feat(dashboard-auth): Phase 6 — 401 re-auth envelope + next= propagation

Contract V1 of nous-account-service PR #180 ships no refresh tokens, so the original Phase 6 silent-refresh design is replaced with a thinner '401 → redirect to /login' UX. The dashboard's gated middleware now emits a structured envelope on any auth failure; the SPA's fetch wrapper sees it and full-page-navigates the user through re-auth. hermes_cli/dashboard_auth/cookies.py: set_session_cookies(refresh_token='') SKIPS writing the hermes_session_rt cookie. Forward-compat: a non-empty refresh_token still emits the cookie unchanged, so a future Portal contract that starts issuing RTs flips the persistence on with no other change. clear_session_cookies still emits a Max-Age=0 deletion for the RT cookie so stale cookies from earlier deployments get flushed on logout / session expiry. Deprecation marker + rationale in module docstring per the user's docstring-only deprecation pattern. hermes_cli/dashboard_auth/middleware.py: _unauth_response now builds a structured JSON envelope for API 401s: { error: 'session_expired' | 'unauthenticated', detail: 'Unauthorized', reason: <internal>, login_url: '/login?next=<safe-path>' } HTML redirects also carry next= so a user landing on /sessions without a cookie bounces back to /sessions after re-auth. _safe_next_target validates same-origin: drops protocol-relative paths (//evil.com), absolute URLs, and any /login or /auth/* loop. Dead cookies are cleared on the 401 path so the browser stops replaying invalid tokens. hermes_cli/dashboard_auth/routes.py: /auth/callback accepts next= query param and validates via _validate_post_login_target (same rules as the gate's _safe_next_target — defence-in-depth because next= survived a full IDP round trip and attacker-controlled state can re-enter via the callback URL). Open-redirect attempts land at '/' instead. web/src/lib/api.ts: fetchJSON parses the 401 envelope and full-page-navigates to body.login_url ONLY on the known session-expiry error codes. Domain-level 401s (e.g. permission errors) bubble up as regular errors. credentials: 'include' added so cookie auth works for all fetches routed through this wrapper. sessionStorage.lastLocation is preserved for future use by AuthWidget / hermes_status. Test files marked with pytest.mark.xdist_group so the four files that mutate web_server.app.state.auth_required serialize onto the same xdist worker — eliminates 'works locally, fails in CI' app-state bleed. 20 new tests in test_dashboard_auth_401_reauth.py: - set_session_cookies(refresh_token='') skips RT cookie - clear_session_cookies still emits RT deletion - 401 envelope shape (unauthenticated vs session_expired) - dead cookie cleared on invalid-token 401 - login_url carries next= for deep paths - login loop avoided when path is /login/auth/api-auth - protocol-relative URL rejected - _safe_next_target unit tests (accept same-origin, reject loops/abs) - /auth/callback respects safe next= but rejects open redirects 2 pre-existing tests updated to accept the new /login?next=%2F shape. Full dashboard-auth suite: 168 passed, 1 skipped (Phase 0 pre-existing).
2026-05-29 06:31:32 +00:00 · 2026-05-21 16:53:02 +10:00 · 2026-05-21 16:53:02 +10:00 · 5e9308b5b8
commit 5e9308b5b8
parent 8971e94831
8 changed files with 506 additions and 22 deletions
--- a/hermes_cli/dashboard_auth/cookies.py
+++ b/hermes_cli/dashboard_auth/cookies.py
@ -1,10 +1,14 @@
 """Cookie helpers for dashboard auth.

 Three cookies in play:
-  - hermes_session_at: the OAuth access token
-                       (HttpOnly, lifetime = token TTL)
-  - hermes_session_rt: the OAuth refresh token
-                       (HttpOnly, lifetime = 30 days)
+  - hermes_session_at:   the OAuth access token
+                         (HttpOnly, lifetime = token TTL)
+  - hermes_session_rt:   the OAuth refresh token
+                         (HttpOnly, lifetime = 30 days)
+                         **DEPRECATED in OAuth contract v1** — Nous Portal
+                         does not issue refresh tokens; we keep the cookie
+                         name and clear semantics for forward compatibility
+                         and to flush stale cookies from old browsers.
  - hermes_session_pkce: short-lived PKCE state + CSRF nonce + provider
                         hint (HttpOnly, lifetime = 10 minutes)

@ -16,6 +20,14 @@ which honours ``X-Forwarded-Proto`` upstream of Fly's TLS terminator
 when uvicorn is configured with ``proxy_headers=True``. Loopback dev
 traffic is always HTTP so ``Secure`` would lock the cookies out of
 the browser.
+
+.. deprecated:: contract v1
+   ``set_session_cookies`` accepts ``refresh_token=""`` (the contract-v1
+   default) and silently skips writing ``hermes_session_rt`` in that case.
+   ``clear_session_cookies`` still emits a Max-Age=0 deletion for the RT
+   cookie so users carrying a stale cookie from an earlier deployment get
+   it cleared on logout / session expiry. The full refresh-flow machinery
+   was rewritten as "401 → redirect to /login" in Phase 6.
 """
 from __future__ import annotations

@ -52,22 +64,31 @@ def set_session_cookies(
    access_token_expires_in: int,
    use_https: bool,
 ) -> None:
-    """Set both session cookies on the response.
+    """Set the session cookies on the response.

    ``access_token_expires_in`` is in seconds. Use the provider's reported
-    TTL for the access token. The refresh token cookie always lives 30
-    days regardless of the underlying provider's refresh TTL.
+    TTL for the access token.
+
+    ``refresh_token`` is accepted for backward / forward compatibility but
+    SKIPPED when empty — Nous Portal contract v1 issues no refresh tokens
+    so a ``Session.refresh_token == ""`` from the provider means we don't
+    persist anything. If a future contract revision starts emitting refresh
+    tokens, this helper will write the RT cookie again with no other change.
    """
    response.set_cookie(
        SESSION_AT_COOKIE, access_token,
        max_age=access_token_expires_in,
        **_common_attrs(use_https),
    )
-    response.set_cookie(
-        SESSION_RT_COOKIE, refresh_token,
-        max_age=_RT_MAX_AGE,
-        **_common_attrs(use_https),
-    )
+    # Contract v1: empty refresh token means "don't persist RT cookie".
+    # Keeping a literal empty-value cookie around would be dead state at
+    # best, attack surface at worst.
+    if refresh_token:
+        response.set_cookie(
+            SESSION_RT_COOKIE, refresh_token,
+            max_age=_RT_MAX_AGE,
+            **_common_attrs(use_https),
+        )


 def clear_session_cookies(response: Response) -> None:
--- a/hermes_cli/dashboard_auth/middleware.py
+++ b/hermes_cli/dashboard_auth/middleware.py
@ -58,14 +58,73 @@ def _client_ip(request: Request) -> str:
    return request.client.host if request.client else ""


-def _unauth_response(path: str, *, reason: str) -> Response:
-    """API routes → 401 JSON; HTML routes → 302 → /login."""
+def _unauth_response(request: Request, *, reason: str) -> Response:
+    """API routes → 401 JSON with ``login_url``; HTML routes → 302 → /login.
+
+    The JSON envelope carries a ``login_url`` field with a ``next=`` query
+    string so the SPA's global 401 handler can drop the user back where
+    they were after re-auth. The contract is intentionally simple so any
+    fetch-wrapper can implement the redirect without parsing details:
+
+        if response.status === 401 && body.error in ("unauthenticated",
+                                                       "session_expired"):
+            window.location.assign(body.login_url);
+
+    HTML redirects also carry the ``next=`` query string so direct
+    navigation to ``/sessions`` (etc.) without a cookie comes back to
+    ``/sessions`` after login.
+    """
+    path = request.url.path
+    next_param = _safe_next_target(request)
+    login_url = f"/login?next={next_param}" if next_param else "/login"
+
    if path.startswith("/api/"):
+        # API routes never get redirects: the browser fetch() API would
+        # follow a 302 into the cross-origin OAuth dance opaquely. Return
+        # 401 with a structured envelope so the SPA can full-page-navigate
+        # to login_url.
+        error_code = (
+            "session_expired"
+            if reason == "invalid_or_expired_session"
+            else "unauthenticated"
+        )
        return JSONResponse(
-            {"detail": "Unauthorized", "reason": reason},
+            {
+                "error": error_code,
+                "detail": "Unauthorized",
+                "reason": reason,
+                "login_url": login_url,
+            },
            status_code=401,
        )
-    return RedirectResponse(url="/login", status_code=302)
+    return RedirectResponse(url=login_url, status_code=302)
+
+
+def _safe_next_target(request: Request) -> str:
+    """Build the URL-encoded ``next`` query value, or empty string.
+
+    Only same-origin relative paths are accepted; absolute URLs or
+    ``//evil.com`` open-redirect attempts are silently dropped. The empty
+    string return means the caller produces a bare ``/login`` URL — fine,
+    user lands at the dashboard root after re-auth.
+    """
+    path = request.url.path
+    # Reject anything that doesn't start with "/" or starts with "//"
+    # (protocol-relative URL — would open-redirect to an attacker host).
+    if not path or not path.startswith("/") or path.startswith("//"):
+        return ""
+    # Don't redirect back to the auth routes themselves — that loops.
+    if any(
+        path == p or path.startswith(p)
+        for p in ("/login", "/auth/", "/api/auth/")
+    ):
+        return ""
+    # Preserve query string if present (e.g. /sessions?page=2).
+    query = request.url.query
+    target = f"{path}?{query}" if query else path
+    # urlencode the whole thing as a single value.
+    from urllib.parse import quote
+    return quote(target, safe="")


 async def gated_auth_middleware(
@ -86,7 +145,7 @@ async def gated_auth_middleware(

    at, _rt = read_session_cookies(request)
    if not at:
-        return _unauth_response(path, reason="no_cookie")
+        return _unauth_response(request, reason="no_cookie")

    # Try every registered provider's verify_session in turn. Providers
    # MUST return None for tokens they don't recognise (not raise). This
@ -120,7 +179,14 @@ async def gated_auth_middleware(
            reason="no_provider_recognises",
            ip=_client_ip(request),
        )
-        return _unauth_response(path, reason="invalid_or_expired_session")
+        response = _unauth_response(request, reason="invalid_or_expired_session")
+        # Clear the dead cookie so the browser doesn't keep sending it.
+        # Contract v1: no refresh token to retry with, so the only correct
+        # next step is full re-auth via /login. Importing locally avoids a
+        # cycle with cookies → middleware at module load.
+        from hermes_cli.dashboard_auth.cookies import clear_session_cookies
+        clear_session_cookies(response)
+        return response

    request.state.session = session
    return await call_next(request)
--- a/hermes_cli/dashboard_auth/routes.py
+++ b/hermes_cli/dashboard_auth/routes.py
@ -151,6 +151,7 @@ async def auth_callback(
    state: str = "",
    error: str = "",
    error_description: str = "",
+    next: str = "",
 ):
    pkce_raw = read_pkce_cookie(request)
    if not pkce_raw:
@ -241,7 +242,12 @@ async def auth_callback(
    )

    expires_in = max(60, session.expires_at - int(time.time()))
-    resp = RedirectResponse(url="/", status_code=302)
+    # Honour the ``next=`` query param the gate's _unauth_response set in
+    # the redirect URL. Validated against the same same-origin rules as
+    # the gate's _safe_next_target — any absolute URL / protocol-relative
+    # path / loop back to /login is dropped in favour of ``/``.
+    landing = _validate_post_login_target(next) or "/"
+    resp = RedirectResponse(url=landing, status_code=302)
    set_session_cookies(
        resp,
        access_token=session.access_token,
@ -253,6 +259,31 @@ async def auth_callback(
    return resp


+def _validate_post_login_target(raw: str) -> str:
+    """Return ``raw`` if it's a safe same-origin path, else empty string.
+
+    The ``next`` query param survives a full OAuth round trip — the gate
+    encodes it into the /login redirect, the login page emits it back into
+    /auth/login, and the IDP preserves it across /authorize/callback. We
+    have to re-validate here because the value came back in via the
+    URL (an attacker could craft a /auth/callback URL with their own
+    ``next=https://evil.example``).
+    """
+    if not raw:
+        return ""
+    from urllib.parse import unquote
+    decoded = unquote(raw)
+    if not decoded.startswith("/") or decoded.startswith("//"):
+        return ""
+    # Don't loop back to login pages or auth flow.
+    if any(
+        decoded == p or decoded.startswith(p)
+        for p in ("/login", "/auth/", "/api/auth/")
+    ):
+        return ""
+    return decoded
+
+
@router.post("/auth/logout", name="auth_logout")
 async def auth_logout(request: Request):
    _at, rt = read_session_cookies(request)