fix: surface https backend requirement in dashboard

[LIghtJUNction]

Motivation

• Users deploying the dashboard to GitHub Pages saw opaque AxiosError: Network Error failures because an HTTP backend is blocked by browser mixed-content when the page is served over HTTPS.
• Avoid applying an insecure (HTTP) backend URL on app bootstrap when the dashboard is served via HTTPS, and give an actionable message to users instead of leaving the client in a broken state.
• Prevent saving backend URLs that will be blocked by the browser so users cannot accidentally persist a non-working configuration from multiple UI entry points.

Description

• Add getApiBaseUrlValidationError and related base normalization helpers to dashboard/src/utils/request.ts to detect and return an actionable validation message for the HTTPS-page + HTTP-backend mixed-content case.
• Change app bootstrap in dashboard/src/main.ts to run the validation and avoid applying stored HTTP backends when the dashboard is served over https:, using setApiBaseUrl only when valid.
• Validate backend URLs before saving in the welcome flow, settings page, and login server dialog by wiring those UIs to the new validation function (dashboard/src/views/WelcomePage.vue, dashboard/src/views/Settings.vue, dashboard/src/views/authentication/auth/LoginPage.vue), and show an explicit error instead of attempting the request.
• Keep axios/fetch URL normalization and the centralized request helpers in place so resolved API/WS URLs continue to be generated consistently across the dashboard.

Testing

• Ran git diff --check and it reported no issues.
• Ran ruff format . which completed successfully.
• Ran ruff check . which failed due to pre-existing repository-wide Ruff violations unrelated to this change.
• Ran cd dashboard && bunx prettier --check src/utils/request.ts src/main.ts src/views/WelcomePage.vue src/views/Settings.vue src/views/authentication/auth/LoginPage.vue which passed formatting checks.
• Attempted a production build with cd dashboard && bunx vite build --debug which entered the build pipeline and produced Vite transform logs but did not finish within the environment time window (timed out in this session).

---

Codex Task

Summary by Sourcery

Validate and normalize configured backend URLs across the dashboard to avoid broken connections and mixed-content issues, and improve server compatibility with language-aware clients.

Bug Fixes:

• Prevent saving or applying HTTP backend URLs when the dashboard is served over HTTPS, avoiding browser mixed-content failures and broken startup state.
• Ensure the welcome flow backend connectivity check restores the previous API base URL if the connection attempt fails, preventing a bad URL from polluting subsequent requests.

Enhancements:

• Reuse centralized API base URL validation and normalization in the welcome flow, settings page, and login server configuration dialog to provide consistent, actionable error feedback to users.
• Allow the dashboard backend server to accept the Accept-Language header for better language-aware client support.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the dashboard's robustness and user experience by addressing mixed-content issues that arise when the dashboard is deployed over HTTPS but attempts to connect to an HTTP backend. It introduces a comprehensive validation and URL resolution system, ensuring that API connections are secure and correctly formed. By centralizing this logic and integrating validation into critical UI flows, the changes prevent common configuration pitfalls and provide users with clear, actionable feedback, moving away from opaque network errors to more informative messages.

Highlights

• Mixed-Content Validation: Introduced getApiBaseUrlValidationError and related helper functions in dashboard/src/utils/request.ts to detect and provide actionable validation messages for mixed-content scenarios (HTTPS dashboard with HTTP backend).
• Secure Backend Configuration: Modified the app bootstrap process in dashboard/src/main.ts to validate API backend URLs, preventing the application of insecure HTTP backends when the dashboard is served over HTTPS. This ensures the client avoids a broken state and receives clear error messages.
• Centralized URL Resolution: Refactored API and WebSocket URL resolution across the dashboard by introducing resolveApiUrl and resolveWebSocketUrl in dashboard/src/utils/request.ts. This centralizes logic, ensuring consistent URL generation and proper handling of base paths and protocols.
• UI Integration of Validation: Integrated the new backend URL validation into key user interface components, including the welcome flow (dashboard/src/views/WelcomePage.vue), settings page (dashboard/src/views/Settings.vue), and login server dialog (dashboard/src/views/authentication/auth/LoginPage.vue), to prevent users from persisting non-working configurations.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a significant improvement, centralizing API URL handling and validation in a new request.ts utility. This effectively addresses the browser mixed-content issue when the dashboard is served over HTTPS. The refactoring across various components to use these new helpers is clean and enhances maintainability. I've identified a high-severity issue where the new validation logic could be bypassed due to the api store's initialization logic. My review includes specific suggestions to rectify this, which will also simplify the application's startup flow.

[gemini-code-assist]

With the proposed change to state initialization, this init() method becomes redundant. The apiBaseUrl is correctly set globally in main.ts before the store is even created, and the store's state will be correctly initialized from that global value. Calling setApiBaseUrl again here is unnecessary. This method and its calls in main.ts can be removed to simplify the app's startup logic.

[gemini-code-assist]

Following the simplification of the apiStore initialization, this call to apiStore.init() is no longer necessary and should be removed. Please see my related comments in dashboard/src/stores/api.ts for the full context.

[gemini-code-assist]

This call to apiStore.init() is also redundant and should be removed as part of the apiStore initialization simplification.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In checkAndSaveBackend you normalize before validation, but in the Settings and Login flows you pass the raw URL into getApiBaseUrlValidationError; consider normalizing first in those flows as well so validation behavior (e.g., handling of trailing slashes or missing scheme) is consistent across all entry points.
• The error message in checkAndSaveBackend currently interpolates the entire error object (Failed to connect to backend: ${error}); using error.message or extracting a more user-friendly Axios error description would avoid noisy [object Object] output and give users clearer feedback.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `checkAndSaveBackend` you normalize before validation, but in the Settings and Login flows you pass the raw URL into `getApiBaseUrlValidationError`; consider normalizing first in those flows as well so validation behavior (e.g., handling of trailing slashes or missing scheme) is consistent across all entry points.
- The error message in `checkAndSaveBackend` currently interpolates the entire error object (`Failed to connect to backend: ${error}`); using `error.message` or extracting a more user-friendly Axios error description would avoid noisy `[object Object]` output and give users clearer feedback.

## Individual Comments

### Comment 1
<location path="dashboard/src/views/authentication/auth/LoginPage.vue" line_range="29-35" />
<code_context>
 const newPresetUrl = ref("");

 function saveApiUrl() {
+  const validationError = getApiBaseUrlValidationError(apiUrl.value);
+  if (validationError) {
+    toast.error(validationError);
+    return;
+  }
+
   apiStore.setApiBaseUrl(apiUrl.value);
   serverConfigDialog.value = false;
   window.location.reload();
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Align API URL handling here with the new normalization/validation pattern used on the welcome page.

Here `saveApiUrl` validates and then persists `apiUrl.value` directly, while the welcome page does normalize → validate → `setApiBaseUrl` using the normalized URL. If `normalizeConfiguredApiBaseUrl` enforces key invariants (e.g., trailing slashes, scheme), consider using it here as well so validation and stored values stay consistent and callers can always rely on a normalized base URL regardless of where it was configured.

Suggested implementation:

```
function saveApiUrl() {
  const normalizedApiUrl = normalizeConfiguredApiBaseUrl(apiUrl.value);
  const validationError = getApiBaseUrlValidationError(normalizedApiUrl);
  if (validationError) {
    toast.error(validationError);
    return;
  }

  apiStore.setApiBaseUrl(normalizedApiUrl);
  serverConfigDialog.value = false;
  window.location.reload();

```

1. Ensure `normalizeConfiguredApiBaseUrl` is imported in this file from the same module used on the welcome page (e.g., a shared API config/util file).
2. If the welcome page wraps `normalizeConfiguredApiBaseUrl` in any additional error handling (e.g., try/catch if it can throw), mirror that pattern here for consistency.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Align API URL handling here with the new normalization/validation pattern used on the welcome page.

Here saveApiUrl validates and then persists apiUrl.value directly, while the welcome page does normalize → validate → setApiBaseUrl using the normalized URL. If normalizeConfiguredApiBaseUrl enforces key invariants (e.g., trailing slashes, scheme), consider using it here as well so validation and stored values stay consistent and callers can always rely on a normalized base URL regardless of where it was configured.

Suggested implementation:

function saveApiUrl() {
  const normalizedApiUrl = normalizeConfiguredApiBaseUrl(apiUrl.value);
  const validationError = getApiBaseUrlValidationError(normalizedApiUrl);
  if (validationError) {
    toast.error(validationError);
    return;
  }

  apiStore.setApiBaseUrl(normalizedApiUrl);
  serverConfigDialog.value = false;
  window.location.reload();

1. Ensure normalizeConfiguredApiBaseUrl is imported in this file from the same module used on the welcome page (e.g., a shared API config/util file).
2. If the welcome page wraps normalizeConfiguredApiBaseUrl in any additional error handling (e.g., try/catch if it can throw), mirror that pattern here for consistency.