From 234b6fb379277c62874a5a0878cceaf7fa1d1a33 Mon Sep 17 00:00:00 2001
From: Thomas Kpenou
Date: Thu, 25 Jun 2026 08:46:15 -0400
Subject: [PATCH] fix(auth): allow Vite /assets/ bundles on the login page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When authentication is enabled, login.html rendered blank: the page's own JS/CSS bundles (served by Vite under /assets/ as hashed, often shared chunks) were treated as auth-required and 302-redirected to login.html, so the browser refused to load them ("MIME type text/html" for the module script). is_allowed_during_login() still whitelisted the old webpack paths (/js/login.js, /css/login.css, ...) which Vite no longer emits — a leftover from the Vite migration that only surfaces with auth on. Allow /assets/ during login: these are static client bundles with no protected data, and the app stays unusable without the authenticated API (admin/index pages still redirect to login).

Co-Authored-By: Claude Opus 4.8
---
 src/tests/web/web_auth_utils_test.py | 7 ++++++-
 src/web/web_auth_utils.py            | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/tests/web/web_auth_utils_test.py b/src/tests/web/web_auth_utils_test.py
index b3f6ce75..fbee56a8 100644
--- a/src/tests/web/web_auth_utils_test.py
+++ b/src/tests/web/web_auth_utils_test.py
@@ -45,7 +45,12 @@ class LoginResourcesTest(TestCase):
         ('/fonts/roboto-latin-400.60fa3c06.woff'),
         ('/fonts/roboto-latin-400.479970ff.woff2'),
         ('/fonts/roboto-latin-500.020c97dc.woff2'),
-        ('/fonts/roboto-latin-500.87284894.woff')
+        ('/fonts/roboto-latin-500.87284894.woff'),
+        # Vite-built hashed bundles served from /assets/ (used by the login page)
+        ('/assets/login-jEjOHyEw.js'),
+        ('/assets/css-Bn4Yn0er.css'),
+        ('/assets/theme-C3Leg-oT.css'),
+        ('/assets/MaterialIcons-Regular-Bnsxcfr1.woff')
     ])
     def test_is_allowed_during_login_when_allowed(self, resource):
         request_handler = mock_request_handler(method='GET')
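Review bot: The added cases only extend the positive parameter list, so the new `/assets/` rule is pinned from one side only; the matching denied-path test (outside this hunk) should gain prefix-boundary cases such as `('/assets')` and `('/api/assets/app.js')`, both of which `startswith('/assets/')` must reject, so a later loosening of the prefix check is caught. The four sample bundle names are hashed build outputs, so a short comment noting that only the `/assets/` prefix matters (not the exact hash) would stop someone "fixing" them after the next build. The test method body continues past the end of the hunk.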
diff --git a/src/web/web_auth_utils.py b/src/web/web_auth_utils.py
index c28f7c05..62c2becf 100644
--- a/src/web/web_auth_utils.py
+++ b/src/web/web_auth_utils.py
@@ -117,6 +117,13 @@ def is_allowed_during_login(request_path, login_url, request_handler):
                        '/img/titleBackground_login.jpg',
                        '/img/gitlab-icon-rgb.png']
 
+    # Vite emits the bundled JS/CSS/fonts/images (used by the login page too,
+    # often as hashed and shared chunks) under /assets/. These are static client
+    # resources with no protected data, and the app stays unusable without the
+    # authenticated API, so they must be reachable to render the login page.
+    if request_path.startswith('/assets/'):
+        return True
+
     return (request_path in login_resources) or (request_path.startswith('/theme/'))
 
 
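Review bot: The new `request_path.startswith('/assets/')` check is a prefix allow on the incoming path, unlike the exact-match `login_resources` list it sits beside, so its safety rests on two things not visible here: that `request_path` is already normalized (dot segments collapsed) before this function runs, and that nothing other than the static bundle handler is mounted under `/assets/`. Both are worth confirming and recording in the comment, e.g. appending `# NOTE: prefix match — relies on request_path being normalized upstream and /assets/ being static-only`. The existing `/theme/` prefix check has the same property, so any normalization guarantee should be documented once for both. Per the commit message the old webpack entries in `login_resources` are no longer emitted; dropping them would keep the allowlist honest, but that is a follow-up. `is_allowed_during_login` starts before this hunk.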