How this works

This service books your SATS classes automatically the moment the 7-day booking window opens. It only ever books; you cancel or unbook directly in the official SATS app.

One-time setup

1. Log in. Use the app-level email and password your admin created with python run.py adduser <email>. This is separate from your SATS credentials.
2. Link SATS. On Account enter your SATS email and password once. The server exchanges them for a refresh token, stores only that encrypted, and discards the password.

Adding classes to auto-booking

1. Go to Browse.
2. Pick a Göteborg club and a date.
3. Click Add to auto-booking on any class. That class's weekday and time become a recurring rule, starting from the date you picked.
4. To stop auto-booking a class, click Remove from list on its Browse row or Remove on Rules. This never cancels a booking that already happened — go to the official SATS app for that.

FAQ

Do you keep my SATS password?

No. It's used once to obtain an OIDC refresh token (valid ~42 days and rotated on every use). If the refresh token expires or SATS revokes it, the scheduler clears the stored token and you'll need to re-enter the password once on the Account page. For the intervening weeks the server has no access to your password.

What if I book the class manually before your app does?

Before every booking attempt the scheduler asks SATS for your current bookings and skips anything you've already booked. If a race still happens, SATS rejects the duplicate and the scheduler records it as booked — no harm done.

What if I unbook a class in the SATS app after it's been booked?

Nothing. The scheduler records each booking once and never retries it. Next week's class has a different id and will be booked normally according to the rule.

How do I cancel a booked class?

In the official SATS app. This service never unbooks. Free cancellation closes 2 h before class start; cancel there if your plans change.

Is the CLI adduser reachable from the web?

No. adduser and resetpw are CLI-only branches of run.py. The web app has no user-creation endpoint. Only someone with shell access to the server can add accounts.

Why can I only book within 7 days?

That's SATS's rule — the booking window opens exactly 7 days before the class. If you create a rule today for a class 10 days out, the scheduler waits quietly; as soon as the window opens it books immediately.

Security

• Your SATS password is submitted once over HTTPS, exchanged for a refresh token, and then discarded.
• Refresh tokens are AES-GCM encrypted with a server-side master key stored outside the database.
• The app login uses argon2 password hashing, a signed session cookie bound to your browser for 8 h, and flask-wtf CSRF tokens on every form.
• After 5 failed logins to the same email within 15 min, further attempts are rejected with HTTP 429 until the window clears.