Web terminal: attempt automatic authentication before prompting by alexey-milovidov · Pull Request #105059 · ClickHouse/ClickHouse · GitHub
Skip to content

Web terminal: attempt automatic authentication before prompting#105059

Merged
alexey-milovidov merged 4 commits into
masterfrom
webterminal-url-credentials
May 18, 2026
Merged

Web terminal: attempt automatic authentication before prompting#105059
alexey-milovidov merged 4 commits into
masterfrom
webterminal-url-credentials

Conversation

@alexey-milovidov

@alexey-milovidov alexey-milovidov commented May 15, 2026

Copy link
Copy Markdown
Member

Previously the web terminal always opened with a Username: / Password: prompt, or — when embedded in an iframe without a URL-supplied user — waited silently for credentials via postMessage. For embedding scenarios where the default user has an empty password (e.g. a vanilla single-node install), that is unnecessary friction.

With this change, the web terminal performs an initial connection attempt on load using the URL-supplied user parameter (or default when absent) and an empty password. If the server rejects the authentication (close code 1008), the existing fallback runs: the interactive Username: / Password: prompt, or postMessage-supplied credentials when embedded in an iframe without a URL user.

The URL password parameter is intentionally not supported — passwords in URLs end up in browser history, referrer headers, server access logs, and proxy logs.

Changelog category (leave one):

  • Improvement

Changelog entry:

The web terminal now attempts an automatic connection with the default credentials (or the URL-supplied user parameter) on load, falling back to the existing interactive prompt only if authentication fails. This makes it usable out-of-the-box on a fresh install and easier to embed in an iframe.

Version info

  • Merged into: 26.5.1.776

Previously the web terminal always opened with a 'Username:' / 'Password:'
prompt (or, when embedded in an iframe without a URL-supplied user, waited
silently for credentials via postMessage). For embedding scenarios where
the default user has an empty password, this is unnecessary friction.

Now the web terminal performs an initial connection attempt using the
URL-supplied user (or 'default') with an empty password. If the server
rejects it, the existing fallback runs: interactive prompt, or postMessage
when embedded without a URL user.
@clickhouse-gh

clickhouse-gh Bot commented May 15, 2026

Copy link
Copy Markdown
Contributor

@clickhouse-gh clickhouse-gh Bot added the pr-improvement Pull request with some product improvements label May 15, 2026
Comment thread programs/server/webterminal.html
`play.html` posts `webterminal-credentials` exactly once on iframe
`load`. With auto-auth running on startup, that message could arrive
while `waitingForCredentials` was still `false` and be silently
dropped; the subsequent `ws.onclose` flipped the flag to `true`, but
no second message ever came, leaving the embedded terminal stuck.

Pre-arm `waitingForCredentials` before the initial auto-auth attempt
when embedded without a URL-supplied user, so a one-shot parent
message is consumed regardless of timing (the in-flight connection
is replaced). Also clear `initialAutoAuth` when parent credentials
arrive, so a subsequent failure prompts interactively instead of
waiting for another (non-existent) parent message.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alexey-milovidov

Copy link
Copy Markdown
Member Author

@alexey-milovidov alexey-milovidov self-assigned this May 18, 2026
@alexey-milovidov alexey-milovidov added this pull request to the merge queue May 18, 2026
Merged via the queue into master with commit 86cf571 May 18, 2026
166 checks passed
@alexey-milovidov alexey-milovidov deleted the webterminal-url-credentials branch May 18, 2026 21:13
@robot-ch-test-poll3 robot-ch-test-poll3 added the pr-synced-to-cloud The PR is synced to the cloud repo label May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-improvement Pull request with some product improvements pr-synced-to-cloud The PR is synced to the cloud repo

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants