Fix template errors: Starlette new API + remove hx-headers escaping

- TemplateResponse now uses (request, name, context) signature for Starlette 0.36+
- Replace per-button hx-headers with global htmx:configRequest token injection in base.html
- Fix JS cookie regex to handle leading semicolons correctly

Tested: login, auth redirect, profile create/view/delete all return correct status codes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

manager/main.py

@@ -66,13 +66,13 @@ def _redirect_if_unauth(request: Request):
 
 @app.get("/login", response_class=HTMLResponse)
 async def login_page(request: Request):
-    return TEMPLATES.TemplateResponse("login.html", {"request": request})
+    return TEMPLATES.TemplateResponse(request, "login.html")
 
 
 @app.post("/login")
 async def login(request: Request, token: str = Form(...)):
     if token != AUTH_TOKEN:
-        return TEMPLATES.TemplateResponse("login.html", {"request": request, "error": "Invalid token"})
+        return TEMPLATES.TemplateResponse(request, "login.html", {"error": "Invalid token"})
     resp = RedirectResponse("/", status_code=303)
     resp.set_cookie("token", token, httponly=True, samesite="lax")
     return resp
@@ -95,8 +95,7 @@ async def index(request: Request):
     for p in all_profiles:
         p["running"] = pm.is_running(p["id"])
         p["config"] = json.loads(p.get("config") or "{}")
-    return TEMPLATES.TemplateResponse("index.html", {
-        "request": request,
+    return TEMPLATES.TemplateResponse(request, "index.html", {
         "profiles": all_profiles,
         "bot_types": pm.BOT_TYPES,
     })
@@ -115,8 +114,7 @@ async def profile_page(request: Request, profile_id: int):
     contacts = bot.contacts if bot else []
     groups = bot.groups if bot else []
     log_lines = bot.log_lines[-50:] if bot else []
-    return TEMPLATES.TemplateResponse("profile.html", {
-        "request": request,
+    return TEMPLATES.TemplateResponse(request, "profile.html", {
         "profile": profile,
         "contacts": contacts,
         "groups": groups,

manager/templates/base.html

@@ -5,6 +5,13 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>{% block title %}SimpleX Manager{% endblock %}</title>
   <script src="https://unpkg.com/htmx.org@1.9.12/dist/htmx.min.js"></script>
+  <script>
+    // Inject auth token into every HTMX request automatically
+    document.addEventListener('htmx:configRequest', function(evt) {
+      const m = document.cookie.match(/(?:^|;\s*)token=([^;]+)/);
+      if (m) evt.detail.headers['X-Token'] = m[1];
+    });
+  </script>
   <style>
     *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
 

manager/templates/index.html

@@ -28,12 +28,10 @@
         <a href="/profile/{{ p.id }}" class="btn btn-ghost" style="padding: 6px 14px; font-size: 13px;">View</a>
         <button class="btn btn-success" style="padding: 6px 14px; font-size: 13px;"
                 hx-post="/api/profiles/{{ p.id }}/start"
-                hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
                 hx-swap="none"
                 onclick="this.textContent='Starting…'">Start</button>
         <button class="btn btn-danger" style="padding: 6px 14px; font-size: 13px;"
                 hx-post="/api/profiles/{{ p.id }}/stop"
-                hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
                 hx-swap="none"
                 onclick="this.textContent='Stopping…'">Stop</button>
       </div>
@@ -95,9 +93,10 @@ document.getElementById('create-form').addEventListener('submit', async (e) => {
   const welcome = fd.get('welcome_message')
   if (welcome) config.welcome_message = welcome
 
+  const token = document.cookie.match(/(?:^|;\s*)token=([^;]+)/)?.[1] || ''
   const resp = await fetch('/api/profiles', {
     method: 'POST',
-    headers: {'Content-Type': 'application/json', 'X-Token': document.cookie.match(/token=([^;]+)/)?.[1] || ''},
+    headers: {'Content-Type': 'application/json', 'X-Token': token},
     body: JSON.stringify({name: fd.get('name'), bot_type: fd.get('bot_type'), config})
   })
   if (resp.ok) {

manager/templates/profile.html

@@ -24,13 +24,11 @@
     {% if profile.running %}
     <button class="btn btn-danger"
             hx-post="/api/profiles/{{ profile.id }}/stop"
-            hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
             hx-swap="none"
             hx-on::after-request="location.reload()">Stop</button>
     {% else %}
     <button class="btn btn-success"
             hx-post="/api/profiles/{{ profile.id }}/start"
-            hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
             hx-swap="none"
             hx-on::after-request="location.reload()">Start</button>
     {% endif %}
@@ -137,7 +135,6 @@
         <h2 style="margin:0;">Event Log</h2>
         <button class="btn btn-ghost" style="font-size:12px;padding:4px 10px;"
                 hx-get="/api/profiles/{{ profile.id }}/status"
-                hx-headers='{"X-Token": "{{ request.cookies.get(\"token\", \"\") }}"}'
                 hx-swap="none"
                 hx-on::after-request="refreshLog(event)">Refresh</button>
       </div>
@@ -153,9 +150,10 @@ document.getElementById('send-form').addEventListener('submit', async (e) => {
   const fd = new FormData(e.target)
   const result = document.getElementById('send-result')
   result.textContent = 'Sending…'
+  const token = document.cookie.match(/(?:^|;\s*)token=([^;]+)/)?.[1] || ''
   const resp = await fetch('/api/profiles/{{ profile.id }}/send', {
     method: 'POST',
-    headers: {'Content-Type': 'application/json', 'X-Token': document.cookie.match(/token=([^;]+)/)?.[1] || ''},
+    headers: {'Content-Type': 'application/json', 'X-Token': token},
     body: JSON.stringify({to: fd.get('to'), text: fd.get('text')})
   })
   const data = await resp.json()
@@ -174,9 +172,10 @@ function refreshLog(event) {
 
 function confirmDelete() {
   if (!confirm('Delete this profile? This cannot be undone.')) return
+  const token = document.cookie.match(/(?:^|;\s*)token=([^;]+)/)?.[1] || ''
   fetch('/api/profiles/{{ profile.id }}', {
     method: 'DELETE',
-    headers: {'X-Token': document.cookie.match(/token=([^;]+)/)?.[1] || ''}
+    headers: {'X-Token': token}
   }).then(() => location.href = '/')
 }