fix(FR-2574): fix sToken SSO login on root URL

Three bugs prevented sToken-based SSO login from working on /?sToken=...:

1. Race condition: useLoginOrchestration fired before apiEndpoint state
   was populated, causing connectUsingSession to bail on empty endpoint.
   Fix: gate orchestration on both isConfigLoaded AND apiEndpoint.

2. Full page reload: window.location.href='/' after tokenLogin stripped
   the sToken and caused a second load without credentials.
   Fix: replace with in-React post-connection setup + history.replaceState.

3. Missing session persistence: token_login() didn't save _loginSessionId
   to localStorage, so check_login() failed after page refresh.
   Fix: add localStorage.setItem in token_login() success path.

Resolves #6692(FR-2574)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: nowgnuesLee

react/src/components/LoginView.tsx

@@ -336,25 +336,20 @@ const LoginView: React.FC<{
     localStorage.removeItem('backendaiwebui.login.password');
   }, []);
 
-  const doGQLConnect = useCallback(
-    async (client: ReturnType<typeof createBackendAIClient>['client']) => {
-      // Read directly from Jotai store to get the latest config synchronously,
-      // including any merged webserver config from loadConfigFromWebServer().
-      // Using configRef.current here would return stale config because React
-      // hasn't re-rendered yet after the Jotai atom update.
-      const cfg = jotaiStore.get(loginConfigState) ?? configRef.current;
+  // Shared post-connection setup used by both the regular session login
+  // (doGQLConnect) and the sToken SSO path. Keeps the two flows consistent:
+  // login_attempt/last_login counters, saved-credentials cleanup, panel
+  // close, connected-event dispatch, and endpoint persistence.
+  const postConnectSetup = useCallback(
+    (client: ReturnType<typeof createBackendAIClient>['client']) => {
       const currentTime = Math.floor(Date.now() / 1000);
-
       (globalThis as any).backendaioptions.set(
         'last_login',
         currentTime,
         'general',
       );
       (globalThis as any).backendaioptions.set('login_attempt', 0, 'general');
 
-      const updatedEndpoints = await connectViaGQL(client, cfg, endpoints);
-      setEndpoints(updatedEndpoints);
-
       const event = new CustomEvent('backend-ai-connected', {
         detail: client,
       });
@@ -374,16 +369,15 @@ const LoginView: React.FC<{
       clearSavedLoginInfo();
       // Read the endpoint from the connected client to avoid stale closure
       // values. When handleLogin calls setApiEndpoint(ep) then immediately
-      // invokes connectUsingSession, the doGQLConnect closure still captures
-      // the OLD apiEndpoint (often "" on first launch). The client object
-      // always has the correct endpoint that was used for the connection.
+      // invokes connectUsingSession, the closure still captures the OLD
+      // apiEndpoint (often "" on first launch). The client object always
+      // has the correct endpoint that was used for the connection.
       const connectedEndpoint =
         (globalThis as any).backendaiclient?._config?.endpoint || apiEndpoint;
       localStorage.setItem('backendaiwebui.api_endpoint', connectedEndpoint);
       setPluginApiEndpoint(connectedEndpoint);
     },
     [
-      endpoints,
       close,
       clearSavedLoginInfo,
       apiEndpoint,
@@ -392,6 +386,22 @@ const LoginView: React.FC<{
     ],
   );
 
+  const doGQLConnect = useCallback(
+    async (client: ReturnType<typeof createBackendAIClient>['client']) => {
+      // Read directly from Jotai store to get the latest config synchronously,
+      // including any merged webserver config from loadConfigFromWebServer().
+      // Using configRef.current here would return stale config because React
+      // hasn't re-rendered yet after the Jotai atom update.
+      const cfg = jotaiStore.get(loginConfigState) ?? configRef.current;
+
+      const updatedEndpoints = await connectViaGQL(client, cfg, endpoints);
+      setEndpoints(updatedEndpoints);
+
+      postConnectSetup(client);
+    },
+    [endpoints, postConnectSetup],
+  );
+
   const connectUsingSession = useCallback(
     async (showError = true, endpointOverride?: string) => {
       const ep = (endpointOverride ?? apiEndpoint).trim();
@@ -455,11 +465,26 @@ const LoginView: React.FC<{
             endpoints,
           );
           setEndpoints(updatedEndpoints);
-          window.location.href = '/';
+
+          // tokenLogin already called connectViaGQL internally; reuse the
+          // shared post-connect helper to stay in sync with the regular
+          // session-login path (login_attempt/last_login, clearSavedLoginInfo,
+          // forceLoginApprovedRef reset, panel close, endpoint persistence).
+          postConnectSetup(client);
+
+          // Strip the sToken from the URL so it doesn't leak into browser
+          // history or get re-processed on refresh.
+          window.history.replaceState({}, '', '/');
           return;
-        } catch {
+        } catch (err) {
+          logger.error('tokenLogin failed', err);
           notification(t('eduapi.CannotAuthorizeSessionByToken'));
-          window.location.href = '/';
+          // Previously a hard reload cleared the UI; now we must restore
+          // the login panel ourselves so the user isn't stuck in a loading
+          // or blocked state.
+          setIsBlockPanelOpen(false);
+          open();
+          setIsLoading(false);
           return;
         }
       }

react/src/hooks/useLoginOrchestration.ts

@@ -204,9 +204,34 @@ export function useLoginOrchestration({
   });
 
   useEffect(() => {
+    // Wait until config is loaded before running the orchestration.
+    //
+    // When apiEndpoint is temporarily empty due to effect ordering
+    // (setApiEndpoint() in LoginView runs in a separate useEffect on the
+    // same render cycle), we want to avoid a premature silent session-login
+    // attempt because connectUsingSession would receive an empty endpoint
+    // and bail out before reaching the sToken check.
+    //
+    // However, an empty api_endpoint can also be intentional: the user may
+    // need to enter it manually in the login UI. In that case the
+    // orchestrator must still run so it can open the login panel.
+    //
+    // Therefore, only defer orchestration for a missing endpoint when a
+    // stored sToken exists (or one arrives via URL) and a silent login or
+    // SSO flow may be attempted. On Electron we still allow an empty
+    // apiEndpoint because the orchestrator falls back to the
+    // localStorage-persisted endpoint.
+    const isElectron = !!(globalThis as Record<string, unknown>).isElectron;
+    const hasStoredSessionToken =
+      typeof window !== 'undefined' &&
+      (window.localStorage.getItem('sToken') !== null ||
+        window.sessionStorage.getItem('sToken') !== null ||
+        new URLSearchParams(window.location.search).has('sToken'));
+
     if (!isConfigLoaded || hasRunRef.current) return;
+    if (!apiEndpoint && !isElectron && hasStoredSessionToken) return;
     hasRunRef.current = true;
 
     doOrchestrate();
-  }, [isConfigLoaded]);
+  }, [isConfigLoaded, apiEndpoint]);
 }

src/lib/backend.ai-client-esm.ts

@@ -1078,9 +1078,21 @@ class Client {
       const result = await this._wrapWithPromise(rqst);
       if (result.authenticated === true) {
         await this.get_manager_version();
+        // Persist the login session ID so that the session survives a
+        // page refresh — same as the regular login() path.
+        if (this._loginSessionId !== null && this._loginSessionId !== '') {
+          localStorage.setItem(
+            'backendaiwebui.sessionid',
+            this._loginSessionId,
+          );
+        }
         return this.check_login();
       } else if (result.authenticated === false) {
-        // Authentication failed.
+        // Authentication failed. Clear any stale session id that may have
+        // been persisted by a previous login so that subsequent
+        // check_login() calls don't confuse it with a live session.
+        // Mirrors the regular login() failure-path behavior.
+        localStorage.removeItem('backendaiwebui.sessionid');
         if (result.data && result.data.details) {
           return Promise.resolve({ fail_reason: result.data.details });
         } else {