fix: update logic to stop auth loop

2026-04-20 23:23:36 +00:00 · 2026-01-27 21:36:00 +11:00 · 2026-01-27 21:36:00 +11:00 · abfbd7b4e0
commit abfbd7b4e0
parent 64c302d30f
4 changed files with 43 additions and 22 deletions
--- a/backend/pycache/app.cpython-311.pyc
+++ b/backend/pycache/app.cpython-311.pyc
--- a/backend/app.py
+++ b/backend/app.py
@ -2445,13 +2445,25 @@ async def verify_turnstile(request: Request):
    auth_token = turnstile_verifier.issue_auth_token()
    print(f"[turnstile] Verification successful, issued auth token")

-    return JSONResponse(
+    # Create response with auth token and set cookie
+    response = JSONResponse(
      {
        "success": True,
        "auth_token": auth_token,
      },
      status_code=200,
    )
+    
+    # Set auth cookie (expires in TURNSTILE_TOKEN_TTL_SECONDS)
+    response.set_cookie(
+      key="meshmap_auth",
+      value=auth_token,
+      max_age=TURNSTILE_TOKEN_TTL_SECONDS,
+      path="/",
+      samesite="lax",
+    )
+    
+    return response

  except json.JSONDecodeError:
    return JSONResponse(
--- a/backend/static/index.html
+++ b/backend/static/index.html
@ -56,26 +56,25 @@
    window.__meshmapStarted = false;
    window.__meshmapReportError = (message) => console.warn(message);
    
-    // Check Turnstile authentication
-    (function() {
-      const turnstileEnabled = document.body.getAttribute('data-turnstile-enabled') === 'true';
-      if (!turnstileEnabled) {
-        console.log('[auth] Turnstile disabled, loading map');
-        return;
-      }
-      
-      // Check for auth token in sessionStorage or localStorage
-      const authToken = sessionStorage.getItem('meshmap_auth_token') || 
-                        localStorage.getItem('meshmap_auth_token');
-      
-      if (!authToken) {
-        console.log('[auth] No auth token found, redirecting to landing');
-        window.location.href = '/';
-        return;
-      }
-      
-      console.log('[auth] Auth token found, loading map');
-    })();
+     // Check Turnstile authentication
+     (function() {
+       const turnstileEnabled = document.body.getAttribute('data-turnstile-enabled') === 'true';
+       if (!turnstileEnabled) {
+         console.log('[auth] Turnstile disabled, loading map');
+         return;
+       }
+       
+       // If this is the landing page (has Turnstile container), don't do auth check
+       // The frontend will handle Turnstile verification
+       const isTurnstileContainer = document.getElementById('turnstile-container');
+       if (isTurnstileContainer) {
+         console.log('[auth] On landing page with Turnstile widget');
+         return;
+       }
+       
+       // This is the map page - server already verified auth, just log
+       console.log('[auth] On map page, server verified authentication');
+     })();
  </script>
  <div class="hud">
    <div class="hud-header">
--- a/backend/static/turnstile.js
+++ b/backend/static/turnstile.js
@ -182,7 +182,17 @@ const TurnstileAuth = {
        this.log(4, 'Token verified successfully');
        this.showSuccess();
        
-        // Store the auth token
+        // Store the auth token in cookie (sent with every request)
+        // Set with expires in 24 hours (86400 seconds)
+        const expiresIn = 86400;
+        const d = new Date();
+        d.setTime(d.getTime() + (expiresIn * 1000));
+        const expires = d.toUTCString();
+        document.cookie = `meshmap_auth=${data.auth_token}; expires=${expires}; path=/; SameSite=Lax`;
+        
+        this.log(4, `Cookie set: meshmap_auth`);
+        
+        // Also store in sessionStorage/localStorage for client-side checks
        sessionStorage.setItem('meshmap_auth_token', data.auth_token);
        localStorage.setItem('meshmap_auth_token', data.auth_token);