fix(hub): print direct local login link on startup #363

Open
Sun-sunshine06 wants to merge 1 commit into tiann:main from Sun-sunshine06:pr/hub-direct-login

@Sun-sunshine06
Contributor

Summary

Print a direct local login link when HAPI Hub starts, and update CLI guidance to point users to that startup output.

Why

When HAPI Hub is opened remotely or through a browser on another device, it can be inconvenient to manually find the access token in local config files.
A startup login URL makes first-time access much easier.

Changes

  • print a local login URL on hub startup
  • extract direct-access URL helpers into a small utility
  • add unit tests for tokenized URL generation
  • update CLI auth/token help text to mention the startup login URL

Notes

  • this keeps the change scoped to discoverability and onboarding
  • no runtime auth flow is changed

Testing

  • cd hub && bun test src/utils/directAccess.test.ts
  • bun typecheck

@github-actions github-actions bot left a comment

Findings

  • [Major] Startup log now prints tokenized login URL every run; CLI_API_TOKEN ends up in logs even when sourced from env/file. Evidence hub/src/index.ts:232
    Suggested fix:
    ```
    if (config.cliApiTokenIsNew || process.env.HAPI_LOG_TOKENS === 'true') {
        console.log('[Web] Login:  ' + localDirectAccessUrl)
    }
    ```

Summary

  • Review mode: initial. 1 major issue: token logged each startup; gate behind opt-in or only on new token.

Testing

  • Not run (automation)

console.log('[Web] Hub listening on :' + config.listenPort)
console.log('[Web] Local: http://localhost:' + config.listenPort)
console.log('[Web] Local: ' + localUrl)
console.log('[Web] Login: ' + localDirectAccessUrl)
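
Review bot: the last line of this hunk sends localDirectAccessUrl through the same console.log as the banner lines above it, so the login link is captured wherever stdout is redirected (a log file, a service manager journal). Whichever gating is chosen, consider also printing the full link only when stdout is an interactive terminal, for example by checking process.stdout.isTTY, and a masked form otherwise.
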
[MAJOR] Startup log prints tokenized login URL every run; CLI_API_TOKEN ends up in logs even when sourced from env/file. Evidence hub/src/index.ts:232.

Suggested fix:

```
if (config.cliApiTokenIsNew || process.env.HAPI_LOG_TOKENS === 'true') {
    console.log('[Web] Login:  ' + localDirectAccessUrl)
}
```

@hqhq1025
Collaborator

Useful feature — the local login link is a nice DX improvement, and the code is well-structured (extracted utility + tests).

One concern: the token is printed in plain text in the terminal log.

```
[Web] Login: http://localhost:3006/?token=
```

If the user shares terminal output (e.g. in a bug report, screenshot, or log aggregation), the token leaks. For a local-only scenario the risk is low, but worth considering:

  • Mask the token in the log output (e.g. show only the first 8 chars: `?token=abc12345....`)
  • Or print the URL only on first run / behind a flag

This may be an acceptable tradeoff for the maintainer to decide — just flagging the risk.
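
One way to combine the two options raised above (masking the token, and printing the full link only on first run), as an added example that is not code from this PR or from the HAPI project. `maskTokenInUrl`, `loginLine`, `VISIBLE_CHARS` and the sample token are hypothetical; the `token` query parameter name is taken from the log line quoted above.

```typescript
// Added example; function names and the sample token are hypothetical.
const VISIBLE_CHARS = 8; // prefix length suggested in the review comment
// Constructed sample value, not a real token (32 characters long).
const SAMPLE_URL = 'http://localhost:3006/?token=abc12345' + 'z'.repeat(24);

// Return the URL with its `token` query value masked, for use in log lines.
function maskTokenInUrl(rawUrl: string, visible: number = VISIBLE_CHARS): string {
    const url = new URL(rawUrl);
    const token = url.searchParams.get('token');
    if (token === null) return rawUrl; // no token present, nothing to mask
    // Show at most a quarter of the token so a short token is not mostly revealed.
    const keep = Math.min(visible, Math.floor(token.length / 4));
    url.searchParams.set('token', token.slice(0, keep) + '....');
    return url.toString();
}

// Full link only when the token was generated on this run; masked link otherwise.
function loginLine(directUrl: string, tokenIsNew: boolean): string {
    return '[Web] Login: ' + (tokenIsNew ? directUrl : maskTokenInUrl(directUrl));
}
```

The visible prefix is capped at a quarter of the token length, so a short token is masked entirely rather than mostly disclosed.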