Summary
The shipped frontend attempts to resolve logged-in identity and logout behavior through /api/username and /logout, but neither backend entrypoint implements those routes.
Evidence
- https://github.com/h9zdev/WireTapper/blob/main/templates/wifi-search.html#L1326-L1365 fetches /api/username and conditionally renders authenticated UI state from the response.
- The same block constructs a logout link to /logout at https://github.com/h9zdev/WireTapper/blob/main/templates/wifi-search.html#L1343-L1345.
- No matching route definitions for /api/username or /logout exist in the backend entrypoints; the route inventory in app.py and app-env.py contains no such handlers.
Why this matters
- The UI advertises an authenticated identity model that the backend does not actually implement.
- Operators and users receive false state cues, such as Online / Guest transitions driven by failed fetches rather than real auth state.
- Dead identity flows make the interface look functional while masking the absence of an actual trust boundary.
Attack or failure scenario
A user opens the app and sees identity or logout affordances that imply a session model exists. The backend has no corresponding handlers, so the fetch to /api/username fails, the UI silently falls back to guest state, and the displayed auth posture diverges from reality. Clicking the logout link likewise targets a route that does not exist, so the affordance terminates nothing on the server.
Root cause
Frontend capability was mocked into the template without shipping the corresponding backend contract.
Recommended fix
- Remove the fake identity/logout workflow until a real session layer exists.
- If authentication is intended, implement backend handlers and server-side session enforcement before exposing identity state in the UI.
- Add end-to-end checks that fail when frontend routes reference missing backend endpoints.
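As an added example (not part of the WireTapper project and not code from the issue), the following stdlib-only Python script implements the route-parity check recommended above. It assumes the backend entrypoints are Flask-style modules that register handlers with `@app.route('/path', ...)` decorators (an assumption; the issue does not name the framework), and it runs on constructed sample inputs modelled on the identity/logout block rather than on the real template.

```python
"""Route-parity check: flag template endpoints with no backend handler.

Example added to illustrate the recommended regression check; it is not the
project's own tooling. Assumptions: backend routes are declared with
``@<something>.route('/literal/path', ...)`` decorators, and the template
references same-origin endpoints via ``fetch('/path')`` or ``href="/path"``.
"""
import ast
import re
import sys

# Constructed sample inputs (not the real repository files). The template
# fragment mirrors the behaviour the issue describes: a fetch to /api/username
# that falls back to a Guest label, plus a logout link. The backend defines
# only an index and a search route.
SAMPLE_TEMPLATE = """
<script>
  fetch('/api/username')
    .then(r => r.json())
    .then(d => { document.getElementById('user').textContent = d.username; })
    .catch(() => { document.getElementById('user').textContent = 'Guest'; });
</script>
<a id="logout" href="/logout">Log out</a>
<a href="/wifi-search">Search</a>
"""

SAMPLE_BACKEND = """
from flask import Flask
app = Flask(__name__)

@app.route('/')
def index():
    return 'ok'

@app.route('/wifi-search', methods=['GET'])
def wifi_search():
    return 'search'
"""

# Literal same-origin paths only: must start with a single '/', so
# protocol-relative URLs (//cdn...) and absolute URLs are ignored.
FETCH_RE = re.compile(r"""fetch\(\s*['"](/(?!/)[^'"?#]*)""")
HREF_RE = re.compile(r"""href\s*=\s*['"](/(?!/)[^'"?#]*)""")


def template_endpoints(src: str) -> set[str]:
    """Paths the template calls via fetch() or links to via href."""
    return set(FETCH_RE.findall(src)) | set(HREF_RE.findall(src))


def backend_routes(src: str) -> set[str]:
    """Paths declared by @x.route('/path', ...) decorators, found via the AST
    rather than regex so multi-line decorators and keyword args are handled."""
    routes: set[str] = set()
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            if (isinstance(dec, ast.Call)
                    and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr == "route"
                    and dec.args
                    and isinstance(dec.args[0], ast.Constant)
                    and isinstance(dec.args[0].value, str)):
                routes.add(dec.args[0].value)
    return routes


def missing_routes(template_src: str, backend_srcs: list[str]) -> set[str]:
    """Endpoints the template references that no backend module defines."""
    defined: set[str] = set()
    for src in backend_srcs:
        defined |= backend_routes(src)
    return template_endpoints(template_src) - defined


def main(argv: list[str]) -> int:
    """Usage: route_parity.py TEMPLATE BACKEND.py [BACKEND2.py ...]
    Exits non-zero (CI failure) when the template references missing routes."""
    if len(argv) < 3:
        missing = missing_routes(SAMPLE_TEMPLATE, [SAMPLE_BACKEND])
    else:
        with open(argv[1], encoding="utf-8") as f:
            template = f.read()
        backends = []
        for path in argv[2:]:
            with open(path, encoding="utf-8") as f:
                backends.append(f.read())
        missing = missing_routes(template, backends)
    for path in sorted(missing):
        print(f"MISSING backend handler for template endpoint: {path}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it checks the constructed sample and reports /api/username and /logout as missing; pointed at templates/wifi-search.html plus app.py and app-env.py it reports parity for the real files. Caveats: only literal paths are compared, so routes with converters such as `/user/<name>`, Blueprint URL prefixes, and paths built dynamically in JavaScript need separate handling.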
Acceptance criteria
- The UI no longer references the nonexistent /api/username or /logout routes.
- Identity state reflects a real backend contract, not failed fetch fallback behavior.
- Regression checks cover frontend/backend route parity.
Suggested labels
- bug
- architecture
- production-readiness
- technical-debt
Priority
P1 (High)
Severity
High — the shipped UI claims an auth workflow that does not exist, creating false trust-boundary signals.
Confidence
Confirmed — the frontend references are explicit and the backend route inventory lacks matching handlers.