
Collaborator

@deon-sanchez deon-sanchez commented Jan 26, 2026

Problem

When LANGFLOW_AUTO_LOGIN=false, clicking links that open in a new tab (e.g., MCP Server) would incorrectly show the login page even with a valid session. Refreshing the page would then correctly show authenticated content.

Root Cause

A race condition between auto-login validation and session validation:

  1. New tab opens → useGetAutoLogin and useGetAuthSession run in parallel
  2. useGetAutoLogin fails (expected when auto-login is disabled) and checks isAuthenticated from Zustand (defaults to false)
  3. Before useGetAuthSession can validate cookies and set isAuthenticated=true, the error handler navigates to /login

Changes

1. src/frontend/src/pages/AppInitPage/index.tsx

Added: isSessionReady check that delays rendering protected routes until session validation completes when auto-login is disabled.

Reasoning: Ensures ProtectedRoute doesn't make redirect decisions based on the default isAuthenticated=false state before session validation has a chance to confirm the user's actual authentication status.

2. src/frontend/src/controllers/API/queries/auth/use-get-autologin.ts

Removed: The manualLoginNotAuthenticated branch that navigated to /login and called mutationLogout().

Reasoning:

  • Stale state: It checked isAuthenticated which is false by default, before session validation could set it to true
  • Redundant: ProtectedRoute already handles authentication redirects—having this logic in two places created a race condition
  • Destructive: mutationLogout() was clearing valid session cookies before they could be validated
  • Safe to remove: ProtectedRoute (now with proper timing) is the single source of truth for auth redirects

Result

When LANGFLOW_AUTO_LOGIN=false:

  1. Auto-login fails → autoLogin=false
  2. App waits for useGetAuthSession to validate session
  3. Valid session → isAuthenticated=true → authenticated content renders
  4. Invalid session → isAuthenticated=false → ProtectedRoute redirects to login

Testing Strategy

Setup: Ensure .env has LANGFLOW_AUTO_LOGIN=false

Test 1: New Tab Authentication (the fix)

  1. Log in to Langflow
  2. Navigate to a flow → click Share → MCP Server
  3. Expected: New tab opens with MCP page, user remains authenticated
  4. Before fix: Login page would show

Test 2: Unauthenticated User Still Redirects

  1. Clear cookies/logout
  2. Navigate directly to /mcp/folder/{folderId}
  3. Expected: Redirects to login page with ?redirect= param

Test 3: Login Flow Still Works

  1. Clear cookies/logout
  2. Go to /login, enter credentials
  3. Expected: Successfully logs in and redirects to dashboard

Test 4: Session Expiry

  1. Log in, then manually delete the access token cookie
  2. Refresh the page
  3. Expected: Redirects to login

Test 5: Auto-Login Mode (regression check)

  1. Set LANGFLOW_AUTO_LOGIN=true in .env
  2. Restart backend
  3. Open app in new tab
  4. Expected: Auto-logs in without showing login page
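
The ordering problem described in this PR, as an added example that is not Langflow's code: a synchronous model that replays the two startup results in either arrival order and compares the removed redirect-in-error-handler branch with a single gated decision. `simulateInit`, `InitEvent`, `InitState` and `cookieCleared` are hypothetical names, and the `isSessionReady` expression is an assumption based on the description above.

```typescript
// Added illustration; simulateInit, InitEvent, InitState and cookieCleared are
// hypothetical names, not identifiers from the Langflow code base.
type InitEvent =
  | { kind: "autoLoginFailed" }
  | { kind: "sessionFetched"; cookieValid: boolean };

interface InitState {
  autoLogin: boolean | null; // null until the auto-login request settles
  isAuthenticated: boolean; // store default is false
  isSessionFetched: boolean;
  cookieCleared: boolean; // models the logout call wiping the session cookie
  route: "pending" | "login" | "content";
}

// Replays startup events in arrival order. gated=false models the removed
// branch in the auto-login error handler; gated=true models waiting for
// session validation before any redirect decision is made.
function simulateInit(events: InitEvent[], gated: boolean): InitState {
  const s: InitState = {
    autoLogin: null,
    isAuthenticated: false,
    isSessionFetched: false,
    cookieCleared: false,
    route: "pending",
  };
  for (const e of events) {
    if (e.kind === "autoLoginFailed") {
      s.autoLogin = false;
      // Pre-fix: decide from the store default and log out immediately.
      if (!gated && !s.isAuthenticated && s.route === "pending") {
        s.cookieCleared = true;
        s.route = "login";
      }
    } else {
      s.isSessionFetched = true;
      s.isAuthenticated = e.cookieValid && !s.cookieCleared;
    }
    // Single decision point (the ProtectedRoute role), reached only once
    // auto-login has settled and the session state is actually known.
    const isSessionReady = s.autoLogin === true || s.isSessionFetched;
    if (s.route === "pending" && s.autoLogin !== null && isSessionReady) {
      s.route = s.isAuthenticated ? "content" : "login";
    }
  }
  return s;
}
```

In the pre-fix model the outcome depends on which result arrives first, and the losing order also clears a valid cookie; the gated model gives the same route for both orders.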

@deon-sanchez deon-sanchez self-assigned this Jan 26, 2026
Contributor

coderabbitai bot commented Jan 26, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

These changes simplify authentication error handling by removing manual logout and redirect logic from the auto-login hook, while introducing session readiness state management to the app initialization page to better track overall application startup status.

Changes

Cohort: Auto-login error handling
File(s): src/frontend/src/controllers/API/queries/auth/use-get-autologin.ts
Summary: Removed navigation and logout-related imports and logic. Simplified handleAutoLoginError to remove manual login redirect/logout branch, retaining only autoLoginNotAuthenticated retry logic. Error handling now delegates to existing flows rather than performing explicit redirects.

Cohort: App initialization state management
File(s): src/frontend/src/pages/AppInitPage/index.tsx
Summary: Added useMemo hook and memoized readiness state derivation. Introduced autoLogin from auth store to compute isSessionReady. Extended useGetAuthSession to return isSessionFetched. Created isReady by combining isFetched, isExamplesFetched, and isSessionReady. Updated loading and outlet rendering logic to depend on isReady instead of individual fetch states.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 5
❌ Failed checks (1 error, 4 warnings)

  • Check: Test Coverage For New Implementations
    Status: ❌ Error
    Explanation: PR modifies critical authentication logic in use-get-autologin.ts and AppInitPage/index.tsx that fix a race condition causing unintended logouts, but includes no corresponding test files for regression prevention or verification.
    Resolution: Add test files (*.test.ts or *.test.tsx) for both modified components to verify auto-login error handling, race condition resolution, and session readiness state logic work correctly.

  • Check: Title check
    Status: ⚠️ Warning
    Explanation: The PR title references clicking an MCP Server button causing automatic logout, but the actual changes involve simplifying auto-login error handling and refining session initialization logic—not MCP Server button behavior.
    Resolution: Update the title to accurately reflect the primary changes, such as: 'fix: simplify auto-login error handling and improve session readiness logic' or 'fix: resolve race condition in auto-login flow'.

  • Check: Docstring Coverage
    Status: ⚠️ Warning
    Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
    Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

  • Check: Test Quality And Coverage
    Status: ⚠️ Warning
    Explanation: Pull request modifies critical authentication logic but lacks corresponding unit test coverage for use-get-autologin.ts hook and AppInitPage/index.tsx.
    Resolution: Create Jest unit test files for use-get-autologin.ts and AppInitPage/index.tsx following established codebase patterns, validating async behavior, retry logic, error handling, and race condition fix.

  • Check: Test File Naming And Structure
    Status: ⚠️ Warning
    Explanation: Pull request modifies critical authentication and session initialization files without corresponding test files, leaving retry logic, error handling, and race condition fixes untested.
    Resolution: Create test files at src/frontend/src/controllers/API/queries/auth/tests/use-get-autologin.test.ts and src/frontend/src/pages/AppInitPage/tests/index.test.tsx covering auto-login scenarios, retry logic, race conditions, and session state management.

✅ Passed checks (2 passed)

  • Check: Excessive Mock Usage Warning
    Status: ✅ Passed
    Explanation: The custom check regarding excessive mock usage in tests is not applicable to this PR as only source files were modified without any test file changes.

  • Check: Description Check
    Status: ✅ Passed
    Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.


@github-actions github-actions bot added the bug Something isn't working label Jan 26, 2026
Contributor

github-actions bot commented Jan 26, 2026

Frontend Unit Test Coverage Report

Coverage Summary

  • Lines: Coverage: 17%
  • Statements: 17.52% (5045/28790)
  • Branches: 10.97% (2432/22168)
  • Functions: 11.63% (733/6301)

Unit Test Results

  • Tests: 2084
  • Skipped: 0 💤
  • Failures: 0 ❌
  • Errors: 0 🔥
  • Time: 27.138s ⏱️


codecov bot commented Jan 26, 2026

Codecov Report

❌ Patch coverage is 0% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 34.84%. Comparing base (f0dec81) to head (1139ab7).

Files with missing lines Patch % Lines
src/frontend/src/pages/AppInitPage/index.tsx 0.00% 12 Missing ⚠️
.../controllers/API/queries/auth/use-get-autologin.ts 0.00% 1 Missing ⚠️

❌ Your patch check has failed because the patch coverage (0.00%) is below the target coverage (40.00%). You can increase the patch coverage or adjust the target coverage.
❌ Your project check has failed because the head coverage (41.55%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files


@@            Coverage Diff             @@
##             main   #11448      +/-   ##
==========================================
- Coverage   34.84%   34.84%   -0.01%     
==========================================
  Files        1420     1420              
  Lines       68188    68184       -4     
  Branches     9977     9976       -1     
==========================================
- Hits        23762    23757       -5     
- Misses      43202    43203       +1     
  Partials     1224     1224              
Flag Coverage Δ
frontend 16.04% <0.00%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
.../controllers/API/queries/auth/use-get-autologin.ts 16.32% <0.00%> (-0.07%) ⬇️
src/frontend/src/pages/AppInitPage/index.tsx 0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes


@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Jan 26, 2026
Member

@Cristhianzl Cristhianzl left a comment


lgtm

@github-actions github-actions bot added the lgtm This PR has been approved by a maintainer label Jan 26, 2026
@github-actions github-actions bot removed the bug Something isn't working label Jan 26, 2026
@github-actions github-actions bot added the bug Something isn't working label Jan 26, 2026
@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Jan 26, 2026

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer
