@Nightbr Nightbr commented Jan 12, 2026

resolves #653

🚀 Auto-Login Feature Summary

What's New

  • 🔐 Auto-Login Configuration - New environment variables to enable automatic authentication:
    • AUTO_LOGIN_ENABLE - Enable/disable auto-login (default: false)
    • AUTO_LOGIN_USERNAME - Username for auto-login (default: arcane)
  • 🌐 New API Endpoints:
    • GET /api/auth/auto-login-config - Returns auto-login status and username (never exposes password)
    • POST /api/auth/auto-login - Performs authentication using server-configured credentials
  • 🖥️ Frontend Auto-Login Flow - Automatically logs in users when:
    • User is not authenticated
    • Auto-login is enabled on the backend
    • Local authentication is enabled
  • 🔓 Password Change Dialog Skipped - When auto-login is enabled, the "change password" dialog is automatically bypassed
  • ⚠️ Security Warning Logs - Backend logs warnings at startup when auto-login is enabled

🧪 Testing Guide

1. Configure Environment Variables

Add the following to your .env file or docker/compose.dev.yaml:64:

```yaml
# Auto-login for development - automatically logs in with default credentials
# WARNING: Never enable in production!
- AUTO_LOGIN_ENABLE=true
- AUTO_LOGIN_USERNAME=arcane
- AUTO_LOGIN_PASSWORD=arcane-admin
```

2. Start the dev env

```bash
./scripts/development/dev.sh start
```

3. Verify Backend Configuration

Test that the backend returns the correct config:

```bash
curl -s http://localhost:3552/api/auth/auto-login-config | jq .
```

Expected response:

```json
{
  "success": true,
  "data": {
    "enabled": true,
    "username": "arcane"
  }
}
```

4. Test Auto-Login Endpoint

```bash
curl -s -X POST http://localhost:3000/api/auth/auto-login | jq .
```

Expected response:

```json
{
  "success": true,
  "data": {
    "token": "eyJ...",
    "refreshToken": "eyJ...",
    "expiresAt": "...",
    "user": {
      "id": "...",
      "username": "arcane",
      "displayName": "Arcane Admin",
      ...
    }
  }
}
```

5. Test Frontend Auto-Login

  1. Open browser DevTools (F12) → Application → Session Storage
  2. Clear any arcane_auto_login_disabled key if present
  3. Clear cookies to ensure you're logged out
  4. Navigate to http://localhost:3000
  5. You should be automatically logged in without seeing the login page

6. Test Disabled State

Set AUTO_LOGIN_ENABLE=false and restart:

```bash
curl -s http://localhost:3000/api/auth/auto-login-config | jq .
```

Expected:

```json
{
  "success": true,
  "data": {
    "enabled": false,
    "username": ""
  }
}
```

7. Test Auto-Login After Logout

  1. Log out from the application
  2. You should be automatically logged back in (since auto-login is enabled)
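The backend behaviour the PR description above lays out (AUTO_LOGIN_* read from the environment, a config endpoint that reports status and username but never the password, auto-login reported as disabled when local authentication is off, and a warning at startup) as a stand-alone Go sketch. This is an added example, not code from the PR or from the Arcane project: the type and function names (AutoLoginConfig, loadAutoLoginConfig, publicAutoLoginConfig, warnIfAutoLoginEnabled, configJSON) and the refusal to enable auto-login when no password is configured are assumptions of this example, not something the PR states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

// AutoLoginConfig is the server-side view of the AUTO_LOGIN_* variables.
// Password carries `json:"-"`, so no response built from this struct can
// serialize it even by accident. (Illustrative type; not the project's own.)
type AutoLoginConfig struct {
	Enabled  bool   `json:"enabled"`
	Username string `json:"username"`
	Password string `json:"-"`
}

// AutoLoginConfigResponse is the body of GET /api/auth/auto-login-config:
// the enabled flag and the username, nothing else.
type AutoLoginConfigResponse struct {
	Enabled  bool   `json:"enabled"`
	Username string `json:"username"`
}

// loadAutoLoginConfig reads the variables with the defaults the PR gives
// (AUTO_LOGIN_ENABLE=false, AUTO_LOGIN_USERNAME=arcane). getenv is injected
// so the function can be exercised without touching the real environment.
func loadAutoLoginConfig(getenv func(string) string) AutoLoginConfig {
	enabled := strings.EqualFold(strings.TrimSpace(getenv("AUTO_LOGIN_ENABLE")), "true")
	username := strings.TrimSpace(getenv("AUTO_LOGIN_USERNAME"))
	if username == "" {
		username = "arcane"
	}
	return AutoLoginConfig{
		Enabled:  enabled,
		Username: username,
		Password: getenv("AUTO_LOGIN_PASSWORD"),
	}
}

// publicAutoLoginConfig derives what the config endpoint may reveal. When the
// feature is off, local authentication is disabled, or (an extra check added
// here, not stated in the PR) no password is configured, the endpoint reports
// enabled=false with an empty username, so nothing about the account leaks.
func publicAutoLoginConfig(cfg AutoLoginConfig, localAuthEnabled bool) AutoLoginConfigResponse {
	if !cfg.Enabled || !localAuthEnabled || cfg.Password == "" {
		return AutoLoginConfigResponse{Enabled: false, Username: ""}
	}
	return AutoLoginConfigResponse{Enabled: true, Username: cfg.Username}
}

// warnIfAutoLoginEnabled is the startup warning. logf is injected (log.Printf
// in production) and the bool reports whether a warning was emitted.
func warnIfAutoLoginEnabled(cfg AutoLoginConfig, logf func(string, ...any)) bool {
	if !cfg.Enabled {
		return false
	}
	logf("WARNING: AUTO_LOGIN_ENABLE=true: POST /api/auth/auto-login issues a session for %q to any caller. Never run this in production.", cfg.Username)
	return true
}

// configJSON marshals any config value the way a handler would; used to show
// that the internal struct cannot leak the secret.
func configJSON(v any) string {
	b, err := json.Marshal(v)
	if err != nil {
		return ""
	}
	return string(b)
}

func main() {
	// Constructed environment standing in for the docker/compose.dev.yaml
	// values from the PR's testing guide.
	env := map[string]string{
		"AUTO_LOGIN_ENABLE":   "true",
		"AUTO_LOGIN_USERNAME": "arcane",
		"AUTO_LOGIN_PASSWORD": "arcane-admin",
	}
	cfg := loadAutoLoginConfig(func(k string) string { return env[k] })
	warnIfAutoLoginEnabled(cfg, log.Printf)

	for _, localAuth := range []bool{true, false} {
		fmt.Printf("localAuth=%v -> %s\n", localAuth, configJSON(publicAutoLoginConfig(cfg, localAuth)))
	}
	fmt.Println("internal struct marshaled:", configJSON(cfg))
}
```

With local auth on the response is `{"enabled":true,"username":"arcane"}`; with it off, `{"enabled":false,"username":""}`, matching the two expected responses in the testing guide. Marshaling the internal struct yields the same two fields and never the password, which is the property the summary's "never exposes password" claim rests on.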


Greptile Summary

Adds auto-login functionality for development and testing environments, allowing users to bypass the login screen when configured via environment variables.

Key Changes:

  • Backend adds AUTO_LOGIN_ENABLE, AUTO_LOGIN_USERNAME, and AUTO_LOGIN_PASSWORD environment variables
  • Two new API endpoints: GET /api/auth/auto-login-config (returns enabled status and username) and POST /api/auth/auto-login (performs authentication)
  • Frontend automatically attempts auto-login on app load when enabled and user is not authenticated
  • Password change dialog and logout buttons are hidden when auto-login is active
  • Session storage caching prevents redundant API calls for auto-login config
  • Comprehensive test coverage for both backend service and handler layers
  • Security warnings logged at startup when auto-login is enabled

Security Considerations:

  • Password is never exposed through the config API endpoint
  • AutoLoginPassword field has options:"file" tag for proper masking in logs
  • Auto-login is disabled if local authentication is disabled
  • Clear documentation warns against production use

Confidence Score: 4/5

  • Safe to merge with minor fix needed for log message
  • Well-implemented feature with strong security practices (password masking, never exposing credentials via API), comprehensive test coverage, and clear documentation. Only issue is a copy-pasted error message. The feature properly gates auto-login behind local auth checks and logs appropriate warnings.
  • backend/internal/utils/bootstrap_util.go needs the error message fixed

Important Files Changed

| Filename | Overview |
|---|---|
| backend/internal/utils/bootstrap_util.go | Added auto-login initialization with security warnings; minor copy-paste error in log message |
| backend/internal/huma/handlers/auth.go | Added auto-login config and login endpoints with proper security checks |
| backend/internal/services/auth_service.go | Implemented auto-login config getter with local auth validation and password getter for internal use |
| frontend/src/lib/services/auth-service.ts | Added methods to fetch auto-login config and attempt auto-login with proper error handling |
| frontend/src/routes/+layout.ts | Integrated auto-login flow during app initialization with proper caching |

@Nightbr Nightbr requested a review from a team January 12, 2026 21:37
@greptile-apps greptile-apps bot left a comment


8 files reviewed, 8 comments


greptile-apps bot commented Jan 12, 2026

Additional Comments (2)

backend/internal/services/auth_service.go (line 621)
Debug log statement left in production code. This will log on every token generation (every login, token refresh) and should be removed.

```go
	accessTokenExpiry := time.Now().Add(time.Duration(sessionTimeout) * time.Minute)
```

frontend/src/lib/services/auth-service.ts (lines 195-198)
The `logout()` method doesn't clear the `AUTO_LOGIN_DISABLED_KEY` from sessionStorage. This means if auto-login is disabled on first load but then gets enabled later (e.g., in a dev/test environment), the frontend will continue to skip auto-login checks until the session storage is manually cleared or the browser is restarted.

Consider clearing this key on logout to ensure auto-login status is re-checked after logging back in:

```typescript
logout(): void {
	this.clearTokenData();
	userStore.clearUser();
	try {
		sessionStorage.removeItem('arcane_auto_login_disabled');
	} catch {
		// Ignore storage errors
	}
}
```


@kmendell kmendell left a comment


Few things I've noticed off the bat. I don't have time to fully review, but this should give you a starting point.

```go
	Tags: []string{"Auth"},
}, h.GetAutoLoginConfig)

huma.Register(api, huma.Operation{
```
Member

We should be able to use the existing auth/login endpoint for this no?

Author

We could but I think it is better to isolate the auto-login logic from the login one to avoid any side effect or complexity on the login logic.

As you prefer, I can refactor to include the logic in the login func handler.

Member

I moreover meant for the actual login, as it does the same thing, I would assume; it should just post with the given variables instead of the ones passed via the form?

Author

@Nightbr Nightbr Jan 13, 2026

Feel free to commit and push on this to move forward 👌

@Nightbr Nightbr requested a review from kmendell January 13, 2026 11:11
@kmendell

@greptileai

@greptile-apps greptile-apps bot left a comment


18 files reviewed, 1 comment


@github-actions

This pull request has merge conflicts. Please resolve the conflicts so the PR can stay up-to-date and reviewed.

Member

I will continue reviewing this soon. Probably for 1.14.0


@kmendell kmendell changed the base branch from main to release/v1.14.0 January 19, 2026 00:03
@kmendell

I've been thinking about this more and the risk is just too high for my liking to stick with just env variables to enable this. So my thinking is this:

  • Remove the AUTO_LOGIN_ENABLE env
  • Add a 'feature flag' to the built-in CLI that would enable it.

This would require whoever would want to use this feature to build a custom image in order to enable it, therefore requiring a lot more work for an attacker if that were the case.

@Nightbr

Nightbr commented Jan 20, 2026

> I've been thinking about this more and the risk is just too high for my liking to stick with just env variables to enable this. So my thinking is this:
>
> * Remove the AUTO_LOGIN_ENABLE env
> * Add a 'feature flag' to the built-in CLI that would enable it.
>
> This would require whoever would want to use this feature to build a custom image in order to enable it, therefore requiring a lot more work for an attacker if that were the case.

Clearly this is more secure; you can also build another image with a tag prefix "auto-login-*". Could be a good use case for a Golang build tag (build constraint) to have the API version with auto-login or not at build time.

@kmendell

Good point, build tags may work too. However, my main thing is I wouldn't publish the images; then there's no "safeguard": if an attacker would want to try, they would have to go through more work by building their own thing, is where I'm coming from.
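The build-time gate the two comments above converge on, as an added Go example that is not the project's code. In place of a Go build tag it uses a link-time variable set with `-ldflags "-X ..."`, a simpler relative of the build-constraint approach Nightbr mentions that fits in one file; the names autoLoginBuild, autoLoginPermitted, newAuthMux and probe are assumptions of this example. It also shows the consequence kmendell is after: in a stock build the auto-login route is never registered, so a runtime AUTO_LOGIN_ENABLE=true has nothing to switch on and the path simply does not exist.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// autoLoginBuild is a link-time flag. It is "false" in source and can only be
// flipped by whoever builds the binary:
//
//	go build -ldflags "-X main.autoLoginBuild=true" .
//
// Published images are built without it, so no runtime setting can enable
// the feature in them. (Illustrative name; the project has no such variable.)
var autoLoginBuild = "false"

// autoLoginPermitted is the single decision point. The build flag is checked
// first, so in a stock build the runtime setting is never even consulted.
// The reason string lets an operator see which gate refused.
func autoLoginPermitted(buildFlag string, runtimeEnabled bool) (bool, string) {
	if buildFlag != "true" {
		return false, "binary was not built with the auto-login flag"
	}
	if !runtimeEnabled {
		return false, "AUTO_LOGIN_ENABLE is not set"
	}
	return true, ""
}

// newAuthMux wires the auth routes. The auto-login handler is registered only
// when the gate passes; otherwise the path does not exist (404) rather than
// existing and answering "disabled", so there is no code path to probe.
func newAuthMux(buildFlag string, runtimeEnabled bool) *http.ServeMux {
	mux := http.NewServeMux()
	if ok, _ := autoLoginPermitted(buildFlag, runtimeEnabled); ok {
		mux.HandleFunc("/api/auth/auto-login", func(w http.ResponseWriter, r *http.Request) {
			if r.Method != http.MethodPost {
				w.WriteHeader(http.StatusMethodNotAllowed)
				return
			}
			// In the real project the handler would authenticate the configured
			// user and return a token here; this example only demonstrates the
			// gating, so no session is issued.
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"success":true,"data":{"gate":"open"}}`)
		})
	}
	return mux
}

// probe sends an in-memory request to the mux and returns the status code.
func probe(mux *http.ServeMux, method, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	cases := []struct {
		build   string
		runtime bool
	}{{"false", true}, {"true", false}, {"true", true}}
	for _, c := range cases {
		ok, reason := autoLoginPermitted(c.build, c.runtime)
		code := probe(newAuthMux(c.build, c.runtime), http.MethodPost, "/api/auth/auto-login")
		fmt.Printf("build=%s runtime=%v -> permitted=%v %q HTTP %d\n", c.build, c.runtime, ok, reason, code)
	}
	fmt.Println("this binary's link-time flag:", autoLoginBuild)
}
```

Run as-is the binary prints HTTP 404 for the first two cases and 200 for the last; only a build passed `-ldflags "-X main.autoLoginBuild=true"` reports a flag of `true` for itself. A true build constraint (`//go:build autologin` on the file that registers the route) gives the same property with the route's code absent from the binary entirely, which is the stronger form if the project wants it.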

@codecov

codecov bot commented Jan 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@kmendell kmendell deleted the branch getarcaneapp:release/v1.14.0 January 21, 2026 18:49
@kmendell kmendell closed this Jan 21, 2026
@kmendell

@Nightbr Well that's annoying... can you reopen this against main for me please?

@Nightbr

Nightbr commented Jan 21, 2026

> @Nightbr Well that's annoying... can you reopen this against main for me please?

Here you go #1556

Successfully merging this pull request may close these issues.

⚡️ Feature: Ability to disable login entirely.

2 participants