Dashboard infinite reload loop in loopback mode — GET /api/auth/me returns 401 on every page load

[beeaton]

Description:

 When running hermes dashboard --host 0.0.0.0 --port 9119 --insecure --skip-build (loopback / non-OAuth mode), the web dashboard enters an infinite full-page reload loop on every page load. The page reloads multiple times per
 second and cannot be interacted with.

 Root Cause:

 The SPA's AuthWidget component calls GET /api/auth/me on mount. In loopback mode there is no OAuth session, so request.state.session is never set. The endpoint raises HTTPException(401):

 python
 sess = getattr(request.state, "session", None)
 if sess is None:
     raise HTTPException(status_code=401, detail="Unauthorized")

 This 401 is caught by fetchJSON()'s global 401 handler in web/src/lib/api.ts, which was designed to handle stale session tokens after a server restart. Since /api/auth/me returns 401 on every request in loopback mode, the first
 API call on every page load triggers window.location.reload(), creating an infinite reload loop.

 Fix applied locally:

 1. hermes_cli/dashboard_auth/routes.py — Return null envelope (200) instead of 401 when session is None
 2. hermes_cli/web_server.py — Added /api/auth/me and /api/auth/providers to _PUBLIC_API_PATHS
 3. web/src/components/AuthWidget.tsx — Guard against null session data in loopback mode

 Expected Behavior:

 In loopback mode, the AuthWidget should either not call /api/auth/me, or the endpoint should return a non-401 response that the AuthWidget can handle gracefully (render nothing).

[

github-issue.md

](url)

[teknium1]

Fixed on main by commit a5c1f92 ("fix(web): stop /api/auth/me 401 from triggering a reload loop"). Diagnosis was exactly right — /api/auth/me 401s by design in loopback mode, but fetchJSON's loopback 401 handler was treating it as a stale rotated session token and full-page-reloading to pick up a fresh one. Every other dashboard call (status, config, sessions) succeeds and clears the one-shot reload guard, so the guard never sticks and the page reload-loops forever.

The fix adds an allowUnauthorized opt-out to fetchJSON that skips only the loopback stale-token reload (the 401 still throws so AuthWidget can swallow it; gated-mode redirect via login_url is unaffected), and wires it through getAuthMe.

This landed ~3 hours after v0.15.0 was tagged, so it isn't in the PyPI release you're running. Update to pick it up:

hermes update

Closing as fixed on main. Will be in the next patch release. Thanks for the detailed report — the network/console traces made the diagnosis a one-shot.

[Milad]

I"m still getting {"detail":"Unauthorized"} as a response to GET /api/auth/me. Running on v0.15.2.

Is there a special thing to do after upgrading?