From 6b7743ecaf07e47972b8466265ee14336764fd73 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Apr 2026 18:15:11 +0300
Subject: [PATCH] =?UTF-8?q?tower=200.61.23=20/=20tower-ui=200.61.23=20?= =?UTF-8?q?=E2=80=94=20SSE=20auth=20via=20=3Ftoken=3D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NotificationBell + ActivityTab opened EventSource without auth (native EventSource API can't set Authorization headers). Phase G's canSeeOp guard correctly dropped every event for the resulting anonymous viewer, leaving the bell silent except for the one-shot backfill on mount. Backend: claimsFromRequest now falls back to ?token= query param when the Authorization header is absent. HTTPS-only ingress means the token stays inside the TLS tunnel; the 15-min access-token TTL bounds any leakage if it ever surfaces in browser history or proxy logs. Frontend: streamOperation + streamAllOperations append the access token via streamURL(). Plus token-expiry-aware reconnect: on EventSource error, debounce 5s, close, run authFetch('/me') to let the 0.61.18 refresh path renew the access token, then re-open with a fresh streamURL. Without this, the native auto-reconnect would loop forever with the now-stale token after 15 min.
---
 values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/values.yaml b/values.yaml
index 486617f..68eee15 100644
--- a/values.yaml
+++ b/values.yaml
@@ -9,7 +9,7 @@ backend:
 # so every cluster that runs Tower needs the same imagePullSecret
 # provisioned out-of-band (until cluster-platform-v3 owns it).
 repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
- tag: "0.61.22"
+ tag: "0.61.23"
 pullPolicy: IfNotPresent
 imagePullSecrets:
 - name: docker-mirror-pull
@@ -29,7 +29,7 @@ frontend:
 enabled: true
 image:
 repository: registry.odoosky.cloud/odoosky/docker-mirror/tower-ui
- tag: "0.61.20"
+ tag: "0.61.23"
 pullPolicy: IfNotPresent
 imagePullSecrets:
 - name: docker-mirror-pull