Add human-readable auth IDs, configurable auth passwords, and an auth URL endpoint:
- Replace random nanoid with human-id (e.g. apple-banana-something-words)
- Add clientAuthPasswords config for pre-approved auth credentials
- Server generates temporary auth IDs for clickable auth URLs (/.devtools/auth?id=xxx)
- Terminal prompt shows auth URL and aborts on timeout (60s), URL usage, or new auth request
- Add BroadcastChannel to sync auth updates across browser tabs
- Add password input UI to ViewBuiltinClientAuthNotice for manual auth entry
- Add auth-state.ts module to manage pending auth state and temp ID consumption

All tests pass, build succeeds, and the feature is fully functional.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@vitejs/devtools
@vitejs/devtools-kit
@vitejs/devtools-rolldown
@vitejs/devtools-rpc
@vitejs/devtools-self-inspect
commit: |
Add an "Auth Tokens" tab to the self-inspect debug panel that lists all trusted clients with their auth ID, user agent, origin, and trust date. Each token can be revoked individually.
- Add get-auth-tokens and revoke-auth-token RPC functions
- Export getInternalContext from @vitejs/devtools for cross-package access
- Add AuthTokensList component and auth page to self-inspect UI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Unify wording: clientAuthPasswords → clientAuthTokens, "password" → "token" in UI
- Add revokeAuthToken() utility that removes token from storage and notifies all connected clients using that token via auth:revoked broadcast event
- One token can be used by multiple clients; revoking disconnects all of them
- Client-side handler in rpc-ws.ts listens for auth:revoked and shows auth notice
- Self-inspect revoke RPC now uses the shared revokeAuthToken utility

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
/internal export
- Attach revokeAuthToken as a method on DevToolsInternalContext instead of a standalone exported function
- Create @vitejs/devtools/internal sub-export for getInternalContext
- Remove getInternalContext and revokeAuthToken from main entry point
- Add alias and tsconfig path for @vitejs/devtools/internal
- Update self-inspect to import from @vitejs/devtools/internal

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- When auth is revoked, close the current tab and panel in embedded mode
- Force dock mode to 'float' when unauthorized (regardless of settings)
- Standalone mode also clears selected entry on revocation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When unauthorized, DockEmbedded now renders in float mode by checking isRpcTrusted rather than modifying panel.store.mode. This preserves the user's mode preference while ensuring the unauthorized UI always shows in float mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Unify all auth terminology to use "authToken" consistently:
- `authId` → `authToken` in interfaces, variables, and parameters
- `clientAuthId` → `clientAuthToken` in session meta
- `CONNECTION_AUTH_ID_KEY` → `CONNECTION_AUTH_TOKEN_KEY`
- `__VITE_DEVTOOLS_CONNECTION_AUTH_ID__` → `__VITE_DEVTOOLS_CONNECTION_AUTH_TOKEN__`
- `getTempAuthId` → `getTempAuthToken`, `refreshTempAuthId` → `refreshTempAuthToken`
- `consumeTempAuthId` → `consumeTempAuthToken`
- Updated export snapshot for new human-id util

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add `requestTrustWithToken(token)` to DevToolsRpcClient interface that re-requests trust over the existing WS connection with a new token, avoiding page reload that would lose user app state.
- BroadcastChannel auth-update handler now calls requestTrustWithToken
- ViewBuiltinClientAuthNotice submit calls context.rpc.requestTrustWithToken
- Token is persisted to localStorage/globalThis for future reconnections
- Static RPC mode provides no-op implementation (always trusted)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
clientAuthTokens from config were being stored in trusted storage on auto-approve, which meant revoking them from self-inspect had no effect since the next auth request would re-match the config and re-store.

Now config-based tokens only grant session-level trust (in-memory meta) without persisting to storage. Only terminal-approved and temp-token approved auth tokens are persisted.

Also use delete instead of = undefined for immer draft cleanup on revoke.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
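
The storage behaviour described in the commit about config-based tokens, together with the revoke fan-out from the `revokeAuthToken()` commit, sketched as an added example. This is not code from the PR: `TrustRegistry`, its members, `revokeThenReconnect` and the token strings are hypothetical and constructed for illustration.

```typescript
// Added illustration, not the project's code. TrustRegistry and its members are
// hypothetical names modelling the behaviour the commit messages describe.
type Session = { token: string, trusted: boolean }

class TrustRegistry {
  persisted: string[] = [] // trusted storage, survives reconnects
  sessions: Record<string, Session> = {} // in-memory session meta
  configTokens: string[] // clientAuthTokens from config
  persistConfigTokens: boolean // true reproduces the behaviour before the fix

  constructor(configTokens: string[], persistConfigTokens: boolean) {
    this.configTokens = configTokens
    this.persistConfigTokens = persistConfigTokens
  }

  // Terminal-approved and temp-token-approved tokens are written to storage.
  approve(token: string): void {
    if (this.persisted.indexOf(token) === -1)
      this.persisted.push(token)
  }

  connect(sessionId: string, token: string): boolean {
    const fromConfig = this.configTokens.indexOf(token) !== -1
    if (fromConfig && this.persistConfigTokens)
      this.approve(token) // pre-fix: auto-approve also wrote to storage
    const trusted = fromConfig || this.persisted.indexOf(token) !== -1
    this.sessions[sessionId] = { token, trusted }
    return trusted
  }

  // Drops the token from storage; returns the sessions an auth:revoked broadcast would reach.
  revoke(token: string): string[] {
    this.persisted = this.persisted.filter(t => t !== token)
    const hit = Object.keys(this.sessions).filter(id => this.sessions[id].token === token)
    hit.forEach((id) => { this.sessions[id].trusted = false })
    return hit
  }
}

// Constructed scenario: two tabs share one token, it is revoked, one tab reconnects.
function revokeThenReconnect(token: string, configTokens: string[], persistConfigTokens: boolean) {
  const reg = new TrustRegistry(configTokens, persistConfigTokens)
  reg.approve('terminal-token') // approved once at the terminal prompt
  reg.connect('tab-1', token)
  reg.connect('tab-2', token)
  const notified = reg.revoke(token)
  const trustedAfter = reg.connect('tab-1', token)
  return { notified, trustedAfter, inStorage: reg.persisted.indexOf(token) !== -1 }
}
```

In this model a config token still matches the config on reconnect, so the difference between the two modes shows up in `inStorage`: with `persistConfigTokens` set, the revoked token is written back to storage on the next connect.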
Ari4ka
approved these changes
Mar 19, 2026
Description
close #223
This PR implements human-readable auth IDs and multiple authentication modes for Vite DevTools:
Features:
- `human-id` library, generating IDs like `apple-banana-something-words` for better UX
- `clientAuthPasswords: string[]` config option to auto-approve matching clients without terminal prompts
- `/.devtools/auth?id=xxx`, printed in terminal prompt

Implementation details
- `human-id` library added as inlined dependency for smaller bundle size
- `auth-state.ts` module manages pending auth state, temporary IDs, and abort controller
- `/auth-verify` endpoint consumes temp IDs and resolves pending auth requests

Linked Issues
Closes auth UX improvements
Additional context
This enables three flexible auth workflows: