From 98eb54ac63d281450ba11b1dc5534c41662367ca Mon Sep 17 00:00:00 2001 From: svemagie <869694+svemagie@users.noreply.github.com> Date: Sun, 8 Mar 2026 04:30:54 +0100 Subject: [PATCH] Auto-continue login flow to password screen --- README.md | 4 +- package.json | 4 +- scripts/patch-session-login-autocontinue.mjs | 74 ++++++++++++++++++++ start.example.sh | 1 + 4 files changed, 80 insertions(+), 3 deletions(-) create mode 100644 scripts/patch-session-login-autocontinue.mjs diff --git a/README.md b/README.md index f64e6f2a..77503224 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ - The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`). - Legacy `/admin` request paths are normalized to root login redirects (for example `/admin/posts` -> `/session/login?redirect=/posts`) to avoid post-login dead-end targets. +- Login page now auto-continues to the password consent screen by default. Add `?noautocontinue=1` to `/session/login` if you want to keep the manual button step. - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`. - If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it. - If login is blocked because `PASSWORD_SECRET` is missing/invalid, set `INDIEKIT_ALLOW_PASSWORD_SETUP=1` temporarily, restart, generate a new hash via `/auth/new-password`, set `PASSWORD_SECRET` to that hash, then remove `INDIEKIT_ALLOW_PASSWORD_SETUP`. 
@@ -70,7 +71,7 @@ - `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed. - Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server). - Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely. -- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`). +- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-session-login-autocontinue.mjs`). - The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes. - One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash. 
- The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`. @@ -81,3 +82,4 @@ - The frontend serviceworker patch ensures `@indiekit/frontend/lib/serviceworker.js` exists at runtime to avoid ENOENT in the offline/service worker route. - The conversations guard patch prevents `Cannot read properties of undefined (reading 'find')` when the `conversation_items` collection is temporarily unavailable. - The indieauth dev-mode guard patch prevents accidental production auth bypass by requiring explicit `INDIEKIT_ALLOW_DEV_AUTH=1` to enable dev auto-login. +- The session login auto-continue patch redirects from the intermediate `/session/login` screen to the password consent form automatically (with optional `?noautocontinue=1` override). diff --git a/package.json b/package.json index 9b03ea31..6ff22cac 100644 --- a/package.json +++ b/package.json 
@@ -4,8 +4,8 @@ "description": "", "main": "index.js", "scripts": { - "postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indieauth-devmode-guard.mjs", - "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs", + "postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-session-login-autocontinue.mjs", + "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs 
&& node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-session-login-autocontinue.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs", "test": "echo \"Error: no test specified\" && exit 1" }, "keywords": [], diff --git a/scripts/patch-session-login-autocontinue.mjs b/scripts/patch-session-login-autocontinue.mjs new file mode 100644 index 00000000..1fd44b64 --- /dev/null +++ b/scripts/patch-session-login-autocontinue.mjs 
@@ -0,0 +1,74 @@ +import { access, readFile, writeFile } from "node:fs/promises"; + +const candidates = [ + "node_modules/@indiekit/indiekit/views/session/login.njk", +]; + +const oldBlock = ` {{ button({ + text: __("session.login.submit"), + classes: "button--block" + }) | indent(2) }} +{% endblock %}`; + +const newBlock = ` {{ button({ + text: __("session.login.submit"), + classes: "button--block" + }) | indent(2) }} + + + + +{% endblock %}`; + +async function exists(path) { + try { + await access(path); + return true; + } catch { + return false; + } +} + +let checked = 0; +let patched = 0; + +for (const filePath of candidates) { + if (!(await exists(filePath))) { + continue; + } + + checked += 1; + + const source = await readFile(filePath, "utf8"); + + if (source.includes("noautocontinue")) { + continue; + } + + if (!source.includes(oldBlock)) { + continue; + } + + const updated = source.replace(oldBlock, newBlock); + await writeFile(filePath, updated, "utf8"); + patched += 1; +} + +if (checked === 0) { + console.log("[postinstall] No session login templates found"); +} else if (patched === 0) { + console.log("[postinstall] session login auto-continue already patched"); +} else { + console.log(`[postinstall] Patched session login auto-continue in ${patched} file(s)`); +} diff --git a/start.example.sh b/start.example.sh index 6116fc41..20d7ca54 100644 --- a/start.example.sh +++ b/start.example.sh @@ -55,5 +55,6 @@ unset DEBUG /usr/local/bin/node scripts/patch-frontend-serviceworker-file.mjs /usr/local/bin/node scripts/patch-conversations-collection-guards.mjs /usr/local/bin/node scripts/patch-indieauth-devmode-guard.mjs +/usr/local/bin/node scripts/patch-session-login-autocontinue.mjs exec /usr/local/bin/node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs
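Review bot: When the upstream `login.njk` no longer contains `oldBlock`, the loop takes `if (!source.includes(oldBlock)) { continue; }` without recording it, so the summary prints "session login auto-continue already patched" although nothing was applied. For a patch that alters the login flow, template drift should be reported rather than hidden: add `console.warn("[postinstall] session login template changed upstream; auto-continue not applied:", filePath);` before that `continue`, and keep the "already patched" message for the `noautocontinue` marker case only. The markup injected between `indent(2) }}` and `{% endblock %}` is blank on this page, so it cannot be confirmed here that it carries the `noautocontinue` marker the idempotency check relies on, or how it handles the `redirect` query parameter; both are worth checking in the real file. `source.replace(oldBlock, newBlock)` also interprets `$&`, `$'` and `$$` inside `newBlock`, so `source.replace(oldBlock, () => newBlock)` is the safer form if the injected script ever contains a `$`.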