fix(auth): resolve post-login navigate race condition and add version display (#68) (#70)

Root cause: when auth.me() failed during initial navigation, the catch block
called navigate('/login') without clearing _pendingLoginRedirect. The outer
finally then fired a second concurrent navigate('/login'), which held
isNavigating=true while running. If the user submitted the login form (or
iCloud Keychain autofilled credentials) before the second navigation
completed, navigate('/', user) was silently blocked by the isNavigating guard —
login appeared to succeed but the app never advanced to the dashboard.

Fix: clear _pendingLoginRedirect in the catch block so the finally handler
does not spawn the duplicate navigation.

Also adds a GET /api/v1/version endpoint (no auth required) and shows the
version on the login page, so users can verify their PWA has received the
latest cached JS.

Resolves #68

Co-authored-by: Ulas Kalayci <ulas.kalayci@googlemail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
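As an added illustration of the race described in the commit message (example code, not the project's router): a minimal model of the isNavigating guard and the _pendingLoginRedirect flag, run once without and once with the fix. The Router class, the auth.me() stub and the timings are assumptions; only the two flags and the control flow come from the description above.

```javascript
// Added example, not the project's code: Router, auth.me() and timings are assumed;
// only isNavigating and _pendingLoginRedirect are taken from the commit message.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
class Router {
  constructor(clearPendingInCatch) {
    this.clearPendingInCatch = clearPendingInCatch; // false = before fix, true = after
    this.isNavigating = false;
    this._pendingLoginRedirect = false;
    this.route = null;
    this.blocked = []; // paths silently dropped by the guard
  }
  async navigate(path, user) {
    if (this.isNavigating) { this.blocked.push(path); return false; } // the guard
    this.isNavigating = true;
    try {
      await sleep(20); // simulated async view load
      this.route = path;
      return true;
    } finally { this.isNavigating = false; }
  }
  async initialNavigation(auth) {
    this._pendingLoginRedirect = true;
    try {
      const user = await auth.me();
      this._pendingLoginRedirect = false;
      await this.navigate('/', user);
    } catch {
      if (this.clearPendingInCatch) this._pendingLoginRedirect = false; // the fix
      await this.navigate('/login');
    } finally {
      // Before the fix this fires a second, concurrent navigate('/login').
      if (this._pendingLoginRedirect) this.navigate('/login');
    }
  }
}
// auth.me() fails, then the login form submits while the duplicate navigation runs.
async function simulate(clearPendingInCatch) {
  const router = new Router(clearPendingInCatch);
  const auth = { me: async () => { throw new Error('401 Unauthorized'); } }; // constructed
  await router.initialNavigation(auth);
  await sleep(5); // user (or Keychain autofill) submits shortly after /login renders
  const ok = await router.navigate('/', { name: 'alice' });
  await sleep(30); // let any in-flight navigation finish
  return { ok, route: router.route, blocked: router.blocked };
}
simulate(false).then((r) => console.log('before fix:', r));
simulate(true).then((r) => console.log('after fix:', r));
```

Before the fix the login navigation is dropped and the app stays on /login; after the fix the same submit reaches /.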
ulsklyc
2026-04-21 08:19:53 +02:00
committed by GitHub
parent c1bdd4361d
commit d1ec7367a0
22 changed files with 711 additions and 657 deletions
@@ -8,6 +8,7 @@ import express from 'express';
import helmet from 'helmet';
import rateLimit from 'express-rate-limit';
import path from 'path';
import { readFileSync } from 'node:fs';
import { createLogger } from './logger.js';
import * as db from './db.js';
import { router as authRouter, sessionMiddleware, requireAuth } from './auth.js';
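Review bot: style point on the new `import { readFileSync } from 'node:fs';` line: it uses the `node:` scheme while the neighbouring `import path from 'path';` does not; pick one convention for built-in modules in this file (the `node:` form is the more explicit one and cannot be confused with a third-party package of the same name).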
@@ -32,6 +33,10 @@ const log = createLogger('Server');
const logSync = createLogger('Sync');
const logOikos = createLogger('Oikos');
const { version: APP_VERSION } = JSON.parse(
readFileSync(new URL('../package.json', import.meta.url), 'utf-8')
);
const app = express();
const PORT = process.env.PORT || 3000;
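Review bot: `JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf-8'))` runs at module load, so a missing or malformed package.json next to the server file (for example when a build step ships only the compiled sources) now aborts startup instead of merely blanking the version; either document that package.json must be deployed alongside the server, or wrap the read in a try/catch that falls back to a placeholder such as 'unknown' and reports it through `log`.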
@@ -155,6 +160,11 @@ app.use('/api/', apiLimiter);
// --------------------------------------------------------
app.use('/api/v1/auth', authRouter);
// Versionsinformation - keine Authentifizierung erforderlich (Login-Seite benötigt diese)
app.get('/api/v1/version', (req, res) => {
res.json({ version: APP_VERSION });
});
// Alle weiteren API-Routen erfordern Authentifizierung + CSRF-Schutz
app.use('/api/v1', requireAuth);
app.use('/api/v1', csrfMiddleware);
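Review bot: the new `/api/v1/version` route exists so the PWA can check whether it has the latest cached JS, but `res.json({ version: APP_VERSION })` sets no cache headers, so a service worker or intermediary cache can answer with a stale version string and defeat exactly that check; add `res.set('Cache-Control', 'no-store');` before the `res.json(...)` call. Registering the route before `requireAuth` and `csrfMiddleware` is acceptable for a read-only GET of a single value that still sits under the `/api/` rate limiter, but since it deliberately discloses the deployed version to unauthenticated clients, the comment above the route should say so explicitly.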