feat(FR-2627): migrate EduAppLauncher sToken path to STokenLoginBoundary #6864
Merged
graphite-app[bot] merged 1 commit on Apr 23, 2026
Coverage report for
| St.❔ | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🔴 | Statements | 8.92% (+0.02% 🔼) | 1831/20519 |
| 🔴 | Branches | 8.07% (+0% 🔼) | 1165/14429 |
| 🔴 | Functions | 5.28% (+0% 🔼) | 294/5567 |
| 🔴 | Lines | 8.65% (+0.02% 🔼) | 1723/19908 |
Test suite run success
865 tests passing in 40 suites.
Report generated by 🧪jest coverage report action from 5716748
Pull request overview
Routes for /edu-applauncher and /applauncher are updated so sToken-based authentication happens in STokenLoginBoundary before EduAppLauncher mounts, simplifying the launcher’s internal flow and moving URL-param parsing to a typed nuqs allowlist.
Changes:
- Wrap `/edu-applauncher` and `/applauncher` routes with `STokenLoginBoundary`, sourcing `sToken` via `useSToken()` and allowlisted query params via `useQueryStates()`.
- Thread `sToken` and `extraParams` down through `EduAppLauncherPage` into `EduAppLauncher` (no more in-component URL parsing).
- Simplify `EduAppLauncher` state machine/stepper by removing the authentication stage and related legacy logic.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| react/src/routes.tsx | Adds eduAppExtraParamSpec allowlist and wraps edu-app routes in STokenLoginBoundary, passing captured sToken/extraParams through. |
| react/src/pages/EduAppLauncherPage.tsx | Updates page components to accept and forward sToken/extraParams props into the lazy launcher. |
| react/src/components/EduAppLauncher.tsx | Removes token-login + URL parsing from the launcher, shifts to prop-based params, and drops the auth stage from the stepper/state machine. |
Merge activity

…ary (#6864)

Resolves FR-2641, FR-2642 (under Story [FR-2627](https://lablup.atlassian.net/browse/FR-2627), Epic [FR-2616](https://lablup.atlassian.net/browse/FR-2616))

## Summary

Story 3 of Epic FR-2616: route `/edu-applauncher` and `/applauncher` now authenticate through `STokenLoginBoundary` before `EduAppLauncher` mounts. `_token_login` and the manual `backend-ai-connected` dispatch are removed from the component.

### Scope

- **Route wrapping** (`react/src/routes.tsx`): both edu-app routes read `sToken` via `useSToken()` and URL params via `useQueryStates(eduAppExtraParamSpec)`, then wrap `EduAppLauncherPage` with `STokenLoginBoundary`. The URL is intentionally not stripped on success (the launcher still passes `sToken` prop through for `eduApp.get_user_credential` and other params drive the launch sequence).
- **`EduAppLauncher` cleanup** (`react/src/components/EduAppLauncher.tsx`):
  - Removed `_token_login()` method and the URL parsing it owned.
  - Removed the manual `document.dispatchEvent(new CustomEvent('backend-ai-connected'))` call (the boundary now dispatches this exactly once).
  - **Removed the `auth` stage from `EduAppLaunchStage`** — authentication is no longer represented in the launcher's state machine or its stepper UI. Since the boundary runs `connectViaGQL` before `EduAppLauncher` mounts, the component always starts with a fully authenticated client.
  - **Deleted `_prepareProjectInformation()`** — `connectViaGQL` already populates `groups` / `groupIds` / `current_group` / `current_group_id` with a superset of the fields this helper fetched.
  - Proxy URL attach (`_attachProxyURL`) remains but is no longer labeled "auth"; failures now surface under the session step.
  - The stepper UI drops from 3 steps to 2 (`Preparing Session` → `Launching App`).
- **`extraParams` allowlist** (`react/src/routes.tsx:eduAppExtraParamSpec`): added `api_version`, `date`, `endpoint`. These are part of the LMS signing envelope forwarded with `sToken` in the old URL-scan based `_token_login`; the nuqs migration replaced the scan with an explicit allowlist and had dropped them, causing manager-side auth hooks that validate the signature against these fields to reject `token_login` as tampered.

## Test plan

- [x] `bash scripts/verify.sh` → `ALL PASS`
- [ ] Manual: launch from LMS URL `/edu-applauncher?sToken=<signed>&app=jupyterlab&api_version=...&date=...&endpoint=...&session_id=...` and confirm:
  - `POST /server/token-login` body contains all extra keys (check DevTools Network tab)
  - Stepper shows 2 steps ("Preparing Session", "Launching App") — no "Authentication" step
  - Successful launch opens the app in a new tab
- [ ] Regression scenarios covered by PR #6865 E2E: with / without `session_id`, invalid sToken surfaces stepper-integrated error

**Checklist:**

- [ ] Documentation
- [ ] Minimum required manager version
- [ ] Specific setting for review (eg., KB link, endpoint or how to setup)
- [x] Minimum requirements to check during review
- [x] Test case(s) to demonstrate the difference of before/after

## Stack

Story 3 of Epic FR-2616. See [dev plan](../blob/main/.specs/draft-stoken-login-boundary/dev-plan.md) for the full story breakdown.

[FR-2627]: https://lablup.atlassian.net/browse/FR-2627
[FR-2616]: https://lablup.atlassian.net/browse/FR-2616
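
The allowlist regression described in the commit message above, reproduced as an added example (not code from this PR or the project): a query-param allowlist that omits signed fields makes a server-side signature check fail, and a drift check catches that before release. Assumptions: the HMAC-SHA256 scheme, the secret, the `BEFORE` allowlist contents, and modelling `sToken` as the bare signature are all hypothetical; only the parameter names come from the page.

```javascript
// Added illustration; not code from the PR or the project.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumption: the LMS signs exactly these fields (names taken from the PR text).
const SIGNED_FIELDS = ['api_version', 'date', 'endpoint'];
const SECRET = 'constructed-demo-secret'; // constructed value

// Hypothetical signature: HMAC-SHA256 over "key=value" lines in fixed order.
function sign(params) {
  const canonical = SIGNED_FIELDS.map((k) => `${k}=${params[k] ?? ''}`).join('\n');
  return createHmac('sha256', SECRET).update(canonical).digest('hex');
}

// Client side: an explicit allowlist forwards only the keys it names.
function pickAllowed(search, allowlist) {
  const query = new URLSearchParams(search);
  return Object.fromEntries(allowlist.filter((k) => query.has(k)).map((k) => [k, query.get(k)]));
}

// Server side: stand-in for an auth hook that recomputes the signature from the body.
function verifyTokenLogin(body) {
  const expected = Buffer.from(sign(body), 'hex');
  const presented = Buffer.from(String(body.sToken ?? ''), 'hex');
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}

// Drift check for CI: signed fields that an allowlist would silently drop.
function missingSignedFields(allowlist) {
  return SIGNED_FIELDS.filter((k) => !allowlist.includes(k));
}

// Constructed launch URL in the shape of the PR's manual test plan.
const envelope = { api_version: 'v0-constructed', date: '2026-04-22T00:00:00Z', endpoint: 'https://manager.example.invalid' };
const lmsUrl = '?' + new URLSearchParams({ sToken: sign(envelope), app: 'jupyterlab', session_id: 'sess-1', ...envelope });

const BEFORE = ['app', 'session_id']; // assumed pre-fix allowlist
const AFTER = [...BEFORE, ...SIGNED_FIELDS]; // after adding the three fields

function loginBody(allowlist) {
  return { sToken: new URLSearchParams(lmsUrl).get('sToken'), ...pickAllowed(lmsUrl, allowlist) };
}

console.log('before:', verifyTokenLogin(loginBody(BEFORE)), missingSignedFields(BEFORE));
console.log('after: ', verifyTokenLogin(loginBody(AFTER)), missingSignedFields(AFTER));
```

Running `missingSignedFields` against the real allowlist in a unit test turns this class of regression into a build failure instead of a rejected login in production.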
Base automatically changed from 04-22-feat_fr-2626_migrate_loginview_stoken_path_to_stokenloginboundary to main April 23, 2026 10:46
graphite-app Bot pushed a commit that referenced this pull request Apr 24, 2026

…6865)

Resolves FR-2639 and FR-2643 (under Stories [FR-2626](https://lablup.atlassian.net/browse/FR-2626) / [FR-2627](https://lablup.atlassian.net/browse/FR-2627), Epic [FR-2616](https://lablup.atlassian.net/browse/FR-2616))

resolves #NNN (FR-MMM)
<!-- replace NNN, MMM with the GitHub issue number and the corresponding Jira issue number. -->

<!-- Please precisely, concisely, and concretely describe what this PR changes, the rationale behind codes, and how it affects the users and other developers. -->

**Checklist:** (if applicable)

- [ ] Documentation
- [ ] Minimum required manager version
- [ ] Specific setting for review (eg., KB link, endpoint or how to setup)
- [ ] Minimum requirements to check during review
- [ ] Test case(s) to demonstrate the difference of before/after

## Stack

Story 2/3 E2E regression for Epic FR-2616. Sits on top of the Story 2 (#6861) and Story 3 (#6864) implementation PRs.

[FR-2626]: https://lablup.atlassian.net/browse/FR-2626?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[FR-2627]: https://lablup.atlassian.net/browse/FR-2627?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
[FR-2616]: https://lablup.atlassian.net/browse/FR-2616?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
