fix(dashboard): send Auth1 token in PostAuth header for v2.0.89 login #144

Closed
Await-d wants to merge 3 commits into dwgx:master from Await-d:fix/postauth-auth1-header-protocol

Await-d commented May 7, 2026

Affected version

  • Reproduced on v2.0.89 deployments during email/password login.
  • The visible failure is:
    • ERR_POSTAUTH_FAILED
    • unauthenticated: missing required header: X-Devin-Auth1-Token

Summary

  • update WindsurfPostAuth to send the Auth1 token via X-Devin-Auth1-Token
  • switch PostAuth to the current empty application/proto request body shape
  • parse raw PostAuth responses for devin-session-token$... session credentials
  • add a regression assertion for the Devin Auth1 header protocol

Why this is separate from v2.0.90

v2.0.90 fixes the later OneTimeToken/OTT failure by using the Devin sessionToken directly as the API key. This PR fixes an earlier PostAuth protocol failure where upstream now requires the Auth1 token in the X-Devin-Auth1-Token header instead of the JSON body.

Verification

  • node --test test/v2090-ott-bypass.test.js
  • node --check src/dashboard/windsurf-login.js
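
The request shape and raw-response parsing summarized in the description above, as an added example that is not code from this PR or the project. The function names, token alphabet, length bound and sample bytes are assumptions; only the header name, content type and `devin-session-token$` prefix come from the page.

```javascript
// Added illustration; not code from this PR or the project.
const SESSION_PREFIX = 'devin-session-token$'; // prefix named in the PR summary
const TOKEN_BODY = /^[A-Za-z0-9._~+\/=-]+/;    // assumed token alphabet
const MAX_TOKEN_LEN = 4096;                    // assumed upper bound
const HEADER_SAFE = /^[\x21-\x7e]+$/;          // printable ASCII, no spaces, CR or LF

// Build the request shape the PR describes: token in a header, empty proto body.
// Values are validated so a malformed token cannot inject extra header lines.
function buildPostAuthRequest(auth1Token, referer) {
  for (const [name, value] of [['auth1Token', auth1Token], ['referer', referer]]) {
    if (typeof value !== 'string' || !HEADER_SAFE.test(value)) {
      throw new TypeError(`${name} is not a safe header value`);
    }
  }
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/proto',
      'X-Devin-Auth1-Token': auth1Token,
      Referer: referer,
    },
    body: new Uint8Array(0),
  };
}

// Scan a raw (undecoded) response for the session credential.
// Stops at the first byte outside the assumed alphabet; a schema-based
// decode is more exact when the response message definition is known.
function extractSessionToken(raw) {
  const text = Buffer.from(raw).toString('latin1'); // one byte per char
  const start = text.indexOf(SESSION_PREFIX);
  if (start === -1) return null;
  const from = start + SESSION_PREFIX.length;
  const match = TOKEN_BODY.exec(text.slice(from, from + MAX_TOKEN_LEN + 1));
  if (!match || match[0].length > MAX_TOKEN_LEN) return null;
  return SESSION_PREFIX + match[0];
}

// Keep credentials out of logs: show only the prefix and the length.
function redactToken(token) {
  return `${SESSION_PREFIX}<redacted:${token.length - SESSION_PREFIX.length} chars>`;
}
```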

dwgx and others added 3 commits May 5, 2026 00:50
…l-audit v2.0.88-90

- client.js: cascadeHistoryBudget default 200k→400k, add truncation note
  for trimmed history so model doesn't ask user to repeat
- handlers/chat.js: add IP-rate-limit circuit breaker for non-stream and
  stream paths, record policy blocked + rate limited events
- handlers/messages.js: defensive startMessage() in finish() prevents
  event ordering violation when message stops before it starts
- dashboard/stats.js: track policyBlockedCount and rateLimitedCount,
  persist to stats.json for dashboard visibility

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ling

- Frontend saveGlobalProxy/editAccountProxy now checks API error response
  before showing success toast (fixes silent failure on ERR_PROXY_PRIVATE_HOST)
- parseProxyUrl normalizes whitespace and supports space-separated format
  like "socks5 127.0.0.1 1089" in addition to canonical URL form
- setGlobalProxy/setAccountProxy auto-trim proxy host values

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Await-d changed the title from "fix(dashboard): send Auth1 token in PostAuth header" to "fix(dashboard): send Auth1 token in PostAuth header for v2.0.89 login" May 7, 2026
dwgx added a commit that referenced this pull request May 7, 2026
…Await-d)

Upstream PostAuth now expects:
- Empty application/proto body instead of JSON bridge
- X-Devin-Auth1-Token header + Referer
- Raw response parsing for devin-session-token

Co-authored-by: Await-d

dwgx (Owner) commented May 7, 2026

@Await-d Thanks! PostAuth proto body + raw token parsing have been cherry-picked to master (commit 1383b0c). The empty body + Referer + X-Devin-Auth1-Token header + parsePostAuthResponseData are all merged. Will add to the Credits panel.

dwgx (Owner) commented May 7, 2026

Cherry-picked to master in 1383b0c. Thanks @Await-d!

dwgx closed this May 7, 2026
dwgx added a commit that referenced this pull request May 7, 2026
…137 proxy parse + cache switch

- P0: ReferenceError context is not defined in streamResponse (#135)
- PostAuth empty proto body + X-Devin-Auth1-Token + Referer (#134 via @Await-d PR #144)
- parseProxyUrl whitespace + frontend error check (#137)
- RESPONSE_CACHE_ENABLED env (PR #142 by @suhaihui-git)
- IP rate-limit circuit breaker (#132)
- CLAUDE.md for agent rules
dwgx added a commit that referenced this pull request May 9, 2026
…Await-d)

Upstream PostAuth now expects:
- Empty application/proto body instead of JSON bridge
- X-Devin-Auth1-Token header + Referer
- Raw response parsing for devin-session-token

Co-authored-by: Await-d
dwgx added a commit that referenced this pull request May 9, 2026
…137 proxy parse + cache switch

- P0: ReferenceError context is not defined in streamResponse (#135)
- PostAuth empty proto body + X-Devin-Auth1-Token + Referer (#134 via @Await-d PR #144)
- parseProxyUrl whitespace + frontend error check (#137)
- RESPONSE_CACHE_ENABLED env (PR #142 by @suhaihui-git)
- IP rate-limit circuit breaker (#132)
- CLAUDE.md for agent rules