fix(frontend): forward Remote-User zum Backend (vervollständigt PR #130)

[strausmann]

Fortsetzung von PR #130

Closes #131

PR #130 hatte X-Pangolin-Token zum Forwarding hinzugefügt — externes Header-Auth funktioniert damit. Aber Browser-User mit aktiver Pangolin SSO-Session bekommen weiterhin 503 weil das Backend für den SSO-Trust-Pfad beide Header braucht:

• X-Pangolin-Token (Trust-Signal) ✅ PR fix(frontend): forward X-Pangolin-Token zum Backend (Browser-User 503-Fix) #130
• Remote-User (Standard-SSO User-Identity, sso_user_header) ❌ fehlt

Forwarding nur einer von beiden → 401 vom Backend → Frontend wirft 503.

Fix

1-Zeilen-Change: Remote-User zur Forwarding-Liste hinzugefügt + Docstring präzisiert.

Test

Neuer Test TestWithAuthFromForwardsRemoteUserHeader — RED ohne Fix, GREEN damit. Alle 4 Header-Forwarding-Tests grün mit Race-Detector.

--- PASS: TestWithAuthFromForwardsAPIKeyHeader (0.01s)
--- PASS: TestWithAuthFromForwardsPangolinTokenHeader (0.01s)
--- PASS: TestWithAuthFromForwardsRemoteUserHeader (0.02s)
--- PASS: TestWithAuthFromForwardsPangolinHeader (0.02s)

Test Plan

• CI grün
• Image-Build durch
• Stack-Recreate auf hhdocker03
• Browser-Smoke: https://labels.strausmann.cloud/ zeigt Dashboard
• Cleanup-Followup: pangolin_pangolin_mgmt aus Frontend-Networks (separate Dockhand-Update, kein Repo-Change weil Compose in Dockhand-DB lebt)

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Dieser Pull Request vervollständigt die Authentifizierungslogik für das Forwarding von Requests an das Backend. Da das Backend für den SSO-Trust-Pfad sowohl ein Trust-Signal als auch die Benutzeridentität benötigt, wurde der 'Remote-User'-Header in die Forwarding-Liste aufgenommen, um 401-Fehler und daraus resultierende 503-Statuscodes im Frontend zu beheben.

Highlights

• Header Forwarding Update: Added the 'Remote-User' header to the list of headers forwarded by the HubClient to ensure proper authentication with the backend.
• Documentation Improvement: Updated docstrings in client.go to clarify that both 'X-Pangolin-Token' and 'Remote-User' are required for successful SSO-trust path authentication.
• Regression Testing: Implemented 'TestWithAuthFromForwardsRemoteUserHeader' to verify that the 'Remote-User' header is correctly propagated to the backend.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the frontend API client to forward the Remote-User header alongside existing authentication headers in WithAuthFrom, ensuring compatibility with the backend's SSO-trust path. A corresponding unit test has been added to verify this behavior. The feedback suggests adding a defensive nil check for the incoming http.Request parameter to prevent potential nil-pointer dereferences.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Zur defensiven Programmierung sollte überprüft werden, ob r nil ist, um eine Nil-Pointer-Dereferenzierung (Panic) zu verhindern, falls die Methode mit einem nil-Request aufgerufen wird (z. B. in Tests oder Hintergrund-Tasks).

func (c *HubClient) WithAuthFrom(r *http.Request) *HubClient {
	if r == nil {
		return &HubClient{
			gen:         c.gen,
			hc:          c.hc,
			baseURL:     c.baseURL,
			authHeaders: nil,
		}
	}
	headers := make(map[string]string, 5)
	for _, h := range []string{"X-Label-Hub-Key", "X-Pangolin-User", "X-Pangolin-Token", "Remote-User", "Authorization"} {
		if v := r.Header.Get(h); v != "" {
			headers[h] = v
		}

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR updates the frontend Hub API client to forward Pangolin’s Remote-User header to the backend and adds a regression test to ensure the header is propagated correctly.

Changes:

• Forward Remote-User in HubClient.WithAuthFrom alongside existing auth headers.
• Update WithAuthFrom doc comment to describe Standard-SSO behavior and requirements.
• Add a unit test verifying Remote-User forwarding to the backend.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
frontend/internal/api/client.go	Extends WithAuthFrom to propagate Remote-User and updates the associated documentation.
frontend/internal/api/client_test.go	Adds a test that verifies Remote-User is forwarded to backend requests.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.75%. Comparing base (5fb2038) to head (ab42f24).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #132      +/-   ##
==========================================
+ Coverage   87.71%   87.75%   +0.04%     
==========================================
  Files          94       94              
  Lines        4574     4574              
  Branches      400      400              
==========================================
+ Hits         4012     4014       +2     
+ Misses        459      457       -2     
  Partials      103      103              

Components	Coverage Δ
Printer Backends (transport)	85.71% <ø> (ø)
Printer Models (drivers)	88.20% <ø> (ø)
Services	91.30% <ø> (ø)
REST API	83.31% <ø> (ø)
Pydantic Schemas	100.00% <ø> (ø)
Integration Plugins	100.00% <ø> (ø)
see 1 file with indirect coverage changes

Flag	Coverage Δ
backend	87.75% <ø> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5fb2038...ab42f24. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.