HeyPuter · Salazareo · Mar 24, 2026 · Mar 24, 2026
diff --git a/src/backend/src/routers/hosting/puterSiteMiddleware.js b/src/backend/src/routers/hosting/puterSiteMiddleware.js
@@ -331,53 +331,6 @@ function getPrivateAccessRejectionReason (error) {
     return error?.code || error?.message || 'unknown';
 }
 
-function stripBootstrapAuthTokenFromOriginalUrl (originalUrl) {
-    if ( typeof originalUrl !== 'string' || !originalUrl ) return null;
-
-    try {
-        const placeholderOrigin = 'https://placeholder.puter.local';
-        const parsedUrl = new URL(originalUrl, placeholderOrigin);
-        const hadToken =
-            parsedUrl.searchParams.has('puter.auth.token')
-            || parsedUrl.searchParams.has('auth_token');
-        if ( ! hadToken ) return null;
-
-        parsedUrl.searchParams.delete('puter.auth.token');
-        parsedUrl.searchParams.delete('auth_token');
-
-        const search = parsedUrl.searchParams.toString();
-        const cleanPath = parsedUrl.pathname || '/';
-        return search ? `${cleanPath}?${search}` : cleanPath;
-    } catch {
-        return null;
-    }
-}
-
-function hasAppInstanceIdQueryParam (req) {
-    const queryParamCandidates = [
-        req.query?.['puter.app_instance_id'],
-        req.query?.puter?.app_instance_id,
-    ];
-    for ( const queryParamCandidate of queryParamCandidates ) {
-        if ( typeof queryParamCandidate === 'string' && queryParamCandidate.trim() ) {
-            return true;
-        }
-    }
-
-    if ( typeof req.originalUrl !== 'string' || !req.originalUrl ) {
-        return false;
-    }
-
-    try {
-        const placeholderOrigin = 'https://placeholder.puter.local';
-        const parsedUrl = new URL(req.originalUrl, placeholderOrigin);
-        const appInstanceId = parsedUrl.searchParams.get('puter.app_instance_id');
-        return typeof appInstanceId === 'string' && !!appInstanceId.trim();
-    } catch {
-        return false;
-    }
-}
-
 function getTokenFromAuthorizationHeader (req) {
     const authorizationHeader = req.headers?.authorization;
     if ( typeof authorizationHeader !== 'string' ) return null;
@@ -920,18 +873,6 @@ async function evaluatePublicHostedActorContext ({
         return true;
     }
 
-    const sanitizedUrl = stripBootstrapAuthTokenFromOriginalUrl(req.originalUrl);
-    if ( sanitizedUrl ) {
-        logPrivateAccessEvent('public_actor.cookie_redirect', {
-            appUid: tokenAppUid ?? null,
-            userUid: identity.userUid ?? null,
-            requestHost: req.hostname,
-            redirectUrl: sanitizedUrl,
-        });
-        res.redirect(sanitizedUrl);
-        return false;
-    }
-
     return true;
 }
 
@@ -1238,30 +1179,6 @@ async function evaluatePrivateAppAccess ({ req, res, services, app, requestPath
             }),
         );
 
-        const sanitizedUrl = stripBootstrapAuthTokenFromOriginalUrl(req.originalUrl);
-        const shouldKeepBootstrapTokenInUrl = hasAppInstanceIdQueryParam(req);
-        if ( sanitizedUrl && !shouldKeepBootstrapTokenInUrl ) {
-            logPrivateAccessEvent('private_access.allowed_cookie_redirect', {
-                appUid: app.uid,
-                userUid: identity.userUid ?? null,
-                requestHost: req.hostname,
-                requestPath,
-                source: identity.source,
-                redirectUrl: sanitizedUrl,
-            });
-            res.redirect(sanitizedUrl);
-            return false;
-        }
-        if ( sanitizedUrl && shouldKeepBootstrapTokenInUrl ) {
-            logPrivateAccessEvent('private_access.allowed_cookie_redirect_skipped_for_app_instance', {
-                appUid: app.uid,
-                userUid: identity.userUid ?? null,
-                requestHost: req.hostname,
-                requestPath,
-                source: identity.source,
-                redirectUrl: sanitizedUrl,
-            });
-        }
     }
 
     logPrivateAccessEvent('private_access.allowed', {

diff --git a/src/backend/src/routers/hosting/puterSiteMiddleware.test.js b/src/backend/src/routers/hosting/puterSiteMiddleware.test.js
@@ -1135,7 +1135,7 @@ describe('PuterSiteMiddleware', () => {
                 'private-token',
                 { sameSite: 'none' },
             );
-            expect(mockRes.redirect).toHaveBeenCalledWith('/asset.js?foo=bar');
+            expect(mockRes.redirect).not.toHaveBeenCalled();
             expect(mockNext).not.toHaveBeenCalled();
         });
 
@@ -1729,7 +1729,7 @@ describe('PuterSiteMiddleware', () => {
             expect(mockNext).not.toHaveBeenCalled();
         });
 
-        it('sets public hosted cookie and redirects to sanitized url for bootstrap tokens', async () => {
+        it('sets public hosted cookie for bootstrap tokens without server-side token stripping redirect', async () => {
             const { rootDirectoryNode, missingFileNode } = createRootAndMissingNodes();
             let filesystemNodeCallCount = 0;
             const authService = {
@@ -1835,7 +1835,7 @@ describe('PuterSiteMiddleware', () => {
                 'public-hosted-token-333',
                 { sameSite: 'none' },
             );
-            expect(mockRes.redirect).toHaveBeenCalledWith('/asset.js?foo=bar');
+            expect(mockRes.redirect).not.toHaveBeenCalled();
             expect(mockNext).not.toHaveBeenCalled();
         });
 
@@ -1942,7 +1942,7 @@ describe('PuterSiteMiddleware', () => {
                 subdomain: 'paid',
                 host: 'paid.site.puter.localhost',
             });
-            expect(mockRes.redirect).toHaveBeenCalledWith('/asset.js?foo=bar');
+            expect(mockRes.redirect).not.toHaveBeenCalled();
             expect(mockNext).not.toHaveBeenCalled();
         });
 

diff --git a/src/backend/src/services/BaseService.d.ts b/src/backend/src/services/BaseService.d.ts
@@ -19,6 +19,7 @@ import type { MeteringServiceWrapper } from './MeteringService/MeteringServiceWr
 import type { SUService } from './SUService';
 import type { UserService } from './UserService';
 import { TokenService } from './auth/TokenService';
+import { SessionService } from './SessionService';
 
 export interface ServicesMap {
     su: SUService;
@@ -41,7 +42,8 @@ export interface ServicesMap {
     'clean-email': CleanEmailService;
     'error-service': ErrorService;
     driver: DriverService;
-    'token': TokenService
+    'token': TokenService;
+    'session': SessionService;
 }
 
 export interface ServiceResources {