feat: update extension clients for PAT auth

2026-06-24 21:38:09 +02:00 · 2026-06-19 20:29:30 +05:30 · 2026-06-19 20:29:30 +05:30 · 8af4a3f9d5
commit 8af4a3f9d5
parent 1cc72a47be
5 changed files with 13 additions and 18 deletions
--- a/surfsense_browser_extension/routes/pages/ApiKeyForm.tsx
+++ b/surfsense_browser_extension/routes/pages/ApiKeyForm.tsx
@ -16,7 +16,7 @@ const ApiKeyForm = () => {

 	const validateForm = () => {
 		if (!apiKey) {
-			setError("API key is required");
+			setError("Personal access token is required");
 			return false;
 		}
 		setError("");
@ -39,11 +39,11 @@ const ApiKeyForm = () => {
 			setLoading(false);

 			if (response.ok) {
-				// Store the API key as the token
+				// Store the PAT as the bearer token for existing background handlers.
 				await storage.set("token", apiKey);
 				navigation("/");
 			} else {
-				setError("Invalid API key. Please check and try again.");
+				setError("Invalid personal access token. Please check and try again.");
 			}
 		} catch (error) {
 			setLoading(false);
@ -67,15 +67,15 @@ const ApiKeyForm = () => {

 				<div className="bg-gray-800/70 backdrop-blur-sm rounded-xl shadow-xl border border-gray-700 p-6">
 					<div className="space-y-6">
-						<h2 className="text-xl font-medium text-white">Enter your API Key</h2>
+						<h2 className="text-xl font-medium text-white">Enter your personal access token</h2>
 						<p className="text-gray-400 text-sm">
-							Your API key connects this extension to the SurfSense.
+							Your personal access token connects this extension to SurfSense.
 						</p>

 						<form onSubmit={handleSubmit} className="space-y-4">
 							<div className="space-y-2">
 								<label htmlFor="apiKey" className="text-sm font-medium text-gray-300">
-									API Key
+									Personal access token
 								</label>
 								<input
 									type="text"
@ -83,7 +83,7 @@ const ApiKeyForm = () => {
 									value={apiKey}
 									onChange={(e) => setApiKey(e.target.value)}
 									className="w-full px-3 py-2 bg-gray-900/50 border border-gray-700 rounded-md focus:outline-none focus:ring-2 focus:ring-teal-500 text-white placeholder:text-gray-500"
-									placeholder="Enter your API key"
+									placeholder="Enter your personal access token"
 								/>
 								{error && <p className="text-red-400 text-sm mt-1">{error}</p>}
 							</div>
@ -106,7 +106,7 @@ const ApiKeyForm = () => {

 						<div className="text-center mt-4">
 							<p className="text-sm text-gray-400">
-								Need an API key?{" "}
+								Need a personal access token?{" "}
 								<a
 									href="https://www.surfsense.com"
 									target="_blank"
--- a/surfsense_obsidian/README.md
+++ b/surfsense_obsidian/README.md
@ -51,7 +51,7 @@ Open **Settings → SurfSense** in Obsidian and fill in:
 | Setting | Value |
 | --- | --- |
 | Server URL | `https://surfsense.com` for SurfSense Cloud, or your self-hosted URL |
-| API token | Copy from the *Connectors → Obsidian* dialog in the SurfSense web app |
+| API token | Create a personal access token from the *Connectors → Obsidian* dialog or *User settings → API access* in the SurfSense web app |
 | Search space | Pick the search space this vault should sync into |
 | Vault name | Defaults to your Obsidian vault name; rename if you have multiple vaults |
 | Sync mode | *Auto* (recommended) or *Manual* |
@ -62,11 +62,6 @@ The connector row appears automatically inside SurfSense the first time the
 plugin successfully calls `/obsidian/connect`. You can manage or delete it
 from *Connectors → Obsidian* in the web app.

-> **Token lifetime.** The web app currently issues 24-hour JWTs. If you see
-> *"token expired"* in the plugin status bar, paste a fresh token from the
-> SurfSense web app. Long-lived personal access tokens are coming in a future
-> release.
-
 ## Mobile

 The plugin works on Obsidian for iOS and Android. Sync runs whenever the
--- a/surfsense_obsidian/src/api-client.ts
+++ b/surfsense_obsidian/src/api-client.ts
@ -22,11 +22,11 @@ import type {
 *
 * Auth + wire contract:
 *   - Every request carries `Authorization: Bearer <token>` only. No
- *     custom headers — the backend identifies the caller from the JWT
+ *     custom headers — the backend identifies the caller from the PAT
 *     and feature-detects the API via the `capabilities` array on
 *     `/health` and `/connect`.
 *   - 401 surfaces as `AuthError` so the orchestrator can show the
- *     "token expired, paste a fresh one" UX.
+ *     "token invalid or expired" UX.
 *   - HealthResponse / ConnectResponse use index signatures so any
 *     additive backend field (e.g. new capabilities) parses without
 *     breaking the decoder. This mirrors `ConfigDict(extra='ignore')`
--- a/surfsense_obsidian/src/main.ts
+++ b/surfsense_obsidian/src/main.ts
@ -248,7 +248,7 @@ export default class SurfSensePlugin extends Plugin {
 		const now = Date.now();
 		if (now - this.lastAuthToastAt < 10_000) return;
 		this.lastAuthToastAt = now;
-		new Notice("Surfsense: API token expired or invalid. Paste a fresh token in settings.", 8000);
+		new Notice("Surfsense: API token is invalid or expired. Check your token in settings.", 8000);
 	}

 	async loadSettings() {
--- a/surfsense_obsidian/src/settings.ts
+++ b/surfsense_obsidian/src/settings.ts
@ -67,7 +67,7 @@ export class SurfSenseSettingTab extends PluginSettingTab {
 		new Setting(containerEl)
 			.setName("API token")
 			.setDesc(
-				"Paste your Surfsense API token (expires after 24 hours; re-paste when you see an auth error).",
+				"Paste your Surfsense personal access token from the web app.",
 			)
 			.addText((text) => {
 				text.inputEl.type = "password";