From ef80c6f19ebfd294b13198e3d7b8f26d6cc16a03 Mon Sep 17 00:00:00 2001
From: shuki <shuki@shuki>
Date: Fri, 6 Mar 2026 23:50:43 +0200
Subject: [PATCH] Fix web dashboard: exempt static assets from auth, fix
 user-mode uninstall

- Auth middleware now skips /static/ paths and WebSocket upgrades,
  fixing the blank splash screen (xterm.css and textual.js were 401'd)
- Uninstall script now properly stops and removes the user systemd
  service (~/.config/systemd/user/gniza-web.service) in user mode

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 scripts/uninstall.sh | 23 +++++++++++++++++------
 tui/__main__.py      |  8 ++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh
index 90e3fcb..32daf5f 100755
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@@ -67,12 +67,23 @@ else
 fi
 
 # ── Remove web service ───────────────────────────────────────
-if systemctl is-active gniza-web &>/dev/null || [[ -f /etc/systemd/system/gniza-web.service ]]; then
-    echo "Removing GNIZA web service..."
-    systemctl stop gniza-web 2>/dev/null || true
-    systemctl disable gniza-web 2>/dev/null || true
-    rm -f /etc/systemd/system/gniza-web.service
-    systemctl daemon-reload
+if [[ "$MODE" == "root" ]]; then
+    if systemctl is-active gniza-web &>/dev/null || [[ -f /etc/systemd/system/gniza-web.service ]]; then
+        info "Removing GNIZA web service (system)..."
+        systemctl stop gniza-web 2>/dev/null || true
+        systemctl disable gniza-web 2>/dev/null || true
+        rm -f /etc/systemd/system/gniza-web.service
+        systemctl daemon-reload
+    fi
+else
+    _user_service="$HOME/.config/systemd/user/gniza-web.service"
+    if systemctl --user is-active gniza-web &>/dev/null || [[ -f "$_user_service" ]]; then
+        info "Removing GNIZA web service (user)..."
+        systemctl --user stop gniza-web 2>/dev/null || true
+        systemctl --user disable gniza-web 2>/dev/null || true
+        rm -f "$_user_service"
+        systemctl --user daemon-reload 2>/dev/null || true
+    fi
 fi
 
 # ── Remove symlink ───────────────────────────────────────────
diff --git a/tui/__main__.py b/tui/__main__.py
index f7a03b5..9f861f4 100644
--- a/tui/__main__.py
+++ b/tui/__main__.py
@@ -122,8 +122,16 @@ def main():
 
         # Add HTTP Basic Auth if API key is configured
         if web_key:
+            _PUBLIC_PATHS = ("/static/", "/favicon.ico")
+
             @aio_web.middleware
             async def basic_auth_middleware(request, handler):
+                # Allow static assets and WebSocket upgrades without auth
+                if (
+                    any(request.path.startswith(p) for p in _PUBLIC_PATHS)
+                    or request.headers.get("Upgrade", "").lower() == "websocket"
+                ):
+                    return await handler(request)
                 auth_header = request.headers.get("Authorization", "")
                 if auth_header.startswith("Basic "):
                     try: