fix(frontend): forward X-Pangolin-Token zum Backend (Browser-User 503-Fix)

[strausmann]

Bug

Browser-User ohne aktive Pangolin SSO-Session sahen 503 auf jeder UI-Route die Backend-Daten lädt — / (Dashboard), /printers, /jobs, /templates, /admin/*. Nur /healthz funktionierte (kein Backend-Call).

Root Cause

Pangolin Resource labels.strausmann.cloud (#123) ist mit Header-Auth konfiguriert die X-Pangolin-Token: <trust-token> als Custom Upstream-Header an Frontend injectet. Das Backend akzeptiert diesen Token über sso_trust_header als SSO-equivalentes Signal.

Aber: WithAuthFrom in frontend/internal/api/client.go:130 forwarded nur diese Headers ans Backend:

• ✅ X-Label-Hub-Key
• ✅ X-Pangolin-User
• ✅ Authorization
• ❌ X-Pangolin-Token fehlt

Konsequenz: Backend bekommt keinen Auth-Header → 401 → Frontend wirft 503.

Live-Beweis (vor Fix)

Request	Status
Frontend GET /healthz	200 OK ✅
Frontend GET / (Browser)	503 ❌
Frontend GET / mit X-Pangolin-User: strausmann	200 OK ✅
Frontend GET / mit X-Pangolin-Token: <token>	503 ❌
Backend GET /api/printers mit X-Pangolin-User	200 OK + JSON ✅

Fix

1-Zeilen-Change: X-Pangolin-Token zur Forwarding-Liste in WithAuthFrom hinzugefügt + Docstring präzisiert.

Test

Neuer Test TestWithAuthFromForwardsPangolinTokenHeader — RED vor Fix, GREEN danach.

=== RUN   TestWithAuthFromForwardsPangolinTokenHeader
--- PASS: TestWithAuthFromForwardsPangolinTokenHeader (0.00s)

Volle Suite + race: alle 4 Packages grün.

Test Plan

• CI grün (test + lint + privacy + oapi-codegen-drift)
• Nach Merge: Image-Build + Stack-Update auf hhdocker03
• Browser-Test: https://labels.strausmann.cloud/ liefert Dashboard

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.75%. Comparing base (41bef28) to head (1168e30).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #130      +/-   ##
==========================================
+ Coverage   87.71%   87.75%   +0.04%     
==========================================
  Files          94       94              
  Lines        4574     4574              
  Branches      400      400              
==========================================
+ Hits         4012     4014       +2     
+ Misses        459      457       -2     
  Partials      103      103              

Components	Coverage Δ
Printer Backends (transport)	85.71% <ø> (ø)
Printer Models (drivers)	88.20% <ø> (ø)
Services	91.30% <ø> (ø)
REST API	83.31% <ø> (ø)
Pydantic Schemas	100.00% <ø> (ø)
Integration Plugins	100.00% <ø> (ø)
see 1 file with indirect coverage changes

Flag	Coverage Δ
backend	87.75% <ø> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 41bef28...1168e30. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Dieser Pull Request behebt einen 503-Fehler, der auftrat, wenn Browser-Benutzer ohne aktive Pangolin SSO-Session auf Backend-Daten zugreifen wollten. Durch das explizite Weiterleiten des 'X-Pangolin-Token'-Headers an das Backend wird sichergestellt, dass die Authentifizierung über den 'sso_trust_header'-Mechanismus korrekt funktioniert.

Highlights

• Header Forwarding Fix: Added 'X-Pangolin-Token' to the list of headers forwarded by the frontend to the backend in 'WithAuthFrom', resolving 503 errors for users without an active SSO session.
• Documentation Update: Updated the docstrings in 'client.go' to clarify the purpose of the 'X-Pangolin-Token' and its role as a trust-token for backend authentication.
• Regression Testing: Added a new test case 'TestWithAuthFromForwardsPangolinTokenHeader' to ensure the token is correctly propagated to the backend.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds support for forwarding the X-Pangolin-Token header in WithAuthFrom to allow browser users without an active SSO session to reach the UI. A corresponding unit test has been added to verify this behavior. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.