fix(dashboard): honor injected HERMES_DASHBOARD_SESSION_TOKEN

The desktop shell mints a session token and signs its /api + /api/ws
calls with it via HERMES_DASHBOARD_SESSION_TOKEN, but the main-merge
restored a web_server.py that ignored the env var and minted its own
random _SESSION_TOKEN -- so every desktop request 401'd and the UI
reported "gateway offline". Read the injected token (fall back to a
fresh random one) so loopback HTTP + WS auth line up.

Adds a regression test so a future merge can't silently drop the read.
Brooklyn Nicholson 2026-05-29 23:26:31 -05:00
parent 5335869de4
commit 960ea8a849
2 changed files with 35 additions and 3 deletions


@ -89,6 +89,35 @@ class TestRedactKey:
assert "not set" in result.lower() or result == "***" or "\x1b" in result
class TestSessionTokenInjection:
"""The desktop shell mints HERMES_DASHBOARD_SESSION_TOKEN and signs its
/api + /api/ws calls with it. The backend must adopt that token, else every
desktop request 401s ("gateway is offline"). A main-merge once silently
dropped this read this guards the contract, not a literal value.
"""
def test_honors_injected_token(self, monkeypatch):
import importlib
import hermes_cli.web_server as ws
monkeypatch.setenv("HERMES_DASHBOARD_SESSION_TOKEN", "desktop-seeded-token")
try:
importlib.reload(ws)
assert ws._SESSION_TOKEN == "desktop-seeded-token"
finally:
monkeypatch.delenv("HERMES_DASHBOARD_SESSION_TOKEN", raising=False)
importlib.reload(ws)
def test_falls_back_to_random_token(self, monkeypatch):
import importlib
import hermes_cli.web_server as ws
monkeypatch.delenv("HERMES_DASHBOARD_SESSION_TOKEN", raising=False)
importlib.reload(ws)
assert ws._SESSION_TOKEN and len(ws._SESSION_TOKEN) >= 32
# ---------------------------------------------------------------------------
# web_server tests (FastAPI endpoints)
# ---------------------------------------------------------------------------
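Review bot: Neither test in `TestSessionTokenInjection` covers `HERMES_DASHBOARD_SESSION_TOKEN` being set but empty, which is the one case where adopting the environment value would leave the dashboard with a blank session token. The web_server.py side of this commit is not visible here, so whether an empty value already falls back is unknown; a third test that sets the variable to `""` and expects the same fallback of at least 32 characters would pin that down. `test_falls_back_to_random_token` also checks only truthiness and length, so a constant fallback would pass; comparing `ws._SESSION_TOKEN` across two reloads would confirm the token is freshly generated each time.

```python
class TestSessionTokenInjection:
    # … unchanged: test_honors_injected_token, test_falls_back_to_random_token …

    def test_empty_injected_token_falls_back(self, monkeypatch):
        import importlib
        import hermes_cli.web_server as ws
        monkeypatch.setenv("HERMES_DASHBOARD_SESSION_TOKEN", "")
        try:
            importlib.reload(ws)
            # An empty injected value must not become the auth token.
            assert ws._SESSION_TOKEN and len(ws._SESSION_TOKEN) >= 32
        finally:
            monkeypatch.delenv("HERMES_DASHBOARD_SESSION_TOKEN", raising=False)
            importlib.reload(ws)
```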