Stop OpenBao login redirect loop by removing URL rewriting

Remove redirect-bootstrap and mount polling that fought Ember's token
fallback. Keep cosmetic overlay and direct KeyCape OIDC on sign-in only.
This commit is contained in:
tegwick 2026-06-19 21:07:37 +02:00
parent 64d7c18c3f
commit 80648a78b7
6 changed files with 8 additions and 95 deletions

View file

@ -31,7 +31,7 @@ behaviour.
| `VERSION` | OpenBao image tag this overlay targets (`openbao-values.yaml`) |
| `presets.json` | Hidden login defaults (`netkingdom`, `platform-admin`, …) |
| `overlay.css` | Hide raw OpenBao login fields |
| `overlay.js` | Apply presets, branding, mount deep-link |
| `overlay.js` | Apply presets, branding, direct KeyCape OIDC sign-in |
| `nginx.conf` | Gateway proxy + HTML injection |
| `patches/<version>/manifest.sha256` | Upstream UI fingerprints for drift detection |

View file

@ -49,7 +49,7 @@ http {
sub_filter_types text/html;
sub_filter_once on;
sub_filter '</head>' '<script src="/ui/platform-overlay/redirect-bootstrap.js"></script><link rel="stylesheet" href="/ui/platform-overlay/overlay.css"><script src="/ui/platform-overlay/overlay.js"></script></head>';
sub_filter '</head>' '<link rel="stylesheet" href="/ui/platform-overlay/overlay.css"><script src="/ui/platform-overlay/overlay.js" defer></script></head>';
}
}
}

View file

@ -4,8 +4,6 @@
const PRESETS_URL = "/ui/platform-overlay/presets.json";
const MAX_APPLY_ATTEMPTS = 40;
const APPLY_INTERVAL_MS = 250;
const MOUNT_WATCH_MS = 500;
const MOUNT_WATCH_MAX = 24;
const DEFAULT_PRESETS = {
namespace: "",
method: "oidc",
@ -20,7 +18,6 @@
let presets = { ...DEFAULT_PRESETS };
let applyAttempts = 0;
let applyTimer = null;
let mountWatchTimer = null;
let overlayApplied = false;
let signInHandlerInstalled = false;
@ -32,38 +29,8 @@
);
}
function normalizedMount(value) {
return (value || "").replace(/\/$/, "");
}
function desiredMount() {
return normalizedMount(presets.mount || "netkingdom");
}
function currentMountFromQuery() {
return normalizedMount(
new URLSearchParams(window.location.search).get("with") || ""
);
}
function ensureAuthMountSelected() {
const mount = desiredMount();
const current = currentMountFromQuery();
if (current === mount || current === "keycape") {
return false;
}
if (!isAuthPage() || window.location.pathname.includes("/oidc/")) {
return false;
}
const params = new URLSearchParams(window.location.search);
params.set("with", `${mount}/`);
window.location.replace(
`${window.location.pathname}?${params.toString()}`
);
return true;
function isOidcCallbackPage() {
return window.location.pathname.includes("/oidc/");
}
function hideNode(node) {
@ -121,7 +88,7 @@
document.addEventListener(
"click",
(event) => {
if (!isAuthPage()) return;
if (!isAuthPage() || isOidcCallbackPage()) return;
const button = event.target.closest(
'#auth-submit, button[data-test="auth-submit"], form#auth-form button[type="submit"]'
@ -151,7 +118,7 @@
}
function applyDom() {
if (!isAuthPage() || overlayApplied) return false;
if (!isAuthPage() || isOidcCallbackPage() || overlayApplied) return false;
hideNode(document.querySelector(".toolbar-namespace-picker"));
document
@ -245,25 +212,6 @@
}
}
function stopMountWatch() {
if (mountWatchTimer !== null) {
window.clearInterval(mountWatchTimer);
mountWatchTimer = null;
}
}
function watchAuthMount() {
stopMountWatch();
let checks = 0;
mountWatchTimer = window.setInterval(() => {
checks += 1;
if (ensureAuthMountSelected() || checks >= MOUNT_WATCH_MAX) {
stopMountWatch();
}
}, MOUNT_WATCH_MS);
}
function scheduleApply() {
stopApplyLoop();
applyAttempts = 0;
@ -292,15 +240,9 @@
}
async function init() {
if (!isAuthPage()) return;
if (!isAuthPage() || isOidcCallbackPage()) return;
await loadPresets();
if (ensureAuthMountSelected()) {
return;
}
watchAuthMount();
installKeyCapeSignInHandler();
if (document.readyState === "loading") {

View file

@ -1,23 +0,0 @@
(function () {
"use strict";
var path = window.location.pathname;
if (path.indexOf("/oidc/") !== -1) {
return;
}
if (!/\/ui\/vault\/auth(?:\/|$)/.test(path) && !/\/ui\/?$/.test(path)) {
return;
}
var params = new URLSearchParams(window.location.search);
var current = (params.get("with") || "").replace(/\/$/, "");
if (current === "netkingdom" || current === "keycape") {
return;
}
params.set("with", "netkingdom/");
window.location.replace(
window.location.pathname + "?" + params.toString()
);
})();