From b1a98437e42464031b676b7e24178ca15cc4d62e Mon Sep 17 00:00:00 2001
From: Chenlei Hu
Date: Sun, 27 Apr 2025 22:04:19 -0400
Subject: [PATCH] [Auth] Warn insecure context on login (#3663)
Co-authored-by: github-actions
---
src/components/dialog/content/SignInContent.vue | 5 +++++
src/locales/en/main.json | 3 ++-
src/locales/es/main.json | 1 +
src/locales/fr/main.json | 1 +
src/locales/ja/main.json | 1 +
src/locales/ko/main.json | 1 +
src/locales/ru/main.json | 1 +
src/locales/zh/main.json | 1 +
src/scripts/app.ts | 7 -------
9 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/components/dialog/content/SignInContent.vue b/src/components/dialog/content/SignInContent.vue
index c993670cf..34abe80d8 100644
--- a/src/components/dialog/content/SignInContent.vue
+++ b/src/components/dialog/content/SignInContent.vue
@@ -17,6 +17,10 @@
+
+ {{ t('auth.login.insecureContextWarning') }}
+
+
@@ -106,6 +110,7 @@ const { onSuccess } = defineProps<{
const { t } = useI18n()
const authService = useFirebaseAuthService()
+const isSecureContext = window.isSecureContext
const isSignIn = ref(true)
const toggleState = () => {
isSignIn.value = !isSignIn.value
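Review bot: The `isSecureContext` constant added in this hunk only drives an advisory message inside the sign-in dialog, while the same commit deletes the guard in `src/scripts/app.ts` that cleared `comfyOrgAuthToken` when `!window.isSecureContext`. A user who is already signed in and later loads the app over plain HTTP would presumably never open this dialog, so they would get no warning while the ID token is still fetched in the queue path. Where that token is sent is outside the visible hunks, so this should be confirmed. If using the token on an insecure origin is intended, I would keep a one-time warning at the call site in `app.ts`, and document the new constant with a comment such as `// false on non-localhost HTTP; shows a warning only, login is not blocked`. The body of `toggleState` continues outside the hunk.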
diff --git a/src/locales/en/main.json b/src/locales/en/main.json
index ce38a0c48..8641d16d9 100644
--- a/src/locales/en/main.json
+++ b/src/locales/en/main.json
@@ -1113,7 +1113,8 @@
"andText": "and",
"privacyLink": "Privacy Policy",
"success": "Login successful",
- "failed": "Login failed"
+ "failed": "Login failed",
+ "insecureContextWarning": "This connection is insecure (HTTP) - your credentials may be intercepted by attackers if you proceed to login."
},
"signup": {
"title": "Create an account",
diff --git a/src/locales/es/main.json b/src/locales/es/main.json
index da75108c3..97721d7bd 100644
--- a/src/locales/es/main.json
+++ b/src/locales/es/main.json
@@ -18,6 +18,7 @@
"failed": "Inicio de sesión fallido",
"forgotPassword": "¿Olvidaste tu contraseña?",
"forgotPasswordError": "No se pudo enviar el correo electrónico para restablecer la contraseña",
+ "insecureContextWarning": "Esta conexión no es segura (HTTP): tus credenciales pueden ser interceptadas por atacantes si continúas con el inicio de sesión.",
"loginButton": "Iniciar sesión",
"loginWithGithub": "Iniciar sesión con Github",
"loginWithGoogle": "Iniciar sesión con Google",
diff --git a/src/locales/fr/main.json b/src/locales/fr/main.json
index e1c546fb3..86caf8faa 100644
--- a/src/locales/fr/main.json
+++ b/src/locales/fr/main.json
@@ -18,6 +18,7 @@
"failed": "Échec de la connexion",
"forgotPassword": "Mot de passe oublié?",
"forgotPasswordError": "Échec de l'envoi de l'e-mail de réinitialisation du mot de passe",
+ "insecureContextWarning": "Cette connexion n'est pas sécurisée (HTTP) - vos identifiants pourraient être interceptés par des attaquants si vous continuez à vous connecter.",
"loginButton": "Se connecter",
"loginWithGithub": "Se connecter avec Github",
"loginWithGoogle": "Se connecter avec Google",
diff --git a/src/locales/ja/main.json b/src/locales/ja/main.json
index e9aab053a..f29ccb338 100644
--- a/src/locales/ja/main.json
+++ b/src/locales/ja/main.json
@@ -18,6 +18,7 @@
"failed": "ログイン失敗",
"forgotPassword": "パスワードを忘れましたか?",
"forgotPasswordError": "パスワードリセット用メールの送信に失敗しました",
+ "insecureContextWarning": "この接続は安全ではありません(HTTP)- このままログインを続けると、認証情報が攻撃者に傍受される可能性があります。",
"loginButton": "ログイン",
"loginWithGithub": "Githubでログイン",
"loginWithGoogle": "Googleでログイン",
diff --git a/src/locales/ko/main.json b/src/locales/ko/main.json
index 8802d80cb..f5a5be1c9 100644
--- a/src/locales/ko/main.json
+++ b/src/locales/ko/main.json
@@ -18,6 +18,7 @@
"failed": "로그인 실패",
"forgotPassword": "비밀번호를 잊으셨나요?",
"forgotPasswordError": "비밀번호 재설정 이메일 전송에 실패했습니다",
+ "insecureContextWarning": "이 연결은 안전하지 않습니다(HTTP) - 로그인을 계속하면 자격 증명이 공격자에게 가로채질 수 있습니다.",
"loginButton": "로그인",
"loginWithGithub": "Github로 로그인",
"loginWithGoogle": "구글로 로그인",
diff --git a/src/locales/ru/main.json b/src/locales/ru/main.json
index e0953186d..4b48b2411 100644
--- a/src/locales/ru/main.json
+++ b/src/locales/ru/main.json
@@ -18,6 +18,7 @@
"failed": "Вход не удался",
"forgotPassword": "Забыли пароль?",
"forgotPasswordError": "Не удалось отправить письмо для сброса пароля",
+ "insecureContextWarning": "Это соединение небезопасно (HTTP) — ваши учетные данные могут быть перехвачены злоумышленниками, если вы продолжите вход.",
"loginButton": "Войти",
"loginWithGithub": "Войти через Github",
"loginWithGoogle": "Войти через Google",
diff --git a/src/locales/zh/main.json b/src/locales/zh/main.json
index 3815c989c..9bbc8caac 100644
--- a/src/locales/zh/main.json
+++ b/src/locales/zh/main.json
@@ -18,6 +18,7 @@
"failed": "登录失败",
"forgotPassword": "忘记密码?",
"forgotPasswordError": "发送重置密码邮件失败",
+ "insecureContextWarning": "此连接不安全(HTTP)—如果继续登录,您的凭据可能会被攻击者拦截。",
"loginButton": "登录",
"loginWithGithub": "使用Github登录",
"loginWithGoogle": "使用Google登录",
diff --git a/src/scripts/app.ts b/src/scripts/app.ts
index 26b9e41d1..9c67b181e 100644
--- a/src/scripts/app.ts
+++ b/src/scripts/app.ts
@@ -1190,13 +1190,6 @@ export class ComfyApp {
let comfyOrgAuthToken =
(await useFirebaseAuthStore().getIdToken()) ?? undefined
- // Check if we're in a secure context before using the auth token
- if (comfyOrgAuthToken && !window.isSecureContext) {
- comfyOrgAuthToken = undefined
- console.warn(
- 'Auth token not used: Not in a secure context. Authentication requires a secure connection.'
- )
- }
try {
while (this.#queueItems.length) {