fix(openbao-ui): handle OIDC callback without Ember popup flow

OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
This commit is contained in:
tegwick 2026-06-19 21:18:34 +02:00
parent 520c7ea2c0
commit 50799938db
8 changed files with 205 additions and 2 deletions

View file

@ -21,6 +21,26 @@
let overlayApplied = false;
let signInHandlerInstalled = false;
function hasStoredSession() {
try {
return Object.keys(window.localStorage).some((key) =>
key.startsWith("vault-")
);
} catch (_error) {
return false;
}
}
function isUiEntryPath() {
const path = window.location.pathname;
return path === "/ui" || path === "/ui/";
}
function redirectUnauthenticatedUiEntry() {
if (!isUiEntryPath() || hasStoredSession()) return;
window.location.replace("/ui/vault/auth");
}
function isAuthPage() {
const path = window.location.pathname;
return (
@ -240,6 +260,7 @@
}
async function init() {
redirectUnauthenticatedUiEntry();
if (!isAuthPage() || isOidcCallbackPage()) return;
await loadPresets();