[PR #6540] [MERGED] Add session token authentication to API init() #25198

Closed
opened 2026-04-16 18:27:04 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/6540
Author: @BCNelson
Created: 1/4/2026
Status: Merged
Merged: 1/14/2026
Merged by: @matt-fidd

Base: masterHead: bcn/feat/api-session-login


📝 Commits (2)

  • 2ce2ec2 add session token authentication to API init()
  • 529650b add release notes for session token authentication

📊 Changes

2 files changed (+52 additions, -4 deletions)

View changed files

📝 packages/loot-core/src/server/main.ts (+46 -4)
upcoming-release-notes/6540.md (+6 -0)

📄 Description

Summary

  • Add sessionToken option to InitConfig for direct token-based authentication
  • Refactor InitConfig to use TypeScript union types that enforce exactly one auth method
  • Validate session tokens on init and throw clear errors for invalid/expired tokens

Usage

// Session token auth (new)
await api.init({
  serverURL: 'https://actual.example.com',
  sessionToken: 'my-session-token-uuid',
  dataDir: '/data'
});

// Password auth (existing - still works)
await api.init({
  serverURL: 'https://actual.example.com',
  password: 'mypassword',
  dataDir: '/data'
});

TypeScript will error if both password and sessionToken are provided.

Summary by CodeRabbit

  • Refactor

    • Unified initialization config to explicitly support server, session-token, password, and local-only modes.
    • init flow now derives runtime paths and modes from the new config shapes and preserves verbose/local behavior.
  • Bug Fixes

    • Improved authentication handling: validates session tokens at startup, clears invalid tokens, and falls back to password sign-in when appropriate; clearer errors for invalid/expired tokens and offline cases.

✏️ Tip: You can customize this high-level summary in your review settings.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/actualbudget/actual/pull/6540 **Author:** [@BCNelson](https://github.com/BCNelson) **Created:** 1/4/2026 **Status:** ✅ Merged **Merged:** 1/14/2026 **Merged by:** [@matt-fidd](https://github.com/matt-fidd) **Base:** `master` ← **Head:** `bcn/feat/api-session-login` --- ### 📝 Commits (2) - [`2ce2ec2`](https://github.com/actualbudget/actual/commit/2ce2ec2e11083cad6c8ea3a8a9135704a8d90c3e) add session token authentication to API init() - [`529650b`](https://github.com/actualbudget/actual/commit/529650b5fab67afd74e81b60ca3b292a84b84dc5) add release notes for session token authentication ### 📊 Changes **2 files changed** (+52 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `packages/loot-core/src/server/main.ts` (+46 -4) ➕ `upcoming-release-notes/6540.md` (+6 -0) </details> ### 📄 Description ## Summary - Add `sessionToken` option to `InitConfig` for direct token-based authentication - Refactor `InitConfig` to use TypeScript union types that enforce exactly one auth method - Validate session tokens on init and throw clear errors for invalid/expired tokens ## Usage ```typescript // Session token auth (new) await api.init({ serverURL: 'https://actual.example.com', sessionToken: 'my-session-token-uuid', dataDir: '/data' }); // Password auth (existing - still works) await api.init({ serverURL: 'https://actual.example.com', password: 'mypassword', dataDir: '/data' }); ``` TypeScript will error if both `password` and `sessionToken` are provided. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Unified initialization config to explicitly support server, session-token, password, and local-only modes. * init flow now derives runtime paths and modes from the new config shapes and preserves verbose/local behavior. * **Bug Fixes** * Improved authentication handling: validates session tokens at startup, clears invalid tokens, and falls back to password sign-in when appropriate; clearer errors for invalid/expired tokens and offline cases. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-16 18:27:04 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#25198