
[human-auth] iPhone Safari cannot render takeover stream/snapshot (no /takeover requests emitted) #59

@tsubasakong

Summary

In Human Auth portal, opening the auth link from Telegram on iPhone Safari does not render takeover screen content correctly (blue question-mark placeholder / blank), and tapping Refresh Snapshot has no visible effect.

Server-side logs show iPhone only requests the page itself (/human-auth/...) but does not call takeover endpoints (/takeover/snapshot, /takeover/stream, /takeover/action).

Environment

  • OpenPocket: 0.2.2
  • Gateway mode: node dist/cli.js gateway start
  • Device under control: Android Emulator emulator-5554
  • Human-auth public URL via ngrok
  • iPhone browser:
    • Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) ... Version/26.2 Mobile/15E148 Safari/604.1
    • Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) ... Version/26.2.1 Mobile/23C71 Safari/604.1

Reproduction

  1. Start gateway and let agent trigger an OAuth human-auth request (e.g. U-Haul login).
  2. Open the human-auth link from Telegram on iPhone, then “Open in Safari”.
  3. Observe takeover section status text (e.g. Preparing stream... / Remote takeover not started).
  4. Tap Open Live Stream and/or Refresh Snapshot.

Actual

  • On iPhone Safari, takeover image is not rendered (often blue question-mark placeholder).
  • Refresh Snapshot appears ineffective.
  • Access logs for request IDs show iPhone only hits:
    • GET /human-auth/<requestId>?token=... -> 200
  • No iPhone calls to:
    • /v1/human-auth/requests/<requestId>/takeover/snapshot
    • /v1/human-auth/requests/<requestId>/takeover/stream
    • /v1/human-auth/requests/<requestId>/takeover/action

Expected

  • iPhone Safari should at least fetch and render snapshot fallback.
  • Refresh Snapshot should trigger /takeover/snapshot and update image.
  • If stream cannot be rendered, UI should still show static/refreshing screenshots reliably.

Evidence

Request IDs observed

  • auth-1771998572060-7bae0081e0e6445b
  • auth-1771998863416-6004c48daf757361

Log pattern

  • iPhone Safari repeatedly:
    • GET /human-auth/auth-1771998863416-6004c48daf757361?... -> 200
  • But no iPhone /takeover/* records for the same request.

Control check (server is healthy)

Using the same request/token from desktop/Mac succeeds:

  • GET /takeover/snapshot -> 200
  • POST /takeover/action -> 200
  • GET /takeover/stream -> 200

So backend/takeover runtime is operational; failure is specific to iPhone Safari page behavior/path.

Impact

  • Human auth flow becomes effectively unusable for emulator-only sensitive steps on mobile Safari.
  • User cannot complete login/input tasks via takeover even though link opens.

Suspected Root Cause

  • iOS Safari + Telegram open flow may not execute portal takeover JS reliably (or uses stale/cached page variants).
  • The page can load, but takeover JS event path does not fire network requests.
  • Timeout windows (default 5 min for oauth) amplify the failure impact.

Suggested Fixes

  1. Add explicit non-JS fallback controls (plain links/forms) for snapshot/frame endpoint so screenshot can render without JS.
  2. Add visible takeover diagnostics in UI:
    • last snapshot request timestamp
    • last HTTP status/error
  3. Add proactive startup probe and error banner:
    • if no takeover request is sent within N seconds after tap, show actionable browser guidance.
  4. Consider extending OAuth human-auth timeout for mobile flows.

Acceptance Criteria

  • On iPhone Safari, opening a fresh auth link renders a takeover image within 2 seconds (stream or snapshot fallback).
  • Tapping Refresh Snapshot creates a corresponding /takeover/snapshot log entry from iPhone UA and updates image.
  • No blue-question-mark blank state persists without a clear on-screen error reason.
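
An added example, not part of the original issue or of OpenPocket's code: a Node.js triage script for the log pattern described under Evidence, flagging request/client pairs that loaded the `/human-auth/` page but never called a `/takeover/` endpoint. The one-line log format, the sample lines and the user-agent strings are constructed assumptions; the request IDs and paths are the ones quoted in the issue.

```javascript
// Added example. Log format (METHOD PATH STATUS "UA") is an assumption,
// not OpenPocket's real access-log format; sample lines are constructed.
const SAMPLE_LOG = [
  'GET /human-auth/auth-1771998863416-6004c48daf757361?token=REDACTED 200 "Mozilla/5.0 (iPhone; constructed UA) Safari/604.1"',
  'GET /human-auth/auth-1771998863416-6004c48daf757361?token=REDACTED 200 "Mozilla/5.0 (iPhone; constructed UA) Safari/604.1"',
  'GET /human-auth/auth-1771998863416-6004c48daf757361?token=REDACTED 200 "Mozilla/5.0 (Macintosh; constructed UA) Safari/605.1.15"',
  'GET /v1/human-auth/requests/auth-1771998863416-6004c48daf757361/takeover/snapshot 200 "Mozilla/5.0 (Macintosh; constructed UA) Safari/605.1.15"',
  'POST /v1/human-auth/requests/auth-1771998863416-6004c48daf757361/takeover/action 200 "Mozilla/5.0 (Macintosh; constructed UA) Safari/605.1.15"',
  'GET /human-auth/auth-1771998572060-7bae0081e0e6445b?token=REDACTED 200 "Mozilla/5.0 (iPhone; constructed UA) Safari/604.1"',
];

const LINE_RE = /^(GET|POST) (\S+) (\d{3}) "([^"]*)"$/;
const PAGE_RE = /^\/human-auth\/(auth-[0-9a-f-]+)(?:\?|$)/;
const TAKEOVER_RE = /^\/v1\/human-auth\/requests\/(auth-[0-9a-f-]+)\/takeover\/(?:snapshot|stream|action)(?:\?|$)/;

// Coarse client bucket from the User-Agent; enough to separate phone from desktop.
function clientFamily(ua) {
  if (/iPhone/.test(ua)) return 'iphone';
  if (/Macintosh/.test(ua)) return 'mac';
  return 'other';
}

// Returns request/client pairs that loaded the portal page but never hit /takeover/*.
function findSilentClients(lines) {
  const seen = new Map(); // "requestId|client" -> counters
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // ignore lines that do not match the assumed format
    const [, , path, , ua] = m;
    const page = PAGE_RE.exec(path);
    const takeover = TAKEOVER_RE.exec(path);
    if (!page && !takeover) continue;
    const requestId = (page || takeover)[1];
    const client = clientFamily(ua);
    const key = `${requestId}|${client}`;
    const entry = seen.get(key) || { requestId, client, pageLoads: 0, takeoverCalls: 0 };
    if (page) entry.pageLoads += 1;
    else entry.takeoverCalls += 1;
    seen.set(key, entry);
  }
  return [...seen.values()].filter((e) => e.pageLoads > 0 && e.takeoverCalls === 0);
}

for (const e of findSilentClients(SAMPLE_LOG)) {
  console.log(`${e.requestId} ${e.client}: ${e.pageLoads} page load(s), 0 takeover calls`);
}
```

Run against real gateway logs after adapting `LINE_RE`; an empty result for the iPhone client on a fresh request ID corresponds to the second acceptance criterion.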
