From 990ac44108e414eadece7f90dc6e5747a91f58e4 Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 17:06:27 +0000
Subject: [PATCH] Support return_to redirect with token for iOS Safari

Login page accepts return_to URL. After login, redirects to return_to with auth_token in URL so target site can set its own first-party cookie (works around iOS Safari ITP).

Co-Authored-By: Claude Opus 4.5
---
 server.py | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/server.py b/server.py
index e199903..afc84f8 100644
--- a/server.py
+++ b/server.py
@@ -358,8 +358,8 @@ def format_date(value, length: int = 10) -> str:
 # ============ Auth UI Endpoints ============
 @app.get("/login", response_class=HTMLResponse)
-async def ui_login_page(request: Request):
- """Login page."""
+async def ui_login_page(request: Request, return_to: str = None):
+ """Login page. Accepts optional return_to URL for redirect after login."""
 username = get_user_from_cookie(request)
 if username:
 return HTMLResponse(base_html("Already Logged In", f'''
@@ -369,10 +369,14 @@ async def ui_login_page(request: Request):

Go to home page

''', username))
- content = '''
+ # Hidden field for return_to URL
+ return_to_field = f'' if return_to else ''
+
+ content = f'''

Login

+ {return_to_field}
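Review bot: `return_to` comes from the query string and is interpolated into the login form through `{return_to_field}` inside an f-string, so it has to be HTML-escaped before it reaches the page; the field's markup is not visible in this rendering, so confirm whether that already happens. If the value lands in an attribute unescaped, a quote character in it ends the attribute and the remainder is parsed as markup on the login page itself. Build the field from `html.escape(return_to, quote=True)`, and reject a `return_to` that is not an approved destination at this point too, so the form never carries an unvetted URL into the POST handler. `ui_login_page` starts in the previous hunk and continues past this one.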
Username and password are required
')
@@ -408,10 +413,22 @@ async def ui_login_submit(request: Request):
 token = create_access_token(user.username, l2_server=f"https://{DOMAIN}")
- response = HTMLResponse(f'''
-
Login successful! Redirecting...
-
- ''')
+ # If return_to is specified, redirect there with token for the other site to set its own cookie
+ if return_to and return_to.startswith("http"):
+ # Append token to return_to URL for the target site to set its own cookie
+ separator = "&" if "?" in return_to else "?"
+ redirect_url = f"{return_to}{separator}auth_token={token.access_token}"
+ response = HTMLResponse(f'''
+
Login successful! Redirecting...
+
+ ''')
+ else:
+ response = HTMLResponse(f'''
+
Login successful! Redirecting...
+
+ ''')
+
+ # Always set cookie on L2 as well
 response.set_cookie(
 key="auth_token",
 value=token.access_token,
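Review bot: The only check on `return_to` is `return_to.startswith("http")`, which accepts any origin (and plain `http://`), so whoever supplies the login link decides where the freshly issued `token.access_token` is delivered. Restrict the destination to an explicit allowlist of HTTPS hosts, compared on the parsed hostname rather than a string prefix; `ALLOWED_RETURN_HOSTS` below is a proposed setting, not an existing name, and the `urllib.parse` helpers would need importing. A token placed in a URL also ends up in browser history, server logs and `Referer` headers, so a short-lived single-use code that the target site exchanges server-side would be safer than the access token itself. The redirect markup is not visible in this rendering; if `redirect_url` is written into a script, serialise it with `json.dumps` instead of interpolating it raw. `ui_login_submit` starts above this hunk and continues past it.

```python
# … unchanged: token = create_access_token(...) …
try:
    target = urlsplit(return_to) if return_to else None
except ValueError:
    target = None  # malformed URL: fall back to the local redirect

if target and target.scheme == "https" and target.hostname in ALLOWED_RETURN_HOSTS:
    # Rebuild the query instead of concatenating, so a #fragment or existing parameters stay intact
    params = parse_qsl(target.query, keep_blank_values=True)
    params.append(("auth_token", token.access_token))
    redirect_url = urlunsplit(target._replace(query=urlencode(params)))
    # … unchanged: HTMLResponse that redirects to redirect_url …
else:
    # … unchanged: existing local redirect response …
```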