Skip to content

Cli web auth token#4456

Merged
DOsinga merged 3 commits intoblock:mainfrom
Evanfeenstra:cli-web-auth-token
Sep 29, 2025
Merged

Cli web auth token#4456
DOsinga merged 3 commits intoblock:mainfrom
Evanfeenstra:cli-web-auth-token

Conversation

@Evanfeenstra
Copy link
Contributor

@Evanfeenstra Evanfeenstra commented Aug 31, 2025

Pull Request Description

Adds an optional --auth-token option to the goose web cli. If defined, all the routes are protected (except the /api/health route).

The auth is implemented in two ways: basic auth for the goose-cli/static frontend, as well as a Authorization: Bearer xxx header, for api access to goose web.

This PR enables running goose web on a remote server, and accessing it securely via API

DOsinga
DOsinga approved these changes Sep 26, 2025
View reviewed changes
Copy link
Collaborator

@DOsinga DOsinga left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for doing this and sorry for the slow repsonse. in general our thinking is that we'll turn goosed into an api server for this sort of thing, but for now this should work well

@Evanfeenstra Evanfeenstra force-pushed the cli-web-auth-token branch 2 times, most recently from 927f0ac to 85d24a6 Compare September 26, 2025 19:42
@Evanfeenstra Evanfeenstra requested a review from a team as a code owner September 26, 2025 19:42
@Evanfeenstra
auth on goose web routes
dddc041 
Signed-off-by: Evanfeenstra <evanfeenstra@gmail.com>
@Evanfeenstra
fmt
5e7ea59 
Signed-off-by: Evanfeenstra <evanfeenstra@gmail.com>
@Evanfeenstra
simplify
77eb7f4 
Signed-off-by: Evanfeenstra <evanfeenstra@gmail.com>
@DOsinga DOsinga merged commit 41d32c0 into block:main Sep 29, 2025
10 checks passed
zanesq added a commit that referenced this pull request Sep 30, 2025
@zanesq
Merge branch 'main' of github.com:block/goose into zane/create-recipe…
20227e3 
…-unification

* 'main' of github.com:block/goose: (24 commits)
  feat(cli): add `path` & `limit` to `session list` command (#4878)
  Allow better concurrent access (#4896)
  fix: Windows prompt cursor positioning issue with ANSI escape sequences (#4464)
  Fix: LiteLLM API key field not showing in UI configuration (#4105)
  fix: path is duplicated on tool calls causing them to fail (#4658) (#4859)
  add new prompt to get all available tutorials (#4802)
  Add filtering for agentVisible: false messages on streaming providers (#4847)
  alexhancock/mcp-crate-cleanup (#4885)
  docs: rename sub-recipe to subrecipe (#4886)
  docs: new multi-model section with autopilot topic (#4864)
  make agent manager singleton (#4880)
  Cli web auth token (#4456)
  fix(token_counter): fix panic with GitHub Copilot (#4632)
  Revert "Internal MCP Crate Cleanup (#4800)" (#4883)
  remove 2 redundant comments and one that lies (#4866)
  Internal MCP Crate Cleanup (#4800)
  Fix #4612: Return non-zero exit code when CLI session ends with error (#4621)
  Dead code cleanup (#4873)
  fix: restoring test data and correcting name (#4875)
  Add .goosehints file to enforce lowercase branding in documentation (#4870)
  ...
matt-wirth added a commit to LiquidMetal-AI/goose that referenced this pull request Sep 30, 2025
@matt-wirth @angelahning
@emma-squared @katzdave @DOsinga @EbonyLouis @taniandjerry @angiejones @jamadeo @michaelneale @iandouglas @alexhancock @jsibbison-square @blackgirlbytes @jalateras @understood-the-assignment @Evanfeenstra @yingjiehe-xyz @dianed-square @AdemolaAri @demetrio108 @claude @thebristolsound @exitcode0 @GuiSim
MCP workaround (#1)
e6b522f 
* remove only-pr-labels (block#4842)

Signed-off-by: Angela Ning <aning@squareup.com>

* Docs: Add link to Plug & Play video for Reddit MCP (block#4852)

* Fix: Token count UI doesn't re-render if it's open. (block#4822)

* Update databricks flash model (block#4836)

* Session manager (block#4648)

Co-authored-by: Douwe Osinga <douwe@squareup.com>

* Add Hacktoberfest Guides (block#4830)

Co-authored-by: taniashiba <126204004+taniashiba@users.noreply.github.com>

* docs: goose x Hacktoberfest 2025 Blog (block#4855)

Co-authored-by: Tania Chakraborty <tchakraborty@block.xyz>
Co-authored-by: Angie Jones <jones.angie@gmail.com>

* fix: delete some flaky and not-useful tests (block#4861)

* can tell the system what shell it is using (block#4807)

* new subrecipe blog post banner (block#4862)

* docs: remove recipe generator link from next to extension search (block#4858)

* lowercase g in goose (block#4832)

* doc: file parameter recipe update (block#4594)

* Fiie input recipe ref doc (block#4869)

* Add .goosehints file to enforce lowercase branding in documentation (block#4870)

Co-authored-by: Angie Jones <jones.angie@gmail.com>

* fix: restoring test data and correcting name (block#4875)

* Dead code cleanup (block#4873)

Co-authored-by: Douwe Osinga <douwe@squareup.com>
Co-authored-by: Michael Neale <michael.neale@gmail.com>

* Fix block#4612: Return non-zero exit code when CLI session ends with error (block#4621)

Signed-off-by: jalateras <jima@comware.com.au>

* Internal MCP Crate Cleanup (block#4800)

* remove 2 redundant comments and one that lies (block#4866)

Co-authored-by: Douwe Osinga <douwe@squareup.com>

* Revert "Internal MCP Crate Cleanup (block#4800)" (block#4883)

* fix(token_counter): fix panic with GitHub Copilot (block#4632)

Signed-off-by: sings-to-bees-on-wednesdays <222684290+sings-to-bees-on-wednesdays@users.noreply.github.com>

main was broken. this seems important

* Cli web auth token (block#4456)

Signed-off-by: Evanfeenstra <evanfeenstra@gmail.com>

* make agent manager singleton (block#4880)

* docs: new multi-model section with autopilot topic (block#4864)

* docs: rename sub-recipe to subrecipe (block#4886)

* alexhancock/mcp-crate-cleanup (block#4885)

* Temporary workaround for mcp server

* Add filtering for agentVisible: false messages on streaming providers (block#4847)

* add new prompt to get all available tutorials (block#4802)

Signed-off-by: AdemolaAri <ademola.ari@gmail.com>

* Fix for auth in extension, fix for stale keychain

* fix: path is duplicated on tool calls causing them to fail (block#4658) (block#4859)

Signed-off-by: demetrio108 <demetrio108@protonmail.com>

* Fix: LiteLLM API key field not showing in UI configuration (block#4105)

Signed-off-by: jalateras <jima@comware.com.au>
Co-authored-by: Ebony Louis <55366651+EbonyLouis@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jack Amadeo <jackamadeo@squareup.com>

* fix: Windows prompt cursor positioning issue with ANSI escape sequences (block#4464)

Signed-off-by: Matt Donovan <mattddonovan@protonmail.com>
Co-authored-by: Matt Donovan <mattddonovan@protonmail.com>

* Allow better concurrent access (block#4896)

Co-authored-by: Douwe Osinga <douwe@squareup.com>

* feat(cli): add `path` & `limit` to `session list` command (block#4878)

* Added CMD+T keyboard shortcut that takes you to the Home tab (block#4541)

Signed-off-by: Guillaume Simard <2000390+GuiSim@users.noreply.github.com>

---------

Signed-off-by: Angela Ning <aning@squareup.com>
Signed-off-by: jalateras <jima@comware.com.au>
Signed-off-by: Evanfeenstra <evanfeenstra@gmail.com>
Signed-off-by: AdemolaAri <ademola.ari@gmail.com>
Signed-off-by: demetrio108 <demetrio108@protonmail.com>
Signed-off-by: Matt Donovan <mattddonovan@protonmail.com>
Signed-off-by: Guillaume Simard <2000390+GuiSim@users.noreply.github.com>
Co-authored-by: Angela Ning <32008323+angelahning@users.noreply.github.com>
Co-authored-by: Emma Youndtsmith <90283317+emma-squared@users.noreply.github.com>
Co-authored-by: David Katz <dkatz@squareup.com>
Co-authored-by: Douwe Osinga <douwe@block.xyz>
Co-authored-by: Douwe Osinga <douwe@squareup.com>
Co-authored-by: Ebony Louis <55366651+EbonyLouis@users.noreply.github.com>
Co-authored-by: taniashiba <126204004+taniashiba@users.noreply.github.com>
Co-authored-by: taniandjerry <126204004+taniandjerry@users.noreply.github.com>
Co-authored-by: Tania Chakraborty <tchakraborty@block.xyz>
Co-authored-by: Angie Jones <jones.angie@gmail.com>
Co-authored-by: Jack Amadeo <jackamadeo@block.xyz>
Co-authored-by: Michael Neale <michael.neale@gmail.com>
Co-authored-by: w. ian douglas <ian.douglas@iandouglas.com>
Co-authored-by: Alex Hancock <alexhancock@block.xyz>
Co-authored-by: Jarrod Sibbison <72240382+jsibbison-square@users.noreply.github.com>
Co-authored-by: Rizel Scarlett <rizel@squareup.com>
Co-authored-by: Jim Alateras <jima@comware.com.au>
Co-authored-by: sings-to-bees-on-wednesdays <222684290+sings-to-bees-on-wednesdays@users.noreply.github.com>
Co-authored-by: Evan Feenstra <evanfeenstra@gmail.com>
Co-authored-by: Yingjie He <yingjiehe@squareup.com>
Co-authored-by: dianed-square <73617011+dianed-square@users.noreply.github.com>
Co-authored-by: Ademola Arigbabuwo <49918815+AdemolaAri@users.noreply.github.com>
Co-authored-by: Demetrio ⚡️ <35406575+demetrio108@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jack Amadeo <jackamadeo@squareup.com>
Co-authored-by: Matt Donovan <mattddonovan@proton.me>
Co-authored-by: Matt Donovan <mattddonovan@protonmail.com>
Co-authored-by: Robert Mcgregor <38837341+exitcode0@users.noreply.github.com>
Co-authored-by: Guillaume Simard <2000390+GuiSim@users.noreply.github.com>
wpfleger96 added a commit to wpfleger96/goose that referenced this pull request Oct 1, 2025
@wpfleger96
Merge branch 'main' into wpfleger/restore-extensions-on-resume
9bacd60 
* main: (206 commits)
  Tiny: fix github casing  (block#4903)
  remove anyOf from create_task tool (block#4897)
  chore(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (block#4442)
  fix optional recipe schema zod validation (block#4900)
  Added CMD+T keyboard shortcut that takes you to the Home tab (block#4541)
  feat(cli): add `path` & `limit` to `session list` command (block#4878)
  Allow better concurrent access (block#4896)
  fix: Windows prompt cursor positioning issue with ANSI escape sequences (block#4464)
  Fix: LiteLLM API key field not showing in UI configuration (block#4105)
  fix: path is duplicated on tool calls causing them to fail (block#4658) (block#4859)
  add new prompt to get all available tutorials (block#4802)
  Add filtering for agentVisible: false messages on streaming providers (block#4847)
  alexhancock/mcp-crate-cleanup (block#4885)
  docs: rename sub-recipe to subrecipe (block#4886)
  docs: new multi-model section with autopilot topic (block#4864)
  make agent manager singleton (block#4880)
  Cli web auth token (block#4456)
  fix(token_counter): fix panic with GitHub Copilot (block#4632)
  Revert "Internal MCP Crate Cleanup (block#4800)" (block#4883)
  remove 2 redundant comments and one that lies (block#4866)
  ...
HikaruEgashira pushed a commit to HikaruEgashira/goose that referenced this pull request Oct 3, 2025
@Evanfeenstra @HikaruEgashira
Cli web auth token (block#4456)
bf0e6a3 
Signed-off-by: Evanfeenstra <evanfeenstra@gmail.com>
Signed-off-by: HikaruEgashira <hikaru-egashira@c-fo.com>
This was referenced Oct 8, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DOsinga DOsinga DOsinga approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Evanfeenstra @DOsinga