How this works

This service books your SATS classes automatically the moment the 7-day booking window opens. It only ever books; you cancel or unbook directly in the official SATS app.

One-time setup

1. Log in. Use the app-level email and password your admin created with python run.py adduser <email>. This is separate from your SATS credentials.
2. Link SATS. On Account enter your SATS email and password once. The server exchanges them for a refresh token, stores only that encrypted, and discards the password.
3. (Optional) Link Telegram. Generate a 6-digit pairing code on Account, send /link <code> to the bot. Without Telegram, notifications fall back to email if SMTP is configured.

Adding classes to auto-booking

1. Go to Browse.
2. Pick a Göteborg club and a date.
3. Click Add to auto-booking on any class. That class's weekday and time become a recurring rule, starting from the date you picked.
4. To stop auto-booking a class, click Remove from list on its Browse row or Remove on Rules. This never cancels a booking that already happened — go to the official SATS app for that.

FAQ

Do you keep my SATS password?

No. It's used once to obtain an OIDC refresh token (valid ~42 days and rotated on every use). If the refresh token expires or SATS revokes it, you'll get a "SATS re-link required" notification and need to re-enter the password once. For the intervening weeks the server has no access to your password.

What if I book the class manually before your app does?

Before every booking attempt the scheduler asks SATS for your current bookings and skips anything you've already booked. If a race still happens, SATS rejects the duplicate and the scheduler records it as booked — no harm done.

What if I unbook a class in the SATS app after it's been booked?

Nothing. The scheduler records each booking once and never retries it. Next week's class has a different id and will be booked normally according to the rule.

How do I cancel a booked class?

In the official SATS app. This service never unbooks. You'll get a reminder notification roughly 30 min before the free-cancel cutoff (2 h before class start); cancel there if your plans change.

Is the CLI adduser reachable from the web?

No. adduser and resetpw are CLI-only branches of run.py. The web app has no user-creation endpoint. Only someone with shell access to the server can add accounts.

Why can I only book within 7 days?

That's SATS's rule — the booking window opens exactly 7 days before the class. If you create a rule today for a class 10 days out, the scheduler waits quietly; as soon as the window opens it books immediately.

Security

• Your SATS password is submitted once over HTTPS, exchanged for a refresh token, and then discarded.
• Refresh tokens are AES-GCM encrypted with a server-side master key stored outside the database.
• The app login uses argon2 password hashing, a signed session cookie bound to your browser for 8 h, and flask-wtf CSRF tokens on every form.
• After 5 failed logins to the same email within 15 min, further attempts are rejected with HTTP 429 until the window clears.