fix(frontend): detect auto-login disabled from FastAPI nested detail field #13770

Open
Eltortilla1 wants to merge 1 commit into langflow-ai:release-1.11.0 from Eltortilla1:fix/auto-login-stuck-loading-13766

Eltortilla1 commented Jun 22, 2026

Summary

Fixes #13766 — login screen never displayed (infinite loading spinner) when LANGFLOW_AUTO_LOGIN=false.

  • When AUTO_LOGIN=false the backend returns HTTP 403 with { "detail": { "auto_login": false } }. The previous check read error.response?.data?.auto_login, which is undefined because FastAPI wraps error payloads under detail. As a result autoLoginDisabledByBackend was always false, causing an infinite retry loop in handleAutoLoginError and the login page never rendering.
  • Fix reads error.response?.data?.detail?.auto_login === false first (FastAPI error shape), with a fallback to the top-level field for forward-compatibility.
  • Extends AutoLoginErrorResponse to correctly type the detail field.

Test plan

  • Start backend with LANGFLOW_AUTO_LOGIN=false, LANGFLOW_SUPERUSER, LANGFLOW_SUPERUSER_PASSWORD set
  • Open http://localhost:3000 — login screen appears immediately (no infinite spinner)
  • No repeated auto_login or refresh requests visible in Network tab
  • Login with the configured superuser credentials succeeds
  • Verify LANGFLOW_AUTO_LOGIN=true still auto-logs in without credentials (no regression)
  • New unit tests pass: autologin-disabled-detection.test.ts (7 tests)

Summary by CodeRabbit

  • Bug Fixes

    • Fixed auto-login disabled detection to correctly handle both nested and top-level error response formats from the backend, ensuring consistent behavior across different scenarios.
  • Tests

    • Added regression tests for auto-login disabled detection to cover various backend response formats and prevent future compatibility issues.
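
The detection described in the pull request summary above, as an added TypeScript example that is not part of the PR or of Langflow's code. It goes slightly beyond the two shapes the PR handles by also tolerating FastAPI's string and list `detail` forms, and it caps retries so an unrecognized error body cannot spin forever; the names `autoLoginDisabled`, `nextAutoLoginAction` and the `maxAttempts` cap are assumptions.

```typescript
// Added example (not Langflow code). All names here are hypothetical.

type AutoLoginAction = "show_login" | "retry";

// Narrow an unknown JSON value to a plain object (not null, not an array).
function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// True only when the body carries an explicit boolean `auto_login: false`,
// either nested under FastAPI's `detail` or at the top level.
// `detail` may also be a string or a list of validation errors; those, and
// a string "false", never count as "disabled".
function autoLoginDisabled(body: unknown): boolean {
  if (!isRecord(body)) return false;
  const detail = body["detail"];
  if (isRecord(detail) && detail["auto_login"] === false) return true;
  return body["auto_login"] === false;
}

// Decide what the client does after a failed auto-login request.
// Assumption: retries are capped, so an unrecognized body cannot loop forever.
function nextAutoLoginAction(
  body: unknown,
  attempt: number,
  maxAttempts: number = 3,
): AutoLoginAction {
  if (autoLoginDisabled(body)) return "show_login"; // backend said no: stop now
  if (attempt >= maxAttempts) return "show_login"; // budget spent: show the login page
  return "retry";
}

// Constructed sample bodies (not captured from a real server).
const SAMPLE_BODIES: Array<[string, unknown]> = [
  ["fastapi nested", { detail: { message: "Auto login is disabled.", auto_login: false } }],
  ["flat", { auto_login: false }],
  ["string detail", { detail: "Not authenticated" }],
  ["list detail", { detail: [{ loc: ["body"], msg: "field required", type: "missing" }] }],
  ["string flag", { detail: { auto_login: "false" } }],
  ["empty", undefined],
];

for (const [label, body] of SAMPLE_BODIES) {
  console.log(label, autoLoginDisabled(body), nextAutoLoginAction(body, 1));
}
```

Only the first two sample bodies are treated as "disabled"; every other shape falls through to the bounded retry path and ends at the login page once the attempt budget is used up.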

coderabbitai Bot commented Jun 22, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5ba9dded-2015-43b8-ad96-b005c4d64017

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Extends AutoLoginErrorResponse with an optional nested detail object containing auto_login and message. The retry-disabling condition in the auto-login failure handler now checks both the legacy top-level data.auto_login === false and the new data.detail.auto_login === false. A regression test file validates all detection paths including edge cases.

Changes

Auto-login detection for FastAPI nested error shape

| Layer / File(s) | Summary |
|---|---|
| AutoLoginErrorResponse type extension and retry condition: src/frontend/src/controllers/API/queries/auth/use-get-autologin.ts | Adds optional detail?: { auto_login?: boolean; message?: string } to AutoLoginErrorResponse. The retry-disabling guard now ORs data.auto_login === false with data.detail.auto_login === false to handle both the legacy flat shape and FastAPI's nested error payload. |
| Regression tests for auto-login disabled detection: src/frontend/src/controllers/API/queries/auth/__tests__/autologin-disabled-detection.test.ts | New Jest test suite defines a local mirror of isAutoLoginDisabledByBackend and covers: FastAPI nested auto_login false/true/absent, the previously buggy path where data.auto_login reads undefined for FastAPI errors, the flat { auto_login: false } forward-compatible shape, and undefined/empty-object edge inputs. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

lgtm

Suggested reviewers

  • jordanrfrazier
  • Adam-Aghili

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Coverage For New Implementations | ❌ Error | Test file exists with proper naming convention and includes 7 cases, but the test at lines 53-60 doesn't verify function behavior—it only asserts data.auto_login is undefined without calling isAuto... | Add expect(isAutoLoginDisabledByBackend(data)).toBe(true); to the test at line 59 to verify the fixed functionality correctly handles nested FastAPI error payloads. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Quality And Coverage | ⚠️ Warning | Test quality issues found: (1) Test #4 (lines 54-59) is incomplete - it does not call the function being tested, violating the requirement that tests validate behavior; (2) Tests only validate a lo... | Complete test #4 by adding expect(isAutoLoginDisabledByBackend(data)).toBe(true) assertion. Add integration tests that verify the actual useGetAutoLogin hook detects auto_login disabled and skips retry logic when FastAPI returns nested... |
| Test File Naming And Structure | ⚠️ Warning | Test file has correct naming/structure (*.test.ts, Jest, descriptive names, organized), but one test at lines 54-59 is incomplete—it only checks data.auto_login is undefined, not that isAutoLoginDi... | Add expect(isAutoLoginDisabledByBackend(data)).toBe(true) to the "Previous buggy path" test to verify the function correctly detects disabled auto-login in the nested FastAPI format. |

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately describes the main change: detecting auto-login disabled status from FastAPI's nested detail field, which directly addresses the core issue in the changeset. |
| Linked Issues check | ✅ Passed | The pull request successfully addresses all primary coding objectives from issue #13766: it updates the frontend to correctly detect auto-login disabled status from nested FastAPI responses, preventing infinite retry loops and allowing the login screen to display. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the auto-login detection issue: updates to AutoLoginErrorResponse TypeScript interface and auto-login error handling logic, plus comprehensive test coverage for the fix. |
| Excessive Mock Usage Warning | ✅ Passed | The test file uses zero mocks, testing pure detection logic with real objects instead. This demonstrates appropriate test design: mocks are avoided for core logic, used only for external dependenci... |
github-actions Bot added bug (Something isn't working) and removed bug (Something isn't working) labels Jun 22, 2026
Eltortilla1 force-pushed the fix/auto-login-stuck-loading-13766 branch from 5071d37 to bc73224, June 22, 2026 14:28

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
src/frontend/src/controllers/API/queries/auth/__tests__/autologin-disabled-detection.test.ts (2)

23-27: 🧹 Nitpick | 🔵 Trivial | 🏗️ Heavy lift

Consider extracting the detection logic into a testable function.

The helper duplicates the production logic from use-get-autologin.ts. While the comment states this is intentional to make tests break when logic changes, this creates a maintenance risk: if someone incorrectly modifies both the production code and this test helper, the tests will pass even with broken behavior.

A more robust approach would be to extract the detection logic into a separate exported function in the production code and import it here. This ensures tests validate the actual production code path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/frontend/src/controllers/API/queries/auth/__tests__/autologin-disabled-detection.test.ts`
around lines 23 - 27, The helper function `isAutoLoginDisabledByBackend` in the
test file duplicates the production logic from `use-get-autologin.ts`, creating
maintenance risk. Extract the detection logic that checks if
`data?.detail?.auto_login === false || data?.auto_login === false` into a
separate exported function in the production code file `use-get-autologin.ts`,
then remove the duplicate implementation from the test file and instead import
and use that exported function. This ensures the test validates the actual
production code path rather than a duplicated copy.

Source: Coding guidelines


29-78: 🧹 Nitpick | 🔵 Trivial | 🏗️ Heavy lift

Test coverage validates the isolated logic but not the production code path.

These tests validate the helper function's logic but don't test the actual useGetAutoLogin hook where the detection logic lives inline (lines 67-69 of use-get-autologin.ts). Consider adding integration tests that mock axios responses and verify the hook's behavior end-to-end.

This would provide stronger confidence that the fix works in the actual production flow, especially since the detection logic isn't extracted as a separate function.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/frontend/src/controllers/API/queries/auth/__tests__/autologin-disabled-detection.test.ts`
around lines 29 - 78, Add integration tests for the useGetAutoLogin hook that
mock axios error responses and verify the end-to-end behavior of the auto login
disabled detection. The current test file validates the
isAutoLoginDisabledByBackend helper function in isolation, but the actual
detection logic lives inline within the useGetAutoLogin hook (in
use-get-autologin.ts at lines 67-69). Create tests that mock axios to return
FastAPI error responses with the nested detail shape and flat shape, then assert
that the hook correctly handles these responses and sets the
autoLoginDisabledByBackend state appropriately.

Source: Coding guidelines

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff1ac53d-2abd-4576-a6f1-c5c884850af4

📥 Commits

Reviewing files that changed from the base of the PR and between 2b7b113 and bc73224.

📒 Files selected for processing (2)
  • src/frontend/src/controllers/API/queries/auth/__tests__/autologin-disabled-detection.test.ts
  • src/frontend/src/controllers/API/queries/auth/use-get-autologin.ts

Comment on lines +53 to +60
describe("Previous buggy path — data.auto_login directly (undefined for FastAPI errors)", () => {
it("returns false when only data is present without detail (old incorrect read)", () => {
// This simulates what the OLD code read: data.auto_login === undefined
const data = { detail: { auto_login: false } } as AutoLoginErrorResponse;
// Accessing data.auto_login (old code) gives undefined, which !== false
expect(data.auto_login).toBeUndefined();
});
});

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Complete the test to verify the function behavior.

This test only documents that data.auto_login is undefined (the bug), but it doesn't verify that isAutoLoginDisabledByBackend correctly handles the FastAPI nested shape. The test should call the function and assert it returns true for this case.

🧪 Suggested fix
  describe("Previous buggy path — data.auto_login directly (undefined for FastAPI errors)", () => {
    it("returns false when only data is present without detail (old incorrect read)", () => {
-     // This simulates what the OLD code read: data.auto_login === undefined
      const data = { detail: { auto_login: false } } as AutoLoginErrorResponse;
-     // Accessing data.auto_login (old code) gives undefined, which !== false
+     // The OLD code read data.auto_login (undefined), which !== false, causing the bug
+     // The FIXED code reads data.detail.auto_login (false), correctly detecting disabled state
      expect(data.auto_login).toBeUndefined();
+     expect(isAutoLoginDisabledByBackend(data)).toBe(true);
    });
  });
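Review bot: The `it(...)` title kept as context on the second line still says "returns false when only data is present without detail", yet the fixture is `{ detail: { auto_login: false } }` and the added assertion expects `toBe(true)`. Rename the case to state that a nested `detail.auto_login` of false is detected as disabled, so a failing run reports what actually regressed. The retained `expect(data.auto_login).toBeUndefined()` asserts only on the fixture, not on the function; it is harmless but could be folded into the comment above it.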
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@src/frontend/src/controllers/API/queries/auth/__tests__/autologin-disabled-detection.test.ts`
around lines 53 - 60, The test in the "Previous buggy path — data.auto_login
directly (undefined for FastAPI errors)" describe block only verifies that the
bug exists (data.auto_login is undefined) but does not actually test the
function behavior. Enhance the test by calling the isAutoLoginDisabledByBackend
function with the data object and asserting that it returns true, since the
nested detail.auto_login property is false. This will verify that the function
correctly handles the FastAPI nested error response shape despite the old code's
incorrect direct data.auto_login access.

Source: Coding guidelines

…field

When LANGFLOW_AUTO_LOGIN=false the backend returns HTTP 403 with:
  { "detail": { "message": "Auto login is disabled.", "auto_login": false } }

The previous check read `error.response?.data?.auto_login`, which is
`undefined` because FastAPI nests error payloads under `detail`. This caused
`autoLoginDisabledByBackend` to always evaluate to `false`, triggering an
infinite retry loop and preventing the login screen from ever rendering.

Fix: read `error.response?.data?.detail?.auto_login === false` first
(FastAPI error shape), with a fallback to the top-level field for
forward-compatibility. Also extends `AutoLoginErrorResponse` to correctly
type the `detail` field.

Fixes langflow-ai#13766

refactor(frontend): extract isAutoLoginDisabled as exported utility

Extract the auto-login disabled detection predicate into a named exported
function so regression tests can import it directly rather than duplicating
the logic. No behaviour change.

test(frontend): assert isAutoLoginDisabled handles FastAPI nested shape

Extend the regression test to call isAutoLoginDisabled() and assert it
returns true when auto_login is nested under detail, confirming the fix
works end-to-end and not just that the old read returned undefined.
Eltortilla1 force-pushed the fix/auto-login-stuck-loading-13766 branch from aa3dc3e to bba75a0, June 22, 2026 14:47