fix: browser-style login from app windows dies on IPC scope rejection (v0.0.67)#145
Conversation
Logging out of a remotely-hosted app (e.g. mero-blocks.vercel.app) and navigating in-window to the node's auth page (http://localhost:2528/auth/login) left the user stuck on "No providers available": every fetch from that page was routed through the Tauri IPC proxy, but Tauri v1 matches IPC scopes by exact domain — only the app's own domain was registered, so all IPC calls from the localhost-origin page failed with "Scope not defined for URL", and the proxy re-threw instead of falling back. - proxy_script.js: only proxy fetch/XHR from HTTPS pages (the proxy exists solely to bypass mixed-content blocking; plain-HTTP pages can reach http://localhost natively), and fall back to the native fetch/XHR path as a last resort when the proxy fails - create_app_window: register IPC scopes for the node host and localhost in addition to the app domain, so IPC survives in-window navigation to the auth page - tauri.conf.json: drop the dangerousRemoteDomainIpcAccess wildcard entry — Tauri v1 does exact matching only, so it never matched anything - bump app to 0.0.67 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The proxy-script test harness injects the IIFE with a bare mock window that has no `location`, so pageNeedsProxy() threw. Give the mock a location (HTTPS by default so proxy-path tests keep exercising the proxy), add a test for the http-page → native-fetch bypass, and make pageNeedsProxy() fall back to the historical always-proxy behavior if location is ever unreadable. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 2 agents | Quality score: 90% | Review time: 339.4s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-baeaa78f
Documentation ReviewThe following documentation may need updates based on the changes in this PR:
|
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 2 agents | Quality score: 90% | Review time: 198.9s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-1d79f389
rc.14 embeds auth-frontend v1.3.1 (auth-frontend#37), which pairs with the proxy fix in this PR: the login page recovers from a failed providers load instead of dead-ending on "No providers available". NOTE: builds fail until core 0.11.0-rc.14 is released (core#3218) — the prepare-merod script downloads the binary by release tag. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Added the bundled-merod bump to 0.11.0-rc.14. Build checks will stay red until core cuts the rc.14 release (calimero-network/core#3218) — |
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 2 agents | Quality score: 90% | Review time: 204.8s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-b5c4883b
…cope # Conflicts: # apps/desktop/src-tauri/src/proxy_script.js # apps/desktop/src/utils/proxyScript.test.ts
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 2 agents | Review time: 631.4s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-781d98b6
Bugbot is paused — on-demand spend limit reachedBugbot uses usage-based billing for this team and has hit its on-demand spend limit. A team admin can raise the spend limit in the Cursor dashboard, or wait for the next billing cycle to continue. |
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 2 agents | Review time: 138.2s
✅ No Issues Found
All agents reviewed the code and found no issues. LGTM! 🎉
🤖 Generated by AI Code Reviewer | Review ID: review-7fe01fcf
Problem
Logging out of a remotely-hosted app (e.g.
mero-blocks.vercel.app) and going through the browser-style login navigates the app window to the node's auth page (http://localhost:2528/auth/login?...). That page then dead-ends on "No providers available / No authentication providers are configured on this node." even though the node has providers configured.Console shows:
Root cause
Three stacked issues:
tauri-1.8.3/src/scope/ipc.rs) on both domain and window label. The{"domain": "*", "windows": ["*"]}entry intauri.conf.jsondangerousRemoteDomainIpcAccessnever matched anything — dead config.create_app_windowregisters an IPC scope only for the app's own domain. After in-window navigation to the auth page, the page origin islocalhost, which has no scope — every IPC call from it is rejected.proxy_script.jsroutes allhttp://localhostfetches through Tauri IPC, even on the auth page itself, where native fetch would work fine (the page is plain-HTTP and same-origin with the node — no mixed content). On proxy failure it re-threw instead of falling back, so the providers request died withHTTP 0.This only bites apps hosted on a domain other than the node — locally-served apps register
localhostas their scope domain, which is why it looked intermittent.Fix
proxy_script.js: only proxy fetch/XHR when the page is served over HTTPS — the proxy exists solely to bypass mixed-content blocking. On plain-HTTP pages (the auth frontend), requests now go through native fetch and just work. Fetch and XHR also fall back to the native path as a last resort if the proxy fails.create_app_window: register IPC scopes for the app domain + the configured node host +localhost(deduped), so IPC survives in-window navigation to the auth page. (Url::domain()returnsNonefor IP hosts, so127.0.0.1pages can never match a scope in Tauri v1 — the JS fallback covers those.)tauri.conf.json: remove the inert wildcarddangerousRemoteDomainIpcAccessentry so it can't be mistaken for real coverage.Testing
cargo checkpasses (viaTAURI_CONFIGallowlist patch; plaincargo checkfails on the pre-existinghttp-allfeature/allowlist mismatch that the tauri CLI reconciles duringtauri build)node --checkonproxy_script.jspassesCompanion PR in auth-frontend improves recovery UX on the providers page (distinguishes "unable to load" from "none configured" + retry).
🤖 Generated with Claude Code