How this works
This service books your SATS classes automatically the moment the 7-day booking window opens. It only ever books; you cancel or unbook directly in the official SATS app.
One-time setup
- Log in. Use the app-level email and password your admin
created with
python run.py adduser <email>. This is separate from your SATS credentials. - Link SATS. On Account enter your SATS email and password once. The server exchanges them for a refresh token, stores only that encrypted, and discards the password.
- (Optional) Link Telegram. Generate a 6-digit pairing code
on Account, send
/link <code>to the bot. Without Telegram, notifications fall back to email if SMTP is configured.
Adding classes to auto-booking
- Go to Browse.
- Pick a Göteborg club and a date.
- Click Add to auto-booking on any class. That class's weekday and time become a recurring rule, starting from the date you picked.
- To stop auto-booking a class, click Remove from list on its Browse row or Remove on Rules. This never cancels a booking that already happened — go to the official SATS app for that.
FAQ
- Do you keep my SATS password?
- No. It's used once to obtain an OIDC refresh token (valid ~42 days and rotated on every use). If the refresh token expires or SATS revokes it, you'll get a "SATS re-link required" notification and need to re-enter the password once. For the intervening weeks the server has no access to your password.
- What if I book the class manually before your app does?
- Before every booking attempt the scheduler asks SATS for your current bookings and skips anything you've already booked. If a race still happens, SATS rejects the duplicate and the scheduler records it as booked — no harm done.
- What if I unbook a class in the SATS app after it's been booked?
- Nothing. The scheduler records each booking once and never retries it. Next week's class has a different id and will be booked normally according to the rule.
- How do I cancel a booked class?
- In the official SATS app. This service never unbooks. You'll get a reminder notification roughly 30 min before the free-cancel cutoff (2 h before class start); cancel there if your plans change.
- Is the CLI
adduserreachable from the web? - No.
adduserandresetpware CLI-only branches ofrun.py. The web app has no user-creation endpoint. Only someone with shell access to the server can add accounts. - Why can I only book within 7 days?
- That's SATS's rule — the booking window opens exactly 7 days before the class. If you create a rule today for a class 10 days out, the scheduler waits quietly; as soon as the window opens it books immediately.
Security
- Your SATS password is submitted once over HTTPS, exchanged for a refresh token, and then discarded.
- Refresh tokens are AES-GCM encrypted with a server-side master key stored outside the database.
- The app login uses argon2 password hashing, a signed session cookie bound to your browser for 8 h, and flask-wtf CSRF tokens on every form.
- After 5 failed logins to the same email within 15 min, further attempts are rejected with HTTP 429 until the window clears.