
fix(auth): honor HERMES_DASHBOARD_PUBLIC_URL for self-hosted OIDC callback (#42780)#42937

Open

rodboev wants to merge 1 commit into NousResearch:main from rodboev:pr/dashboard-public-url-selfhosted-oidc


Conversation

rodboev (Contributor) commented Jun 9, 2026

Summary

Self-hosted dashboard OIDC login could still build an http://.../auth/callback redirect behind Docker and reverse proxies even when HERMES_DASHBOARD_PUBLIC_URL was set to the correct public https://... origin. This PR makes the env-backed public URL path authoritative for the self-hosted callback flow and adds a regression test so proxy-derived scheme inference cannot override it.

What Changed

  • hermes_cli/dashboard_auth/prefix.py and/or hermes_cli/dashboard_auth/routes.py: keep self-hosted callback construction on the documented public-url authority path
  • dashboard auth tests: assert self-hosted login uses https://<public>/auth/callback when only HERMES_DASHBOARD_PUBLIC_URL is configured

Why It Matters

Operators running Hermes behind reverse proxies should not have to duplicate the public callback origin into config.yaml when the documented env override is already present. This restores the advertised Docker/reverse-proxy deployment behavior and prevents OIDC providers from rejecting the callback before login even begins.

Verification

pytest tests/hermes_cli/test_dashboard_auth*.py -v --timeout=60
pytest tests/ -v --timeout=60

liuhao1024 (Contributor) commented

Positive verification — clean security fix.

The approach of persisting redirect_uri in the PKCE cookie and recovering it in the callback is correct and ensures the same URI is presented to the OIDC provider in both start_login and complete_login. This eliminates the scheme-mismatch failure when a reverse proxy infers http on the callback request even though HERMES_DASHBOARD_PUBLIC_URL specifies https.

Observations:

  • quote(redirect_uri, safe='') properly URL-encodes the stored value; unquote() in the callback reverses it. No injection vector.
  • The _validate_post_login_target guard on next is untouched — good; those two cookie fields serve different purposes.
  • Test exercises the exact failure mode: x-forwarded-proto: http on the callback request, env-backed https:// public URL, and asserts both start and complete see the same https URI.

No issues found.
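The mechanism both the PR description and the review above describe, as an added example that is not Hermes project code: the configured public URL decides the callback scheme, the proxy header is consulted only as a fallback, and the redirect_uri chosen at login start is stored URL-encoded next to the PKCE verifier so the callback reuses it instead of re-deriving it from the callback request. Function names, the cookie layout and the sample hostnames are hypothetical.

```python
# Added example, not hermes_cli code. Mirrors the behaviour the PR describes;
# every name here (resolve_callback_url, build_pkce_cookie, ...) is hypothetical.
from urllib.parse import quote, unquote

CALLBACK_PATH = "/auth/callback"


def resolve_callback_url(env: dict, headers: dict, host: str) -> str:
    """Absolute redirect_uri to present to the OIDC provider.

    HERMES_DASHBOARD_PUBLIC_URL is authoritative; the proxy-derived scheme is
    used only when no public URL is configured (the pre-fix failure mode was
    letting the header win even when the env var was set).
    """
    public_url = env.get("HERMES_DASHBOARD_PUBLIC_URL")
    if public_url:
        return public_url.rstrip("/") + CALLBACK_PATH
    # Fallback: first value of a possibly comma-separated x-forwarded-proto.
    scheme = headers.get("x-forwarded-proto", "http").split(",")[0].strip()
    return f"{scheme}://{host}{CALLBACK_PATH}"


def build_pkce_cookie(verifier: str, redirect_uri: str) -> str:
    """Constructed cookie layout: verifier and redirect_uri, each percent-encoded
    with safe='' so '&', '=' and '/' in the values cannot break the split."""
    return f"v={quote(verifier, safe='')}&r={quote(redirect_uri, safe='')}"


def read_pkce_cookie(value: str) -> dict:
    fields = dict(part.split("=", 1) for part in value.split("&"))
    return {"verifier": unquote(fields["v"]), "redirect_uri": unquote(fields["r"])}


def start_login(env: dict, headers: dict, host: str, verifier: str):
    redirect_uri = resolve_callback_url(env, headers, host)
    return redirect_uri, build_pkce_cookie(verifier, redirect_uri)


def complete_login(cookie: str) -> str:
    # Reuse the stored value; never recompute from the callback request's headers.
    return read_pkce_cookie(cookie)["redirect_uri"]


def demo():
    """Constructed scenario: env-backed https public URL, proxy sends
    x-forwarded-proto: http on the callback request. Both sides must agree."""
    env = {"HERMES_DASHBOARD_PUBLIC_URL": "https://hermes.example.test"}
    start_uri, cookie = start_login(env, {"x-forwarded-proto": "https"},
                                    "hermes.example.test", "s3cr3t-verifier")
    # The callback request would carry {"x-forwarded-proto": "http"}; ignored.
    return start_uri, complete_login(cookie)
```

Running demo() returns the same https callback URI for both the start and the complete step, which is the property the regression test in this PR asserts.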

alt-glitch added labels type/bug (Something isn't working), P3 (Low — cosmetic, nice to have), area/auth (Authentication, OAuth, credential pools), comp/cli (CLI entry point, hermes_cli/, setup wizard) on Jun 9, 2026
rodboev force-pushed the pr/dashboard-public-url-selfhosted-oidc branch from 4d06527 to 754845e on June 10, 2026 13:44
