fix: CLI 윈도우 인증 토큰 전달 — 프론트 쿠키 → URL param → Rust session

SonAIengine · claude · SonAIengine · commit 1455c45de7bc · 2026-03-25T15:36:48.000+09:00
문제: CLI 별도 윈도우에서 메인 윈도우 쿠키 접근 불가 → XGEN API 401
해결:
- 사이드바 AI CLI 버튼: document.cookie에서 access_token 추출
- open_cli_window: token을 AppState에 저장 + URL query param으로 전달
- cli.html: URL param에서 token 읽기
- cli_send_message/cli_list_providers: session에 저장된 token fallback

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/patch-sidebar-cli.js b/scripts/patch-sidebar-cli.js
@@ -53,7 +53,13 @@ content = content.replace(
     const openCliWindow = async () => {
         try {
             const { invoke } = await import('@tauri-apps/api/core');
-            await invoke('open_cli_window');
+            // Pass auth token from cookie to CLI window
+            const getCookie = (name) => {
+                const match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
+                return match ? match[2] : null;
+            };
+            const token = getCookie('access_token') || undefined;
+            await invoke('open_cli_window', { xgenToken: token });
         } catch (e) {
             console.error('Failed to open CLI window:', e);
         }
diff --git a/src-cli/cli.html b/src-cli/cli.html
@@ -202,18 +202,10 @@
 let streamingText = '';
 let currentStreamEl = null;
 
-// Get auth token from main window via Tauri
-// We'll pass it from the cookie or localStorage
+// Get auth token from URL query param (passed by open_cli_window)
 function getToken() {
-  try {
-    // Try to get from cookie-like storage
-    const cookies = document.cookie.split(';').reduce((acc, c) => {
-      const [k, v] = c.trim().split('=');
-      acc[k] = v;
-      return acc;
-    }, {});
-    return cookies['access_token'] || null;
-  } catch { return null; }
+  const params = new URLSearchParams(window.location.search);
+  return params.get('token') || null;
 }
 
 // Load providers
diff --git a/src-tauri/src/commands/cli.rs b/src-tauri/src/commands/cli.rs
@@ -14,20 +14,36 @@ use crate::services::{LlmClient, XgenApiClient};
 use crate::services::llm_client::ChatMessage;
 use crate::state::AppState;
 
-/// Open AI CLI in a separate window
+/// Open AI CLI in a separate window with auth token
 #[tauri::command]
-pub async fn open_cli_window(app: AppHandle) -> Result<()> {
+pub async fn open_cli_window(
+    app: AppHandle,
+    state: tauri::State<'_, Arc<AppState>>,
+    xgen_token: Option<String>,
+) -> Result<()> {
+    // Store token in CLI session for later use
+    if let Some(token) = &xgen_token {
+        let mut session = state.cli_session.write().await;
+        session.xgen_token = Some(token.clone());
+    }
+
     // If window already exists, focus it
     if let Some(window) = app.get_webview_window("cli") {
         let _ = window.set_focus();
         return Ok(());
     }
 
-    // Create new CLI window
+    // Pass token as query param so cli.html can use it
+    let url = if let Some(token) = &xgen_token {
+        format!("cli.html?token={}", token)
+    } else {
+        "cli.html".to_string()
+    };
+
     let _window = WebviewWindowBuilder::new(
         &app,
         "cli",
-        tauri::WebviewUrl::App("cli.html".into()),
+        tauri::WebviewUrl::App(url.into()),
     )
     .title("XGEN AI CLI")
     .inner_size(700.0, 500.0)
@@ -72,8 +88,12 @@ pub async fn cli_send_message(
     let base_url = state.get_server_url().await
         .unwrap_or_else(|| "https://xgen.x2bee.com".to_string());
 
-    // Use token from frontend auth (passed from cookie)
-    let xgen_api = XgenApiClient::new(base_url, xgen_token);
+    // Use token: prefer passed token, fallback to session stored token
+    let token = xgen_token.or_else(|| {
+        let session = state.cli_session.try_read().ok();
+        session.and_then(|s| s.xgen_token.clone())
+    });
+    let xgen_api = XgenApiClient::new(base_url, token);
 
     // Create LLM client from XGEN backend config with optional provider/model
     let llm = LlmClient::from_xgen(
@@ -158,7 +178,11 @@ pub async fn cli_list_providers(
 ) -> Result<Value> {
     let base_url = state.get_server_url().await
         .unwrap_or_else(|| "https://xgen.x2bee.com".to_string());
-    let xgen_api = XgenApiClient::new(base_url, xgen_token);
+    let token = xgen_token.or_else(|| {
+        let session = state.cli_session.try_read().ok();
+        session.and_then(|s| s.xgen_token.clone())
+    });
+    let xgen_api = XgenApiClient::new(base_url, token);
     let providers = xgen_api.list_available_providers().await?;
     Ok(serde_json::to_value(providers).unwrap_or_default())
 }
diff --git a/src-tauri/src/state/app_state.rs b/src-tauri/src/state/app_state.rs
@@ -34,13 +34,15 @@ pub struct AppState {
 pub struct CliSession {
     pub session_id: String,
     pub messages: Vec<ChatMessage>,
+    pub xgen_token: Option<String>,
 }
 
 impl CliSession {
     pub fn new() -> Self {
         Self {
             session_id: uuid::Uuid::new_v4().to_string(),
             messages: Vec::new(),
+            xgen_token: None,
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -34,13 +34,15 @@ pub struct AppState {`
`34`	`34`	`pub struct CliSession {`
`35`	`35`	`pub session_id: String,`
`36`	`36`	`pub messages: Vec<ChatMessage>,`
	`37`	`+ pub xgen_token: Option<String>,`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`impl CliSession {`
`40`	`41`	`pub fn new() -> Self {`
`41`	`42`	`Self {`
`42`	`43`	`session_id: uuid::Uuid::new_v4().to_string(),`
`43`	`44`	`messages: Vec::new(),`
	`45`	`+ xgen_token: None,`
`44`	`46`	`}`
`45`	`47`	`}`
`46`	`48`