diff --git a/app/src/main/java/com/pinakes/app/data/network/NetworkModule.kt b/app/src/main/java/com/pinakes/app/data/network/NetworkModule.kt index d765f96..fe31609 100644 --- a/app/src/main/java/com/pinakes/app/data/network/NetworkModule.kt +++ b/app/src/main/java/com/pinakes/app/data/network/NetworkModule.kt @@ -28,7 +28,10 @@ class NetworkModule(private val session: SessionStore) { private val okHttpClient: OkHttpClient by lazy { val builder = OkHttpClient.Builder() - .addInterceptor(CleartextGuardInterceptor { session.allowInsecureHttp }) + // Also honour the transient onboarding opt-in: during discovery the instance isn't + // committed yet, so session.allowInsecureHttp is still false — pendingAllowInsecureHttp + // carries the toggle so the discovery probe to a plain-HTTP host isn't blocked. + .addInterceptor(CleartextGuardInterceptor { session.allowInsecureHttp || session.pendingAllowInsecureHttp }) .addInterceptor(AuthInterceptor(session)) .connectTimeout(20, TimeUnit.SECONDS) .readTimeout(30, TimeUnit.SECONDS) diff --git a/app/src/main/java/com/pinakes/app/data/repository/AuthRepository.kt b/app/src/main/java/com/pinakes/app/data/repository/AuthRepository.kt index e8c850b..c2f0aaa 100644 --- a/app/src/main/java/com/pinakes/app/data/repository/AuthRepository.kt +++ b/app/src/main/java/com/pinakes/app/data/repository/AuthRepository.kt @@ -30,6 +30,9 @@ class AuthRepository( * to continue based on [HealthPayload.appAccessEnabled] and the transport warning. */ suspend fun discover(rawInstanceUrl: String, allowInsecure: Boolean = false): ApiResult { + // Carry the onboarding toggle into the cleartext gate: the instance isn't committed + // yet, so the persisted flag is still false and would block a plain-HTTP probe. + session.pendingAllowInsecureHttp = allowInsecure val apiBaseUrl = NetworkModule.deriveApiBaseUrl(rawInstanceUrl, allowInsecure) val origin = NetworkModule.deriveOrigin(rawInstanceUrl, allowInsecure) val api = network.api(apiBaseUrl) diff --git a/app/src/main/java/com/pinakes/app/data/store/SessionStore.kt b/app/src/main/java/com/pinakes/app/data/store/SessionStore.kt index b7b8b3a..f73cb7a 100644 --- a/app/src/main/java/com/pinakes/app/data/store/SessionStore.kt +++ b/app/src/main/java/com/pinakes/app/data/store/SessionStore.kt @@ -48,6 +48,16 @@ class SessionStore(context: Context) { /** Whether the committed instance was accepted over insecure (plain HTTP) transport. */ val allowInsecureHttp: Boolean get() = prefs.getBoolean(KEY_ALLOW_INSECURE, false) + /** + * Transient "insecure HTTP allowed" flag for the ONBOARDING probe, before an instance is + * committed (so [allowInsecureHttp] isn't persisted yet). Set by AuthRepository.discover() + * from the onboarding toggle; read by the cleartext gate so the discovery request to a + * plain-HTTP host isn't blocked. In-memory only — a fresh process re-derives it from the + * next discover() call. The persisted flag takes over once the instance is committed. + */ + @Volatile + var pendingAllowInsecureHttp: Boolean = false + /** A stable per-install device id used in the login request. Generated once. */ val deviceId: String get() = prefs.getString(KEY_DEVICE_ID, null) ?: UUID.randomUUID().toString().also { @@ -88,6 +98,7 @@ class SessionStore(context: Context) { fun clearAll() { val savedDevice = deviceId prefs.edit().clear().putString(KEY_DEVICE_ID, savedDevice).apply() + pendingAllowInsecureHttp = false _authState.value = readAuthState() }