/app/src/utils/terminal-websocket-url.test.ts |
Covers username-only startup credentials and undefined password behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
Thanks for updating your PR! It now meets our contributing guidelines. 👍 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue for this PR
Closes #15991
Closes #15238
Type of change
What does this PR do?
When the web app is opened with HTTP Basic credentials in the URL, the app reads those credentials into the startup server connection while continuing to use a credential-free server URL. This lets SDK requests include the expected Basic Authorization header and avoids startup failures around the global sync provider.
The app now also removes startup credentials from the browser URL/history after extracting them, and terminal WebSocket fallback auth treats an empty password as valid Basic Auth instead of omitting auth.
Added focused coverage for parsing credentials from URLs and terminal auth token handling.
How did you verify your code works?
oxlintpasses on changed filescd packages/app && bun testScreenshots / recordings
N/A
Checklist
If you do not follow this template your PR will be automatically rejected.