Summary
mashlib.js injects xlogin asynchronously then immediately boots the LOSOS shell. Panes that consult window.xlogin.authFetch in their render() capture an unrestored auth state → request goes out unsigned → 401 on owner-only resources after a hard reload.
Reproduce
- Logged-in xlogin session, pod with an owner-only resource (any
.acl file).
- Open
localhost:.../<resource> so the LOSOS shell mounts and the sharing-pane is the active tab.
- Hard-reload (Ctrl-Shift-R).
- Sharing-pane fetches the
.acl → 401 Unauthorized. Server log shows the request returning in ~0.5ms (no auth header).
Root cause
mashlib.js does:
- Append
<script src="…/xlogin"> (async, non-blocking).
- Top-level
await fetch(resource) + append pane <script>s.
await import('losos/shell.js').
The xlogin script downloads/executes in parallel with steps 2–3. On hard reload (cold cache) it isn't done by the time the shell calls pane.render. xlogin's authFetch silently falls back to plain fetch when window.xlogin._type is null (xlogin.js:637) → unsigned → 401.
Proposed fix
Move the wait into mashlib.js (the consumer that already injects xlogin and knows its lifecycle). LOSOS shell stays generic — zero auth-library awareness.
// near where xloginScript is appended:
var xloginLoaded = new Promise(r => {
xloginScript.addEventListener('load', r, { once: true })
xloginScript.addEventListener('error', r, { once: true })
})
document.head.appendChild(xloginScript)
// before `await import(base + 'losos/shell.js')`:
await xloginLoaded
if (window.xlogin && window.xlogin.ready) await window.xlogin.readywindow.xlogin.ready is the additive Promise added in melvincarvalho/xlogin#14 (live as xlogin@0.0.9). Resolves promptly for unauthenticated visitors (no session → no penalty).
~6 lines added to mashlib.js. No losos/ changes.
Out of scope
Acceptance
- Hard-reload of a logged-in tab serving an owner-only resource: sharing-pane renders permissions instead of 401.
- Anonymous visitors: no fixed-cap delay (the Promise resolves on script-load + ready).
losos/shell.js is unchanged at the gh-pages level.
Summary
mashlib.jsinjects xlogin asynchronously then immediately boots the LOSOS shell. Panes that consultwindow.xlogin.authFetchin theirrender()capture an unrestored auth state → request goes out unsigned → 401 on owner-only resources after a hard reload.Reproduce
.aclfile).localhost:.../<resource>so the LOSOS shell mounts and the sharing-pane is the active tab..acl→ 401 Unauthorized. Server log shows the request returning in ~0.5ms (no auth header).Root cause
mashlib.jsdoes:<script src="…/xlogin">(async, non-blocking).await fetch(resource)+ append pane<script>s.await import('losos/shell.js').The xlogin script downloads/executes in parallel with steps 2–3. On hard reload (cold cache) it isn't done by the time the shell calls
pane.render. xlogin'sauthFetchsilently falls back to plainfetchwhenwindow.xlogin._typeis null (xlogin.js:637) → unsigned → 401.Proposed fix
Move the wait into
mashlib.js(the consumer that already injects xlogin and knows its lifecycle). LOSOS shell stays generic — zero auth-library awareness.window.xlogin.readyis the additive Promise added inmelvincarvalho/xlogin#14(live asxlogin@0.0.9). Resolves promptly for unauthenticated visitors (no session → no penalty).~6 lines added to
mashlib.js. Nolosos/changes.Out of scope
losos/html.jscache-validity fix — covered by PR Sync losos/html.js cache-validity fix from upstream (#15 / linkedobjects/losos#16) #4 /linkedobjects/losos#16._extIIFE-time capture,window.nostrunconditional overwrite) — separate, lower priority.Acceptance
losos/shell.jsis unchanged at the gh-pages level.