Theme OAuth error and 404 pages to match homepage styling with VGI logo

Extract shared HTML style constants (_FONT_IMPORTS, _ERROR_PAGE_STYLE,
_VGI_LOGO_HTML) into _common.py and apply the branded theme (Inter/JetBrains
Mono fonts, green color scheme, circular logo, footer) to the OAuth error page
and 404 page, replacing the previous plain system-font styling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: rustyconover

vgi_rpc/http/_common.py

@@ -66,6 +66,44 @@ def _decompress_body(data: bytes) -> bytes:
     return zstandard.ZstdDecompressor().decompress(data)
 
 
+# ---------------------------------------------------------------------------
+# Shared HTML styles for error and landing pages
+# ---------------------------------------------------------------------------
+
+_FONT_IMPORTS = (
+    '<link rel="preconnect" href="https://fonts.googleapis.com">'
+    '<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>'
+    '<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&family=JetBrains+Mono:wght@400;600&display=swap" rel="stylesheet">'  # noqa: E501
+)
+
+_ERROR_PAGE_STYLE = """\
+<style>
+  body {{ font-family: 'Inter', system-ui, -apple-system, sans-serif; max-width: 600px;
+         margin: 0 auto; padding: 60px 20px 0; color: #2c2c1e; text-align: center;
+         background: #faf8f0; }}
+  .logo {{ margin-bottom: 24px; }}
+  .logo img {{ width: 120px; height: 120px; border-radius: 50%;
+               box-shadow: 0 4px 24px rgba(0,0,0,0.12); }}
+  h1 {{ color: #2d5016; margin-bottom: 8px; font-weight: 700; }}
+  code {{ font-family: 'JetBrains Mono', monospace; background: #f0ece0;
+          padding: 2px 6px; border-radius: 3px; font-size: 0.9em; color: #2c2c1e; }}
+  a {{ color: #2d5016; text-decoration: none; }}
+  a:hover {{ color: #4a7c23; }}
+  p {{ line-height: 1.7; color: #6b6b5a; }}
+  .detail {{ margin-top: 12px; padding: 12px 16px; background: #f0ece0;
+             border-radius: 6px; font-size: 0.9em; color: #6b6b5a; }}
+  footer {{ margin-top: 48px; padding: 20px 0; border-top: 1px solid #f0ece0;
+            color: #6b6b5a; font-size: 0.85em; line-height: 1.8; }}
+  footer a {{ color: #2d5016; font-weight: 600; }}
+  footer a:hover {{ color: #4a7c23; }}
+</style>"""
+
+_VGI_LOGO_HTML = """\
+<div class="logo">
+  <img src="https://vgi-rpc-python.query.farm/assets/logo-hero.png" alt="vgi-rpc logo">
+</div>"""
+
+
 class _RpcHttpError(Exception):
     """Internal exception for HTTP-layer errors with status codes."""
 

vgi_rpc/http/_oauth_pkce.py

@@ -36,6 +36,8 @@
 
 from vgi_rpc.rpc import AuthContext
 
+from ._common import _ERROR_PAGE_STYLE, _FONT_IMPORTS, _VGI_LOGO_HTML
+
 logger = logging.getLogger(__name__)
 
 # ---------------------------------------------------------------------------
@@ -71,6 +73,24 @@ def _generate_state_nonce() -> str:
     return secrets.token_urlsafe(24)
 
 
+def _is_jwt_expired(token: str) -> bool:
+    """Check whether a JWT's exp claim is in the past. Returns False if not a JWT or can't decode."""
+    try:
+        parts = token.split(".")
+        if len(parts) < 2:
+            return False
+        # Add padding for base64url
+        payload_b64 = parts[1]
+        payload_b64 += "=" * (-len(payload_b64) % 4)
+        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
+        exp = payload.get("exp")
+        if exp is None:
+            return False
+        return int(time.time()) >= int(exp)
+    except Exception:
+        return False
+
+
 # ---------------------------------------------------------------------------
 # Derived HMAC key — prevents cross-protocol forgery with stream state tokens
 # ---------------------------------------------------------------------------
@@ -367,30 +387,33 @@ def _validate_return_to(url: str, allowed_origins: frozenset[str] = frozenset())
 # Error HTML page
 # ---------------------------------------------------------------------------
 
-_OAUTH_ERROR_HTML = """\
+_OAUTH_ERROR_HTML = (
+    """\
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
-<title>Authentication Error</title>
-<style>
-  body {{ font-family: system-ui, -apple-system, sans-serif; max-width: 600px;
-         margin: 0 auto; padding: 60px 20px; color: #2c2c1e; text-align: center;
-         background: #faf8f0; }}
-  h1 {{ color: #8b0000; }}
-  .detail {{ background: #f0ece0; padding: 12px 20px; border-radius: 6px;
-             font-family: monospace; margin: 20px 0; text-align: left; }}
-  a {{ color: #2d5016; }}
-</style>
+<title>Authentication Error &mdash; vgi-rpc</title>
+"""
+    + _FONT_IMPORTS
+    + _ERROR_PAGE_STYLE
+    + """
 </head>
 <body>
+"""
+    + _VGI_LOGO_HTML
+    + """
 <h1>Authentication Error</h1>
 <p>{message}</p>
 {detail}
 <p><a href="{retry_url}">Try again</a></p>
+<footer>
+  Powered by <a href="https://vgi-rpc.query.farm"><code>vgi-rpc</code></a>
+</footer>
 </body>
 </html>"""
+)
 
 
 def _oauth_error_page(message: str, detail: str | None, retry_url: str) -> bytes:
@@ -700,10 +723,9 @@ def __init__(
     def process_request(self, req: falcon.Request, resp: falcon.Response) -> None:
         """If the user is already authenticated and has _vgi_return_to, redirect immediately.
 
-        This relies on _AuthMiddleware running first (Falcon processes
-        process_request in middleware list order).  If the cookie token is
-        expired or invalid, _AuthMiddleware raises 401 *before* we get here,
-        so we only redirect when the token is genuinely valid.
+        The landing page path is exempt from _AuthMiddleware, so we must
+        check the JWT exp claim ourselves to avoid redirecting with an
+        expired token (which would cause an infinite redirect loop).
         """
         if req.method != "GET":
             return
@@ -714,6 +736,9 @@ def process_request(self, req: falcon.Request, resp: falcon.Response) -> None:
         token = req.cookies.get(_AUTH_COOKIE_NAME)
         if not token:
             return  # Not authenticated — let normal flow handle it
+        # Don't redirect with an expired token — let the OAuth flow run again
+        if _is_jwt_expired(token):
+            return
         # Already authenticated with a return_to — redirect back with the token
         separator = "#" if "#" not in return_to else "&"
         fragment_params = [f"token={token}"]

vgi_rpc/http/_server.py

@@ -83,6 +83,8 @@
 
 from ._common import (
     _ARROW_CONTENT_TYPE,
+    _ERROR_PAGE_STYLE,
+    _FONT_IMPORTS,
     _MAX_UPLOAD_URL_COUNT,
     _UPLOAD_URL_METHOD,
     _UPLOAD_URL_SCHEMA,
@@ -1101,42 +1103,10 @@ def _unpack_and_recover_state(
         return state_obj, output_schema, input_schema
 
 
-# ---------------------------------------------------------------------------
-# Shared HTML styles for error and landing pages
-# ---------------------------------------------------------------------------
-
-_FONT_IMPORTS = (
-    '<link rel="preconnect" href="https://fonts.googleapis.com">'
-    '<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>'
-    '<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&family=JetBrains+Mono:wght@400;600&display=swap" rel="stylesheet">'  # noqa: E501
-)
-
 # ---------------------------------------------------------------------------
 # 404 sink for unmatched routes
 # ---------------------------------------------------------------------------
 
-_ERROR_PAGE_STYLE = """\
-<style>
-  body {{ font-family: 'Inter', system-ui, -apple-system, sans-serif; max-width: 600px;
-         margin: 0 auto; padding: 60px 20px 0; color: #2c2c1e; text-align: center;
-         background: #faf8f0; }}
-  .logo {{ margin-bottom: 24px; }}
-  .logo img {{ width: 120px; height: 120px; border-radius: 50%;
-               box-shadow: 0 4px 24px rgba(0,0,0,0.12); }}
-  h1 {{ color: #2d5016; margin-bottom: 8px; font-weight: 700; }}
-  code {{ font-family: 'JetBrains Mono', monospace; background: #f0ece0;
-          padding: 2px 6px; border-radius: 3px; font-size: 0.9em; color: #2c2c1e; }}
-  a {{ color: #2d5016; text-decoration: none; }}
-  a:hover {{ color: #4a7c23; }}
-  p {{ line-height: 1.7; color: #6b6b5a; }}
-  .detail {{ margin-top: 12px; padding: 12px 16px; background: #f0ece0;
-             border-radius: 6px; font-size: 0.9em; color: #6b6b5a; }}
-  footer {{ margin-top: 48px; padding: 20px 0; border-top: 1px solid #f0ece0;
-            color: #6b6b5a; font-size: 0.85em; line-height: 1.8; }}
-  footer a {{ color: #2d5016; font-weight: 600; }}
-  footer a:hover {{ color: #4a7c23; }}
-</style>"""
-
 _NOT_FOUND_HTML_TEMPLATE = (
     """\
 <!DOCTYPE html>