# Token Extraction from Basic-Auth Protected Dashboard

When Hermes dashboard runs with `auth_providers: ["basic"]` and `auth_required: true`,
the SPA redirects `/` to `/login`, so the inline `__HERMES_SESSION_TOKEN__` is not
available in the HTML. Extract it via the password-login API instead.

## Prerequisites

- Dashboard running on the host (e.g. `:9119`)
- `HERMES_DASHBOARD_BASIC_AUTH_USERNAME` and `HERMES_DASHBOARD_BASIC_AUTH_PASSWORD` set in `~/.hermes/.env`
- `curl` and `python3` on the host

## Step-by-Step

```bash
# 1. Get credentials
USERNAME=$(grep "BASIC_AUTH_USERNAME" ~/.hermes/.env | cut -d= -f2)
PASSWORD=*** "BASIC_AUTH_PASSWORD" ~/.hermes/.env | cut -d= -f2)

# 2. Login — the "provider": "basic" field is REQUIRED
#    Without it the endpoint returns:
#    {"detail":[{"type":"missing","loc":["body","provider"],"msg":"Field required"}]}
curl -s -c /tmp/dash_cookies.txt \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$USERNAME\",\"password\":\"$PASSWORD\",\"provider\":\"basic\"}" \
  http://127.0.0.1:9119/auth/password-login
# Expected: {"ok":true,"next":"/"}

# 3. Extract the access token from the cookie jar
python3 << 'PYEOF'
import http.cookiejar
cj = http.cookiejar.MozillaCookieJar()
cj.load("/tmp/dash_cookies.txt")
for c in cj:
    if "session_at" in c.name:
        print("TOKEN:" + c.value + ":END")
PYEOF
```

## Cookie Format

The `hermes_session_at` cookie is HttpOnly, set on login with a 24-hour TTL.
Format: `base64url(JSON Web Token)`, ~114 characters, starts with `eyJ`.

Two cookies are set:
- `hermes_session_at` — access token (used for WebSocket auth)
- `hermes_session_rt` — refresh token (not needed for desktop)

## Writing to Desktop Connection File (fish-safe)

When the client machine uses `fish` shell (CachyOS/Arch), heredocs fail.
Use base64 piping via SSH:

```bash
# Build config JSON
CONFIG=$(python3 -c "
import json
config = {'mode': 'remote', 'remote': {
    'url': 'http://192.168.1.50:9119',
    'authMode': 'token',
    'token': {'encoding': 'plain', 'value': '$TOKEN'}
}, 'profiles': {}}
import sys, base64
sys.stdout.write(base64.b64encode(json.dumps(config).encode()).decode())
")

# Write to client
echo "$CONFIG" | ssh user@192.168.1.111 "base64 -d > /home/user/.config/Hermes/connection.json && echo OK"
```

## Verification

```bash
ssh user@192.168.1.111 "python3 -c '
import json
d = json.load(open(\"/home/user/.config/Hermes/connection.json\"))
print(\"authMode:\", d[\"remote\"][\"authMode\"])
print(\"token_len:\", len(d[\"remote\"][\"token\"][\"value\"]))
'"
```

Expected: `authMode: token` and `token_len: 114` (or similar JWT length).
