You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Let the SPA shell (HTML/JS/CSS, /search, /view/<id>, /auth/callback)
load without an auth challenge when OIDC is enabled, so the SPA can
run the redirect itself. API and direct .html/.txt previews stay
gated.
- Suppress WWW-Authenticate: Basic on 401s when OIDC is on, so the
browser's native Basic dialog doesn't pop up on a SPA-side 401.
Basic Auth still works for clients that send the header proactively.
- Add the IdP origin to connect-src in the CSP so the SPA can reach
the discovery / JWKS / token endpoints.
- Drop the duplicate Basic Auth check in websockets.ServeWs — auth is
the middleware's job, and the duplicate broke browser WS upgrades
(browsers can't send Authorization on WS handshakes).
- Move the SPA-side OIDC config to a cached Promise so callers race-
free await the same init. AuthCallbackView does a hard navigation
after exchange so the router guard sees the freshly stored user.
- Store tokens in localStorage so a new tab inherits the session.
- Move the logout button next to "About Mailpit" and show the signed-
in user's name beside it.
0 commit comments