Support chunked OpenHands session cookies

[ak684]

Summary

• Reassemble chunked OpenHands session cookies (keycloak_auth, keycloak_auth_1, ...) before validating UI requests against /api/v1/users/me
• Keep API-key and X-Session-API-Key auth behavior unchanged
• Add unit coverage for chunked cookie auth forwarding

Validation

• uv run ruff check openhands/automation/auth.py tests/test_auth.py
• uv run pytest tests/test_auth.py -k 'not AuthIntegration' (42 passed, 4 deselected; the full file still requires local Docker/Testcontainers)
• Human tested the changes on R01 OHE: before the patch, /automations/ loaded but /api/automation/v1?limit=50&offset=0 returned 401 {"detail":"Invalid or expired session cookie"} with chunked browser cookies. After applying the patched auth file as a temporary ConfigMap overlay, the same BBDC login and /automations/ UI flow returned 200 {"automations":[],"total":0} and rendered the real empty Automations state.

[github-actions]

🚀 Deploy Preview PR Created/Updated

A deploy preview has been created/updated for this PR.

Deploy PR: https://github.com/OpenHands/deploy/pull/4406
Automation SHA: 03a3c12aaf0a57c74e4d7ea444da37d412302457
Last updated: May 23, 2026, 07:40:55 AM ET

Once the deploy PR's CI passes, the automation service will be deployed to the feature environment.

[all-hands-bot]

🟡 Acceptable - Clean implementation that solves a real problem (cookie size limits). The code is backward compatible, well-tested, and ready to merge with one minor documentation suggestion.

[IMPROVEMENT OPPORTUNITIES]

• Add rationale for the MAX_SESSION_COOKIE_CHUNKS=8 limit

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟡 MEDIUM
  This change touches authentication logic (high-impact area), but the implementation is simple, backward compatible, and well-tested. The chunking pattern matches standard browser cookie size workarounds (browsers typically have 4KB/cookie limits). No breaking changes detected.

VERDICT:
✅ Worth merging: Solves a real problem (large JWT tokens exceeding cookie size limits) with a clean, backward-compatible approach.

KEY INSIGHT:
The implementation correctly assumes contiguous chunks (stops at first None), which aligns with deterministic cookie chunking behavior. This is simpler and more pragmatic than handling sparse chunk arrays.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/automation/actions/runs/26331465699

[all-hands-bot]

🟡 Suggestion: Add a comment explaining the rationale for 8 chunks. For example:

Suggested change

	MAX_SESSION_COOKIE_CHUNKS = 8
	# Max 8 chunks (8 × 4KB browser limit = 32KB) handles even large JWT tokens
	MAX_SESSION_COOKIE_CHUNKS = 8

This helps future maintainers understand whether the limit is based on testing, browser constraints, or other factors.

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
__init__.py	1	0	100%
app.py	151	83	45%	41, 44, 47, 53, 55, 58, 61–64, 67, 72–74, 76, 81–82, 84, 86–88, 90, 94, 96–97, 99–100, 103–109, 112–113, 116, 123–124, 127–128, 132, 140–141, 144, 151–152, 154, 157–158, 161, 166–174, 176–178, 284–286, 291–292, 294–295, 297, 300–302, 304–305, 307–308, 313–314, 318, 321, 323
auth.py	160	7	95%	88, 116, 125, 162, 335, 343–344
config.py	158	0	100%
constants.py	17	0	100%
db.py	67	29	56%	60, 74–75, 78–80, 82, 89, 92–93, 96, 104, 111, 144, 147–148, 152–153, 161, 169, 174, 201, 204–210
dispatcher.py	186	45	75%	70, 82, 84–85, 137, 199–202, 237, 240, 255–256, 262–264, 281–282, 288–292, 295–297, 307, 373–374, 399–406, 426, 441–442, 456–457, 466–467, 469
event_router.py	59	19	67%	83, 88, 119–121, 137–138, 156, 158, 160–161, 163, 173, 179–181, 184, 186, 188
exceptions.py	4	0	100%
execution.py	220	133	39%	39–41, 76–79, 87–91, 93, 101–103, 108–112, 114, 128–131, 133, 135, 137–140, 142–147, 149, 151–158, 160–161, 163, 199–201, 207–209, 220–223, 229–231, 271–275, 284, 292, 296, 298–299, 304–305, 310, 388–389, 473–475, 477–483, 486–487, 489, 491–493, 496, 499, 502–505, 507, 510–511, 514–516, 520–521, 525–528, 530, 538–539, 543–545, 547–553, 557, 559, 568–570, 572–574
filter_eval.py	50	2	96%	161–162
logger.py	55	17	69%	37, 50–51, 53–59, 74, 77, 101, 103–106
models.py	81	0	100%
preset_router.py	190	56	70%	143–145, 255–256, 261–268, 273, 276, 278–279, 291–294, 296–300, 305, 314, 386–388, 501–502, 507–514, 519, 522, 524–525, 537–540, 542–546, 551, 561
router.py	142	77	45%	92–93, 113, 115, 118, 120, 134, 147, 149–150, 152–153, 155–156, 159–161, 172–174, 194–196, 202–204, 208–209, 228–229, 231, 234, 259–262, 281, 284, 287, 294, 296, 330–332, 335–337, 341–342, 347, 351–354, 356, 364, 366–367, 372–373, 376, 378, 380–382, 385–388, 393, 395–396, 405, 426–428, 432
scheduler.py	60	9	85%	134–135, 172–173, 188–189, 199–200, 202
schemas.py	270	17	93%	32, 166, 172–174, 233–235, 237, 342–343, 346, 351, 356, 500, 508, 515
trigger_matcher.py	28	3	89%	72–74
uploads.py	107	59	44%	142–145, 153–155, 161–162, 165, 174–175, 178–179, 187–188, 190–193, 196–199, 201, 203–205, 207–210, 212–213, 215, 230, 236–237, 240, 243, 246, 249, 251, 264–265, 279, 282–284, 286–287, 289, 295–296, 309, 317–319, 323
watchdog.py	98	45	54%	55–57, 69–70, 162–163, 204–205, 207, 209, 218, 220–222, 224, 231–233, 235–237, 239–240, 242, 257, 259, 264–267, 269–274, 276–282, 284
webhook_router.py	80	48	40%	57, 82–83, 107–108, 110, 113–114, 116, 126, 128–132, 137, 139, 151, 154, 157, 164–165, 167, 180, 182–183, 188, 204, 206–207, 213–215, 217–218, 220, 235, 237–238, 243–244, 261, 263–264, 270–271, 273, 275
backends
__init__.py	13	0	100%
base.py	29	0	100%
cloud.py	130	62	52%	43–45, 50–52, 103, 116–118, 131–135, 142–143, 145, 147, 159–160, 229–230, 232–233, 235–238, 240–245, 247–255, 257–258, 260, 267–269, 272–273, 275, 282–284, 289–293, 295
local.py	43	0	100%
event_schemas
__init__.py	33	1	96%	53
bitbucket_data_center.py	16	0	100%
custom.py	33	5	84%	52–53, 64–66
detection.py	32	0	100%
github.py	125	4	96%	306, 311, 456, 483
jira_dc.py	16	0	100%
presets
__init__.py	0	0	100%
storage
__init__.py	6	0	100%
factory.py	15	1	93%	36
file_store.py	22	5	77%	21, 30, 35, 40, 64
google_cloud.py	72	11	84%	49, 97–102, 136–137, 190, 192
local.py	68	0	100%
s3.py	112	15	86%	56, 100, 102–103, 107, 109, 190, 213–215, 269–270, 275, 337–338
utils
__init__.py	5	0	100%
agent_server.py	53	0	100%
api_key.py	32	24	25%	40–41, 46–48, 50, 55, 60, 62–65, 67–68, 70–71, 73, 79, 81–82, 89, 91–92, 98
cron.py	45	6	86%	39, 45, 74, 80, 123, 140
log_context.py	10	0	100%
model_profiles.py	11	0	100%
run.py	84	14	83%	74–76, 183–184, 200–202, 207–209, 256, 262–263
sandbox.py	71	61	14%	49–50, 55–58, 60–62, 64–70, 80–81, 86–92, 115–116, 118–122, 124–128, 159–160, 162, 164–167, 172–173, 176, 180–181, 187–189, 194–196, 201–202, 210–212, 214
tarball_validation.py	48	0	100%
time.py	3	0	100%
webhook.py	57	9	84%	49, 54, 122, 132–134, 140, 203–204
TOTAL	3368	867	74%

[all-hands-bot]

🟢 Good taste - Clean, backward-compatible implementation that solves a real problem. The chunking logic is straightforward and the existing unresolved thread covers the one remaining documentation gap.

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟡 MEDIUM
  This change touches authentication logic (high-impact area), but the implementation is simple, backward compatible, and well-tested. The chunking pattern correctly handles missing intermediate chunks by breaking early. Human-tested on R01 OHE confirms real-world functionality.

VERDICT:
✅ Worth merging: Implementation is correct and handles edge cases properly. Address the documentation comment from the previous review thread.

KEY INSIGHT:
The sequential chunk reading with early break elegantly handles both complete and partial chunk sequences without special cases.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/automation/actions/runs/26331671999

[all-hands-bot]

🟡 Suggestion: The previous review thread requesting a comment explaining the 8-chunk limit is still unresolved. Add a brief rationale:

Suggested change

	MAX_SESSION_COOKIE_CHUNKS = 8
	# Max 8 chunks (8 × 4KB browser limit = 32KB) handles even large JWT tokens
	MAX_SESSION_COOKIE_CHUNKS = 8

[all-hands-bot]

🟡 Suggestion: Consider adding edge case tests for:

• Single non-chunked cookie (already covered by test_authenticate_valid_cookie, but worth verifying explicitly)
• Maximum chunks (8 chunks)
• Missing intermediate chunk (e.g., keycloak_auth, keycloak_auth_2 without keycloak_auth_1 - should only read the base cookie)

Not blocking, but would strengthen confidence in the implementation.

[all-hands-bot]

🟢 Good taste - Clean, backward-compatible implementation that solves a real cookie-size problem.

Note: The unresolved threads requesting a comment about the 8-chunk limit (lines 40, 42) are actually already addressed in the current code - the explanatory comment is present at lines 40-42.

[RISK ASSESSMENT]

• [Overall PR] ⚠️ Risk Assessment: 🟡 MEDIUM

This change touches authentication logic (high-impact area), but the implementation is simple, well-tested, and backward compatible. The chunking logic correctly handles missing chunks by breaking early. Human testing on R01 OHE confirms it resolves the authentication issue with large session tokens.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/automation/actions/runs/26331952725