Issue Station
Sign In
Tools hereToolbox

hermes - 💡(How to fix) Fix Dashboard SPA reload loop on /api/auth/me when running with --insecure (no OAuth provider)

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

Error Message

This error repeats infinitely in the console until Escape is pressed twice to stop the reload loop.

Root Cause

The endpoint GET /api/auth/me in dashboard_auth/routes.py always checks request.state.session, which is None when the auth gate is not engaged (insecure mode, auth_required=False on app.state). It returns HTTP 401, which causes the SPA to attempt a redirect to /login. Since no OAuth provider is configured, the login page cannot complete the auth round-trip, resulting in an infinite redirect → reload cycle.

Code Example

hermes dashboard --host 0.0.0.0 --port 9119 --insecure

---

GET http://mini:1414/api/auth/me 401 (Unauthorized)

---

if not getattr(request.app.state, "auth_required", False):
    return {
        "user_id": "local",
        "email": "",
        "display_name": "Local User",
        "org_id": None,
        "provider": None,
        "expires_at": None,
    }
RAW_BUFFERClick to expand / collapse

Bug

When running hermes dashboard --insecure (without an OAuth auth provider), the SPA enters an infinite reload/redirect loop on certain tabs (e.g. Sessions).

Root cause

The endpoint GET /api/auth/me in dashboard_auth/routes.py always checks request.state.session, which is None when the auth gate is not engaged (insecure mode, auth_required=False on app.state). It returns HTTP 401, which causes the SPA to attempt a redirect to /login. Since no OAuth provider is configured, the login page cannot complete the auth round-trip, resulting in an infinite redirect → reload cycle.

Reproduction

  1. Start the dashboard without an OAuth provider: 
    hermes dashboard --host 0.0.0.0 --port 9119 --insecure
  2. Open the dashboard in a browser.
  3. Navigate to Config, change the web theme and save.
  4. Reload the page (Ctrl+R).
  5. The page enters an infinite reload/flicker loop (sessions page).

DevTools evidence

GET http://mini:1414/api/auth/me 401 (Unauthorized)

This error repeats infinitely in the console until Escape is pressed twice to stop the reload loop.

Suggested fix

In hermes_cli/dashboard_auth/routes.py, the api_auth_me handler should check request.app.state.auth_required first. When the auth gate is not active (insecure mode), return a 200 with an anonymous local session instead of raising 401:

if not getattr(request.app.state, "auth_required", False):
    return {
        "user_id": "local",
        "email": "",
        "display_name": "Local User",
        "org_id": None,
        "provider": None,
        "expires_at": None,
    }

This prevents the SPA from entering the 401→login redirect loop when no OAuth provider is configured.

Environment

  • Hermes Agent version: latest 0.15.0 (pip install, 2026-05-29)
  • OS: AlmaLinux 9.7
  • Binding: --host 0.0.0.0 --insecure

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - 💡(How to fix) Fix Dashboard SPA reload loop on /api/auth/me when running with --insecure (no OAuth provider)