Skip to content

fix(vnc): handle expired setup sessions on VNC UI API calls#253

Open
KrasimirKralev wants to merge 1 commit into
ID-Robots:betafrom
KrasimirKralev:fix/vnc-auth-expiry
Open

fix(vnc): handle expired setup sessions on VNC UI API calls#253
KrasimirKralev wants to merge 1 commit into
ID-Robots:betafrom
KrasimirKralev:fix/vnc-auth-expiry

Conversation

@KrasimirKralev

Copy link
Copy Markdown
Contributor

Closes #231.

Problem

The VNC panel's /setup-api/* calls assume a JSON body. On an expired session, src/middleware.ts (250-258) returns 401 to JSON clients or 307-redirects to /login otherwise. Since fetch follows the redirect, res.json() was handed a login HTML page β†’ a confusing Unexpected token < error (the checkVnc availability probe), or β€” in the post-repair reboot poll β€” the loop spun to its 5-minute timeout instead of stopping.

Fix

  • New src/lib/setup-auth.ts β€” JSON_ACCEPT_HEADERS + isAuthExpired(res) (true on 401, or a followed redirect whose final path is /login).
  • All six VNC setup-api calls now send Accept: application/json (so middleware answers with a clean 401 instead of a redirect) and check isAuthExpired before parsing: availability probe, install/repair, post-repair reboot, the reboot poll loop (now halts instead of timing out), and clipboard read + write.
  • On expiry the error panel shows a clear "session expired β†’ Sign in again" action instead of retry/repair, and the clipboard read never parses a login page as JSON.

Tests

src/tests/unit/setup-auth.test.ts covers the 401 path and the redirected-to-/login path (plus active-session and non-login-redirect negatives) β€” the two paths the issue's acceptance criteria call for.

Acceptance criteria

  • Availability check surfaces a clear login-expired state on 401 or login redirect
  • Repair action stops and shows a clear error on auth expiry
  • Reboot request after repair stops and shows a clear error on auth expiry
  • Clipboard read/write does not parse a login page as JSON
  • Unit tests cover a 401 path and a redirected-login path

Closes ID-Robots#231. The VNC panel's setup-api calls assumed a JSON body; on an
expired session middleware returns 401 (JSON clients) or 307s to /login
(HTML clients), so a followed redirect handed res.json() a login page and
surfaced a confusing parse error β€” or, in the reboot poll loop, span to the
5-minute timeout.

- New src/lib/setup-auth.ts: JSON_ACCEPT_HEADERS + isAuthExpired(res) (401
  or a redirect whose final path is /login).
- All six VNC setup-api calls now send Accept: application/json (so
  middleware answers 401, not a login redirect) and check isAuthExpired
  before parsing: availability probe, install/repair, post-repair reboot,
  the reboot poll loop (now halts instead of timing out), and clipboard
  read/write.
- Expired session flips the error panel to a clear 'session expired' message
  with a 'Sign in again' action instead of retry/repair.
- Unit tests cover the 401 path and the redirected-to-/login path (plus
  active-session and non-login-redirect negatives).

Verified: on device/CI (no local node_modules on the dev box).
@KrasimirKralev
KrasimirKralev requested a review from a team as a code owner July 5, 2026 11:27
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@KrasimirKralev, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 1 minute

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
βš™οΈ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 35168443-43a8-4aa7-9d6b-f7eb0d5b45a4

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 7d7bf64 and 2bf5088.

πŸ“’ Files selected for processing (3)
  • src/components/VNCApp.tsx
  • src/lib/setup-auth.ts
  • src/tests/unit/setup-auth.test.ts
✨ Finishing Touches
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

πŸ¦€ ClawReview

Your friendly reef crab, here with the lay of the land.

This fix patches a silent failure in the VNC panel where expired setup sessions caused confusing 'Unexpected token <' parse errors (fetch follows the middleware's login redirect and hands a HTML page to res.json()). A new tiny utility β€” setup-auth.ts β€” centralises session-expiry detection for both the 401 and redirect-to-/login shapes, and all six /setup-api/* calls in VNCApp.tsx now check it before parsing. Users now see a clear 'Sign in again' button instead of a cryptic parse error or a reboot-poll loop that would spin all the way to its five-minute timeout.

At a glance

  • πŸ”§ Fix Β· touches VNCApp + middleware session handling (setup-api calls)
  • Base branch: beta Β· +92 source / +33 tests across 3 files
  • βœ… base beta matches the beta-first convention
  • βœ… conventional PR title
  • βœ… source changes come with test changes

Good to know

  • ℹ️ New src/lib/setup-auth.ts is a reusable client-side utility β€” other components that call /setup-api/* (e.g. AIModelsStep, WifiStep) could adopt the same pattern if they ever hit the same redirect issue.
  • 🟑 Touches the post-repair reboot poll loop that runs on customer devices during VNC install; the fix makes it halt on auth expiry rather than spinning to the 5-minute timeout.
  • ℹ️ Unit tests cover both expiry shapes (401 and redirected-to-/login) plus the negative cases, matching the issue's acceptance criteria.

β€” ClawReview πŸ¦€. I set the scene; CodeRabbit reviews the code; you decide. Conventions: docs.

@github-actions github-actions Bot added the area: ui Auto-triage area label Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: ui Auto-triage area

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant