diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index 85053dd..e17be27 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md @@ -518,6 +518,25 @@ Verified current live state on monk before making changes: - public repeated asset check over `https://status.kitestacks.com/assets/index-BBxTfFCS.js` found `transports:["websocket"]` 6/6, confirming both tunnel backends serve the patched client bundle. +- User still saw the same issue after trying another browser. Follow-up: + websocket connections were reaching Kuma, but logs showed no `Login by token`, + so the handoff from Authentik callback to Kuma storage was unreliable. Changed + the SSO callback from `/?authentik_token=` URL handoff to a short-lived + readable cookie `uk_authentik_token` plus redirect directly to `/dashboard`. + Updated injected HTML to read that cookie before Kuma initializes, store the + token in `localStorage.token`, set `localStorage.remember=1`, then delete the + cookie. This avoids long-token URL handling. +- Important operational gotcha: Uptime Kuma caches `index.html` in memory at + startup. After changing the mounted `index.html`/compressed variants, `docker + compose up -d` was not enough because containers stayed "Running"; had to run + `docker compose restart uptime-kuma` on BOTH monk and kscloud1 to reload the + HTML into memory. +- Verification after cookie handoff + explicit restarts: + - monk local `/dashboard` HTML contains `uk_authentik_token`, `authentik_token`, + and `Sign in with Authentik`. + - kscloud1 local `/dashboard` HTML contains the same. + - public repeated check for `uk_authentik_token` over + `https://status.kitestacks.com/dashboard` returned `cookie-handoff` 6/6. Important security hygiene: local git remote for `~/claude-memory` contains an HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in
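Review bot: The first added bullet calls `uk_authentik_token` a "short-lived readable cookie" but records neither its lifetime nor its attributes. Because it carries the login token and has to be readable by the injected script (so it cannot be HttpOnly), the entry should state the Max-Age and whether Secure, SameSite and Path are set, so a later reader can judge the exposure window before the cookie is deleted. The verification bullets also only confirm that the `/dashboard` HTML contains the expected strings on monk, kscloud1 and the public URL. The symptom recorded in this same entry was that the logs showed no `Login by token`, so add a line noting whether `Login by token` now appears in the Kuma logs after an SSO login, since that is the check that shows the handoff works end to end.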