singularity/singularity-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
singularity-forge/web/lib/auth.ts
Mikael Hugo 22760e03d5
Some checks are pending
CI / detect-changes (push) Waiting to run
Details
CI / docs-check (push) Blocked by required conditions
Details
CI / lint (push) Blocked by required conditions
Details
CI / build (push) Blocked by required conditions
Details
CI / integration-tests (push) Blocked by required conditions
Details
CI / windows-portability (push) Blocked by required conditions
Details
CI / rtk-portability (linux, blacksmith-4vcpu-ubuntu-2404) (push) Blocked by required conditions
Details
CI / rtk-portability (macos, macos-15) (push) Blocked by required conditions
Details
CI / rtk-portability (windows, blacksmith-4vcpu-windows-2025) (push) Blocked by required conditions
Details
fix(sift): increase timeouts for vector retriever + scope-aware retriever for codebase_search 
Vector retriever was disabled everywhere because it appeared to hang.
It was actually doing a first-time embedding index build for 57K files,
which takes ~60-90 min. Re-enable vector by increasing timeouts and
letting scope-aware retriever selection decide when vector is safe.

Changes:
- sift_search: retriever timeout 30s->300s, total 60s->600s
- codebase_search: total timeout 120s->600s
- warmup: retriever timeout 30s->300s, hard timeout 600s->3600s
- codebase_search now uses chooseSiftRetrievers() instead of hardcoded
  bm25+phrase: repo-root -> bm25+phrase (fast), scoped subdirs -> vector
- Comments updated to reflect "slow first build" not "hang"

Tests: 178 files / 1845 tests, all pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-15 10:46:35 +02:00

136 lines
4 KiB
TypeScript
Raw Blame History

/**
* Client-side auth token management.
*
* The web server generates a random bearer token at launch and passes it to
* the browser via the URL fragment (e.g. `http://127.0.0.1:3000/#token=<hex>`).
* Fragments are never sent in HTTP requests or logged by servers/proxies,
* keeping the token local to the machine.
*
* On first load this module extracts the token from the fragment, persists
* it to localStorage (so it survives page refreshes and is accessible from
* all tabs on the same origin), and clears the fragment from the address bar.
* All subsequent API calls attach the token via the `Authorization: Bearer`
* header.
*
* localStorage is shared across all tabs on the same origin. Because each
* SF instance binds to a unique random port, the origin already scopes
* the token to that instance — no additional namespacing is needed.
*
* For EventSource (SSE), which cannot send custom headers, the token is
* appended as a `?_token=` query parameter instead.
*/
const AUTH_STORAGE_KEY = "sf-auth-token";
let cachedToken: string | null = null;
/**
* Extract the auth token from the URL fragment, localStorage, or prompt for login.
* If not found, redirect to /login page.
*/
export function getAuthToken(): string | null {
if (cachedToken !== null) return cachedToken;
if (typeof window === "undefined") return null;
// 1. Try the URL fragment (initial page load from sf --web)
const hash = window.location.hash;
if (hash) {
const match = hash.match(/token=([a-fA-F0-9]+)/);
if (match) {
cachedToken = match[1];
try {
localStorage.setItem(AUTH_STORAGE_KEY, cachedToken);
} catch {}
window.history.replaceState(
null,
"",
window.location.pathname + window.location.search,
);
return cachedToken;
}
}
// 2. Fall back to localStorage
try {
const stored = localStorage.getItem(AUTH_STORAGE_KEY);
if (stored) {
cachedToken = stored;
return cachedToken;
}
} catch {}
// 3. If not found, redirect to login
if (window.location.pathname !== "/login") {
window.location.href = "/login";
}
return null;
}
/**
* Listen for token changes from other tabs via the `storage` event.
* When another tab writes a new token to localStorage, this tab picks
* it up immediately without requiring a page refresh.
*/
if (typeof window !== "undefined") {
window.addEventListener("storage", (event) => {
if (event.key === AUTH_STORAGE_KEY && event.newValue) {
cachedToken = event.newValue;
}
});
}
/**
* Returns an object with the `Authorization` header for use with `fetch()`.
* Merges with any additional headers provided.
*/
export function authHeaders(
extra?: Record<string, string>,
): Record<string, string> {
const token = getAuthToken();
const headers: Record<string, string> = { ...extra };
if (token) {
headers["Authorization"] = `Bearer ${token}`;
}
return headers;
}
/**
* Wrapper around `fetch()` that automatically injects the auth token.
*
* When no token is available (missing `#token=` fragment and no localStorage
* entry), returns a synthetic 401 Response instead of making an unauthenticated
* request that will fail server-side anyway. This lets callers handle the
* missing-token case uniformly rather than silently cascading 401s.
*/
export async function authFetch(
input: RequestInfo | URL,
init?: RequestInit,
): Promise<Response> {
const token = getAuthToken();
if (!token) {
return new Response(JSON.stringify({ error: "No auth token available" }), {
status: 401,
headers: { "Content-Type": "application/json" },
});
}
const headers = new Headers(init?.headers);
if (!headers.has("Authorization")) {
headers.set("Authorization", `Bearer ${token}`);
}
return fetch(input, { ...init, headers });
}
/**
* Append the auth token as a `_token` query parameter to a URL string.
* Used for EventSource connections which cannot send custom headers.
*/
export function appendAuthParam(url: string): string {
const token = getAuthToken();
if (!token) return url;
const separator = url.includes("?") ? "&" : "?";
return `${url}${separator}_token=${token}`;
}
Reference in a new issue View git blame Copy permalink