Allow web UI shell without auth

Author: wangzexi

packages/opencode/src/server/shared/public-ui.ts

@@ -1,12 +1,16 @@
-// Static UI assets the browser fetches without app-managed credentials, e.g.
-// the manifest link in <head>. These bypass auth so the page can install/render
-// the manifest icons even when a server password is configured.
+// Static UI shell and assets the browser fetches before app-managed credentials
+// are available. API routes stay protected; the loaded app supplies credentials
+// from its server connection config.
 export const PUBLIC_UI_PATHS = new Set<string>([
+  "/",
+  "/index.html",
   "/site.webmanifest",
   "/web-app-manifest-192x192.png",
   "/web-app-manifest-512x512.png",
 ])
 
 export function isPublicUIPath(method: string, pathname: string) {
-  return method === "GET" && PUBLIC_UI_PATHS.has(pathname)
+  if (method !== "GET" && method !== "HEAD") return false
+  if (PUBLIC_UI_PATHS.has(pathname)) return true
+  return pathname.startsWith("/assets/")
 }

packages/opencode/test/server/httpapi-ui.test.ts

@@ -301,11 +301,25 @@ describe("HttpApi UI fallback", () => {
     expect(response.status).toBe(404)
   })
 
-  test("requires server password for the web UI", async () => {
+  test("serves the web UI shell without auth even when a server password is set", async () => {
     Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
     Flag.OPENCODE_DISABLE_EMBEDDED_WEB_UI = true
 
-    const response = await uiApp({ password: "secret", username: "opencode" }).request("/")
+    const response = await uiApp({
+      password: "secret",
+      username: "opencode",
+      client: httpClient(new Response("<html>opencode</html>", { headers: { "content-type": "text/html" } })),
+    }).request("/")
+
+    expect(response.status).toBe(200)
+    expect(await response.text()).toBe("<html>opencode</html>")
+  })
+
+  test("keeps non-public UI fallback paths protected without auth", async () => {
+    Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
+    Flag.OPENCODE_DISABLE_EMBEDDED_WEB_UI = true
+
+    const response = await uiApp({ password: "secret", username: "opencode" }).request("/session")
 
     expect(response.status).toBe(401)
     expect(response.headers.get("www-authenticate")).toBe('Basic realm="Secure Area"')
@@ -336,16 +350,16 @@ describe("HttpApi UI fallback", () => {
     expect(response.status).toBe(200)
   })
 
-  // Regression for #25698 (Ope): the browser fetches the PWA manifest and
-  // its icons via flows that don't carry app-managed credentials (the
-  // `<link rel="manifest">` request is not under page-auth control), so the
-  // server returning 401 breaks PWA install. These specific public assets
-  // should bypass auth.
-  test("serves the PWA manifest without auth even when a server password is set", async () => {
+  test("serves public UI assets without auth even when a server password is set", async () => {
     Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
     Flag.OPENCODE_DISABLE_EMBEDDED_WEB_UI = true
 
-    for (const path of ["/site.webmanifest", "/web-app-manifest-192x192.png", "/web-app-manifest-512x512.png"]) {
+    for (const path of [
+      "/assets/app.js",
+      "/site.webmanifest",
+      "/web-app-manifest-192x192.png",
+      "/web-app-manifest-512x512.png",
+    ]) {
       const response = await uiApp({
         password: "secret",
         username: "opencode",