remove authToken; that would prevent localhost from entering pw-less

mac/VibeTunnel/Core/Services/BunServer.swift

@@ -1,6 +1,5 @@
 import Foundation
 import OSLog
-import CryptoKit
 
 /// Server state enumeration
 enum ServerState {
@@ -45,21 +44,6 @@ final class BunServer {
     var port: String = ""
 
     var bindAddress: String = "127.0.0.1"
-    
-    /// Local authentication token for bypassing auth on localhost
-    private let localAuthToken: String = {
-        // Generate a secure random token for this session
-        let randomData = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
-        return randomData.base64EncodedString()
-            .replacingOccurrences(of: "+", with: "-")
-            .replacingOccurrences(of: "/", with: "_")
-            .replacingOccurrences(of: "=", with: "")
-    }()
-    
-    /// Get the local auth token for use in HTTP requests
-    var localToken: String {
-        localAuthToken
-    }
 
     // MARK: - Initialization
 
@@ -169,9 +153,9 @@ final class BunServer {
         
         // Add local bypass authentication for the Mac app
         if authMode != "none" {
-            // Enable local bypass with our generated token
+            // Enable local bypass without requiring token for browser access
-            vibetunnelArgs += " --allow-local-bypass --local-auth-token \(localAuthToken)"
+            vibetunnelArgs += " --allow-local-bypass"
-            logger.info("Local authentication bypass enabled for Mac app")
+            logger.info("Local authentication bypass enabled for localhost connections")
         }
 
         // Create wrapper to run vibetunnel with a parent death signal

mac/VibeTunnel/Core/Services/ServerManager.swift

@@ -224,9 +224,6 @@ class ServerManager {
             }
 
             logger.info("Started server on port \(self.port)")
-            
-            // Pass the local auth token to SessionMonitor
-            SessionMonitor.shared.setLocalAuthToken(server.localToken)
 
             // Trigger cleanup of old sessions after server starts
             await triggerInitialCleanup()
@@ -256,9 +253,6 @@ class ServerManager {
         await server.stop()
         bunServer = nil
         isRunning = false
-        
-        // Clear the auth token from SessionMonitor
-        SessionMonitor.shared.setLocalAuthToken(nil)
 
         // Reset crash tracking when manually stopped
         consecutiveCrashes = 0
@@ -322,11 +316,6 @@ class ServerManager {
             var request = URLRequest(url: url)
             request.httpMethod = "POST"
             request.timeoutInterval = 10
-            
-            // Add local auth token if available
-            if let server = bunServer {
-                request.setValue(server.localToken, forHTTPHeaderField: "X-VibeTunnel-Local")
-            }
 
             // Make the cleanup request
             let (data, response) = try await URLSession.shared.data(for: request)

mac/VibeTunnel/Core/Services/SessionMonitor.swift

@@ -29,17 +29,11 @@ final class SessionMonitor {
     private var lastFetch: Date?
     private let cacheInterval: TimeInterval = 2.0
     private let serverPort: Int
-    private var localAuthToken: String?
 
     private init() {
         let port = UserDefaults.standard.integer(forKey: "serverPort")
         self.serverPort = port > 0 ? port : 4_020
     }
-    
-    /// Set the local auth token for server requests
-    func setLocalAuthToken(_ token: String?) {
-        self.localAuthToken = token
-    }
 
     /// Number of running sessions
     var sessionCount: Int {
@@ -75,13 +69,7 @@ final class SessionMonitor {
                 throw URLError(.badURL)
             }
 
-            var request = URLRequest(url: url, timeoutInterval: 3.0)
+            let request = URLRequest(url: url, timeoutInterval: 3.0)
-            
-            // Add local auth token if available
-            if let token = localAuthToken {
-                request.setValue(token, forHTTPHeaderField: "X-VibeTunnel-Local")
-            }
-            
             let (data, response) = try await URLSession.shared.data(for: request)
 
             guard let httpResponse = response as? HTTPURLResponse,

web/src/server/middleware/auth.ts

@@ -12,7 +12,6 @@ interface AuthConfig {
   bearerToken?: string; // Token that HQ must use to authenticate with this remote
   authService?: AuthService; // Enhanced auth service for JWT tokens
   allowLocalBypass?: boolean; // Allow localhost connections to bypass auth
-  localAuthToken?: string; // Token for localhost authentication
 }
 
 interface AuthenticatedRequest extends Request {
@@ -67,24 +66,10 @@ export function createAuthMiddleware(config: AuthConfig) {
 
     // Check for local bypass if enabled
     if (config.allowLocalBypass && isLocalRequest(req)) {
-      // If a local auth token is configured, check for it
+      logger.debug('Local request authenticated - bypassing auth');
-      if (config.localAuthToken) {
+      req.authMethod = 'local-bypass';
-        const providedToken = req.headers['x-vibetunnel-local'] as string;
+      req.userId = 'local-user';
-        if (providedToken === config.localAuthToken) {
+      return next();
-          logger.debug('Local request authenticated with token');
-          req.authMethod = 'local-bypass';
-          req.userId = 'local-user';
-          return next();
-        } else {
-          logger.debug('Local request missing or invalid token');
-        }
-      } else {
-        // No token required for local bypass
-        logger.debug('Local request authenticated without token');
-        req.authMethod = 'local-bypass';
-        req.userId = 'local-user';
-        return next();
-      }
     }
 
     // Only log auth requests that might be problematic (no header or failures)

web/src/server/server.ts

@@ -63,7 +63,6 @@ interface Config {
   bellNotificationsEnabled: boolean;
   // Local bypass configuration
   allowLocalBypass: boolean;
-  localAuthToken: string | null;
 }
 
 // Show help message
@@ -82,7 +81,6 @@ Options:
   --disallow-user-password  Disable password auth, SSH keys only (auto-enables --enable-ssh-keys)
   --no-auth             Disable authentication (auto-login as current user)
   --allow-local-bypass  Allow localhost connections to bypass authentication
-  --local-auth-token <token>  Token for localhost authentication bypass
   --debug               Enable debug logging
 
 Push Notification Options:
@@ -148,7 +146,6 @@ function parseArgs(): Config {
     bellNotificationsEnabled: true, // Enable bell notifications by default
     // Local bypass configuration
     allowLocalBypass: false,
-    localAuthToken: null as string | null,
   };
 
   // Check for help flag first
@@ -207,9 +204,6 @@ function parseArgs(): Config {
       config.generateVapidKeys = true;
     } else if (args[i] === '--allow-local-bypass') {
       config.allowLocalBypass = true;
-    } else if (args[i] === '--local-auth-token' && i + 1 < args.length) {
-      config.localAuthToken = args[i + 1];
-      i++; // Skip the token value in next iteration
     } else if (args[i].startsWith('--')) {
       // Unknown argument
       logger.error(`Unknown argument: ${args[i]}`);
@@ -442,7 +436,6 @@ export async function createApp(): Promise<AppInstance> {
     bearerToken: remoteBearerToken || undefined, // Token that HQ must use to auth with us
     authService, // Add enhanced auth service for JWT tokens
     allowLocalBypass: config.allowLocalBypass,
-    localAuthToken: config.localAuthToken || undefined,
   });
 
   // Serve static files with .html extension handling