Don't redirect non-auth-host /auth/ to auth site but show basic info on current host, and allow logging out. Adds a new host app for this purpose.

passkey/fastapi/auth_host.py

@@ -8,7 +8,15 @@ from passkey.util import hostutil, passphrase
 
 def is_ui_path(path: str) -> bool:
     """Check if the path is a UI endpoint."""
-    ui_paths = {"/", "/admin", "/admin/", "/auth/", "/auth/admin", "/auth/admin/"}
+    ui_paths = {
+        "/",
+        "/admin",
+        "/admin/",
+        "/auth",
+        "/auth/",
+        "/auth/admin",
+        "/auth/admin/",
+    }
     if path in ui_paths:
         return True
     # Treat reset token pages as UI (dynamic). Accept single-segment tokens.
@@ -30,6 +38,8 @@ def is_restricted_path(path: str) -> bool:
 
 def should_redirect_to_auth_host(path: str) -> bool:
     """Determine if the request should be redirected to the auth host."""
+    if path in {"/", "/auth", "/auth/"}:
+        return False
     return is_ui_path(path) or is_restricted_path(path)
 
 
@@ -47,7 +57,7 @@ def should_redirect_auth_path_to_root(path: str) -> bool:
     """Check if /auth/ UI path should be redirected to root on auth host."""
     if not path.startswith("/auth/"):
         return False
-    ui_paths = {"/auth/", "/auth/admin", "/auth/admin/"}
+    ui_paths = {"/auth", "/auth/", "/auth/admin", "/auth/admin/"}
     if path in ui_paths:
         return True
     # Check for reset token

passkey/fastapi/mainapp.py

@@ -76,6 +76,12 @@ async def frontapp(
 
     try:
         await get_session(auth, host=request.headers.get("host"))
+        cfg_host = hostutil.configured_auth_host()
+        if cfg_host:
+            cur_host = hostutil.normalize_host(request.headers.get("host"))
+            cfg_normalized = hostutil.normalize_host(cfg_host)
+            if cur_host and cfg_normalized and cur_host != cfg_normalized:
+                return FileResponse(frontend.file("host", "index.html"))
         return FileResponse(frontend.file("index.html"))
     except Exception:
         if auth: