Silent SSO via sso_hint cookie

- Federation sets sso_hint=1 on .rose-ash.com after magic link login - Client apps: before_request checks sso_hint, triggers silent OAuth once per session (sso_checked flag prevents loops) - Logout clears sso_hint cookie on all apps Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 11:23:26 +00:00
parent d0a5170cd9
commit bfd8d55f27
2 changed files with 23 additions and 3 deletions
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -5,7 +5,7 @@ import os
 from pathlib import Path
 from typing import Callable, Awaitable, Sequence

-from quart import Quart, request, g, send_from_directory
+from quart import Quart, request, g, redirect, send_from_directory

 from shared.config import init_config, config, pretty
 from shared.models import KV  # ensure shared models imported
@@ -122,6 +122,24 @@ def create_base_app(
        for fn in before_request_fns:
            app.before_request(fn)

+    # Silent SSO: if federation set sso_hint cookie, trigger OAuth once
+    if name != "federation":
+        from urllib.parse import quote as _quote
+
+        @app.before_request
+        async def _sso_check():
+            from quart import session as qs
+            if request.path.startswith("/auth/"):
+                return
+            if qs.get("uid"):
+                return
+            if qs.get("sso_checked"):
+                return
+            if not request.cookies.get("sso_hint"):
+                return
+            qs["sso_checked"] = True
+            return redirect(f"/auth/login/?next={_quote(request.url, safe='')}")
+
    @app.before_request
    async def _csrf_protect():
        await protect()