remove authToken; that would prevent localhost from entering pw-less

2026-04-02 10:45:57 +00:00 · 2025-06-24 03:38:41 +02:00 · 2025-06-24 03:38:41 +02:00 · f59147dbc1
commit f59147dbc1
parent bb6934de5d
5 changed files with 8 additions and 69 deletions
--- a/mac/VibeTunnel/Core/Services/BunServer.swift
+++ b/mac/VibeTunnel/Core/Services/BunServer.swift
@ -1,6 +1,5 @@
 import Foundation
 import OSLog
-import CryptoKit

 /// Server state enumeration
 enum ServerState {
@ -45,21 +44,6 @@ final class BunServer {
    var port: String = ""

    var bindAddress: String = "127.0.0.1"
-    
-    /// Local authentication token for bypassing auth on localhost
-    private let localAuthToken: String = {
-        // Generate a secure random token for this session
-        let randomData = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
-        return randomData.base64EncodedString()
-            .replacingOccurrences(of: "+", with: "-")
-            .replacingOccurrences(of: "/", with: "_")
-            .replacingOccurrences(of: "=", with: "")
-    }()
-    
-    /// Get the local auth token for use in HTTP requests
-    var localToken: String {
-        localAuthToken
-    }

    // MARK: - Initialization

@ -169,9 +153,9 @@ final class BunServer {
        
        // Add local bypass authentication for the Mac app
        if authMode != "none" {
-            // Enable local bypass with our generated token
-            vibetunnelArgs += " --allow-local-bypass --local-auth-token \(localAuthToken)"
-            logger.info("Local authentication bypass enabled for Mac app")
+            // Enable local bypass without requiring token for browser access
+            vibetunnelArgs += " --allow-local-bypass"
+            logger.info("Local authentication bypass enabled for localhost connections")
        }

        // Create wrapper to run vibetunnel with a parent death signal
--- a/mac/VibeTunnel/Core/Services/ServerManager.swift
+++ b/mac/VibeTunnel/Core/Services/ServerManager.swift
@ -224,9 +224,6 @@ class ServerManager {
            }

            logger.info("Started server on port \(self.port)")
-            
-            // Pass the local auth token to SessionMonitor
-            SessionMonitor.shared.setLocalAuthToken(server.localToken)

            // Trigger cleanup of old sessions after server starts
            await triggerInitialCleanup()
@ -256,9 +253,6 @@ class ServerManager {
        await server.stop()
        bunServer = nil
        isRunning = false
-        
-        // Clear the auth token from SessionMonitor
-        SessionMonitor.shared.setLocalAuthToken(nil)

        // Reset crash tracking when manually stopped
        consecutiveCrashes = 0
@ -322,11 +316,6 @@ class ServerManager {
            var request = URLRequest(url: url)
            request.httpMethod = "POST"
            request.timeoutInterval = 10
-            
-            // Add local auth token if available
-            if let server = bunServer {
-                request.setValue(server.localToken, forHTTPHeaderField: "X-VibeTunnel-Local")
-            }

            // Make the cleanup request
            let (data, response) = try await URLSession.shared.data(for: request)
--- a/mac/VibeTunnel/Core/Services/SessionMonitor.swift
+++ b/mac/VibeTunnel/Core/Services/SessionMonitor.swift
@ -29,17 +29,11 @@ final class SessionMonitor {
    private var lastFetch: Date?
    private let cacheInterval: TimeInterval = 2.0
    private let serverPort: Int
-    private var localAuthToken: String?

    private init() {
        let port = UserDefaults.standard.integer(forKey: "serverPort")
        self.serverPort = port > 0 ? port : 4_020
    }
-    
-    /// Set the local auth token for server requests
-    func setLocalAuthToken(_ token: String?) {
-        self.localAuthToken = token
-    }

    /// Number of running sessions
    var sessionCount: Int {
@ -75,13 +69,7 @@ final class SessionMonitor {
                throw URLError(.badURL)
            }

-            var request = URLRequest(url: url, timeoutInterval: 3.0)
-            
-            // Add local auth token if available
-            if let token = localAuthToken {
-                request.setValue(token, forHTTPHeaderField: "X-VibeTunnel-Local")
-            }
-            
+            let request = URLRequest(url: url, timeoutInterval: 3.0)
            let (data, response) = try await URLSession.shared.data(for: request)

            guard let httpResponse = response as? HTTPURLResponse,
--- a/web/src/server/middleware/auth.ts
+++ b/web/src/server/middleware/auth.ts
@ -12,7 +12,6 @@ interface AuthConfig {
  bearerToken?: string; // Token that HQ must use to authenticate with this remote
  authService?: AuthService; // Enhanced auth service for JWT tokens
  allowLocalBypass?: boolean; // Allow localhost connections to bypass auth
-  localAuthToken?: string; // Token for localhost authentication
 }

 interface AuthenticatedRequest extends Request {
@ -67,24 +66,10 @@ export function createAuthMiddleware(config: AuthConfig) {

    // Check for local bypass if enabled
    if (config.allowLocalBypass && isLocalRequest(req)) {
-      // If a local auth token is configured, check for it
-      if (config.localAuthToken) {
-        const providedToken = req.headers['x-vibetunnel-local'] as string;
-        if (providedToken === config.localAuthToken) {
-          logger.debug('Local request authenticated with token');
-          req.authMethod = 'local-bypass';
-          req.userId = 'local-user';
-          return next();
-        } else {
-          logger.debug('Local request missing or invalid token');
-        }
-      } else {
-        // No token required for local bypass
-        logger.debug('Local request authenticated without token');
-        req.authMethod = 'local-bypass';
-        req.userId = 'local-user';
-        return next();
-      }
+      logger.debug('Local request authenticated - bypassing auth');
+      req.authMethod = 'local-bypass';
+      req.userId = 'local-user';
+      return next();
    }

    // Only log auth requests that might be problematic (no header or failures)
--- a/web/src/server/server.ts
+++ b/web/src/server/server.ts
@ -63,7 +63,6 @@ interface Config {
  bellNotificationsEnabled: boolean;
  // Local bypass configuration
  allowLocalBypass: boolean;
-  localAuthToken: string | null;
 }

 // Show help message
@ -82,7 +81,6 @@ Options:
  --disallow-user-password  Disable password auth, SSH keys only (auto-enables --enable-ssh-keys)
  --no-auth             Disable authentication (auto-login as current user)
  --allow-local-bypass  Allow localhost connections to bypass authentication
-  --local-auth-token <token>  Token for localhost authentication bypass
  --debug               Enable debug logging

 Push Notification Options:
@ -148,7 +146,6 @@ function parseArgs(): Config {
    bellNotificationsEnabled: true, // Enable bell notifications by default
    // Local bypass configuration
    allowLocalBypass: false,
-    localAuthToken: null as string | null,
  };

  // Check for help flag first
@ -207,9 +204,6 @@ function parseArgs(): Config {
      config.generateVapidKeys = true;
    } else if (args[i] === '--allow-local-bypass') {
      config.allowLocalBypass = true;
-    } else if (args[i] === '--local-auth-token' && i + 1 < args.length) {
-      config.localAuthToken = args[i + 1];
-      i++; // Skip the token value in next iteration
    } else if (args[i].startsWith('--')) {
      // Unknown argument
      logger.error(`Unknown argument: ${args[i]}`);
@ -442,7 +436,6 @@ export async function createApp(): Promise<AppInstance> {
    bearerToken: remoteBearerToken || undefined, // Token that HQ must use to auth with us
    authService, // Add enhanced auth service for JWT tokens
    allowLocalBypass: config.allowLocalBypass,
-    localAuthToken: config.localAuthToken || undefined,
  });

  // Serve static files with .html extension handling