What happened?
Screen.Recording.2026-06-02.at.15.13.57.mov
Follow-up to #5292, scoped to extension-provided OAuth login flows.
When an extension OAuth provider calls OAuthLoginCallbacks.onPrompt() more than once in the same login dialog, the current prompt's live input can also render in earlier prompt rows.
I reproduced this with a local extension provider named Prompt Repro: the first prompt asks for First prompt: with placeholder first-value, then the second prompt asks for Second prompt:. After submitting the first prompt and typing second-secret-demo into the second prompt, the first prompt row also shows > second-secret-demo.
The submitted values are still captured sequentially. The bug is visual/TUI-only, but it can reveal a secret such as an API key in a previous prompt slot.
Steps to reproduce
1. Install or load an extension that registers an OAuth provider whose oauth.login(callbacks) does:
2. Start Pi and run /login.
3. Select Use a subscription.
4. Select the extension provider, for example Prompt Repro.
5. Submit the first prompt.
6. Type into the second prompt without submitting.
Observed:
First prompt:
e.g., first-value
> second-secret-demo
Second prompt:
> second-secret-demo
The original real-world flow was a LiteLLM extension that asks for a base URL, then an API key.
Expected behavior
Only the active prompt should render a live input. Previous prompt rows should remain visible as stable submitted text or otherwise stop rendering the active input value.
A fix should preserve auth content already shown by onAuth() before onPrompt(); the whole login dialog should not be cleared between prompts.
Version
0.78.1
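The observed and expected renders from this report can be modelled in a few lines and turned into a regression check. This is an added example, not code from the issue or from Pi: `LoginDialogModel`, `renderRepro`, `rowsShowing` and the sample value `first-answer` are hypothetical names and constructed data.

```typescript
// Added illustration: a hypothetical dialog model, not Pi's TUI code or API.
type Row = { label: string; placeholder?: string; submitted?: string };
class LoginDialogModel {
  private rows: Row[] = [];
  private liveInput = ""; // one shared input buffer for the whole dialog
  private freezeSubmitted: boolean;
  constructor(freezeSubmitted: boolean) { this.freezeSubmitted = freezeSubmitted; }
  // Called once per prompt, as when a provider invokes onPrompt() repeatedly.
  prompt(label: string, placeholder?: string): void {
    this.rows.push({ label, placeholder });
    this.liveInput = "";
  }
  type(text: string): void { this.liveInput += text; }
  submit(): string {
    const active = this.rows[this.rows.length - 1];
    if (!active) throw new Error("no active prompt");
    const value = this.liveInput;
    active.submitted = value; // snapshot kept with the row it belongs to
    this.liveInput = "";
    return value;
  }
  render(): string[] {
    const out: string[] = [];
    this.rows.forEach((row, i) => {
      const isActive = i === this.rows.length - 1 && row.submitted === undefined;
      out.push(row.label);
      if (row.placeholder) out.push(`e.g., ${row.placeholder}`);
      // Without freezing, every row draws the shared live buffer (the leak).
      const shown = isActive || !this.freezeSubmitted ? this.liveInput : (row.submitted ?? "");
      out.push(`> ${shown}`);
    });
    return out;
  }
}

// Drives the reported flow; "first-answer" is a constructed sample value.
function renderRepro(freezeSubmitted: boolean): string[] {
  const dialog = new LoginDialogModel(freezeSubmitted);
  dialog.prompt("First prompt:", "first-value");
  dialog.type("first-answer");
  dialog.submit();
  dialog.prompt("Second prompt:");
  dialog.type("second-secret-demo"); // typed, not submitted
  return dialog.render();
}
// Regression check: how many rendered lines expose the in-progress value.
function rowsShowing(lines: string[], value: string): number {
  return lines.filter((line) => line.includes(value)).length;
}
```

`renderRepro(false)` reproduces the five lines under "Observed:"; with `renderRepro(true)` the typed value appears only in the active row.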