Merged
- Add Setting model for key-value configuration storage
- Create migration and seeder for push notification settings
- Add admin-only /settings route for configuring push notifications
- Integrate push notification 2FA into login flow
  - Check if push notifications are enabled
  - Send notification to external service
  - Wait for user approval (case-insensitive)
  - Handle no-device-found errors with registration link
- Update ldap.conf generation to include AUTH_BACKENDS and NOTIFICATION_URL
- Add Settings link to admin sidebar navigation
- Update database schema documentation
- Create new Settings admin documentation page with screenshot
- Document push notification 2FA configuration and workflow
- Update system architecture diagram to include Push Notification Service
- Add detailed authentication flow with 2FA sequence diagram
- Include link to MieWeb Auth App repository
- Update admin index to reference System Settings
- Add ApiKey database model with argon2 hashing and prefix storage
- Create database migration with indexes for performance
- Implement cryptographic key generation (256-bit entropy)
- Add requireApiKey middleware for Bearer token authentication
- Build complete CRUD routes at /apikeys endpoint
- Create responsive UI with mobile card view and desktop table view
- Add one-time key display with copy-to-clipboard functionality
- Refactor layout with fixed top navbar and collapsible sidebar
- Optimize sidebar width (200-250px auto) and eliminate extra scrolling
- Add Bootstrap Icons for improved visual design
- Include usage examples with curl commands

Security features:
- Keys hashed with argon2 (never stored in plain text)
- First 8 characters stored as prefix for efficient lookup
- Keys shown only once at creation
- Last usage timestamp tracking
- Per-user key management (non-admin access)

UI improvements:
- Fixed navbar at top with hamburger menu for mobile
- Sidebar collapses properly on mobile viewports
- Breadcrumbs left-aligned in navbar
- Responsive card/table dual layout pattern
- Proper text wrapping for long strings (keys, UUIDs)
- Clean spacing and no layout overflow issues
- Remove bi-key icon from API Keys sidebar entry for consistency
- Update requireAuth middleware to accept both session and API key auth
- Remove redundant requireApiKey middleware to eliminate duplication
- API key authentication now handled uniformly through requireAuth
c9eb1d7 to 6db74ac
Routes were checking req.session.user and req.session.isAdmin, but API key authentication only set req.user and req.isAdmin. This caused routes to fail with 'username undefined' errors when using API keys. Updated requireAuth middleware to populate req.session properties when authenticating via API key, ensuring full compatibility with existing routes.
- Add new api-keys.mdx documentation page with complete guide on:
  - Creating and managing API keys
  - Security best practices
  - Usage examples with curl
  - Comparison with session-based authentication
  - Troubleshooting common issues
- Update command-line.mdx to reference API keys as recommended auth method
- Include 5 screenshots showing:
  - Empty API keys list
  - Create API key form
  - Success page with one-time key display
  - API keys list with created key
  - API key details page
- Position API keys doc between web UI and command-line docs (sidebar_position: 3)
- Remove all references to session cookies and cookie-based authentication
- API keys are now the only documented authentication method for API usage
- Update all curl examples to use Authorization: Bearer header
- Simplify authentication section to focus solely on API keys
- Update prerequisites to require API key
- Renumber sections after removing cookie authentication steps
- Update troubleshooting section to remove cookie-related issues
- Remove usage examples and instructions from all API key views
- Keep only essential field descriptions and warnings
- All documentation and examples now live in the documentation site
- Views are now focused on the UI functionality only
- Remove screenshots showing usage examples and instructions
- Capture updated views with only essential information
- Screenshots now match the cleaned-up UI without embedded documentation
6db74ac to a9d43bd
- Add PasswordResetToken model with token generation, validation, and cleanup
- Create password reset router with full workflow (request → email → reset)
- Add email utility with SMTP URL parsing and sendPasswordResetEmail
- Create password reset views (request form, reset form)
- Add setPassword method to User model for secure password updates
- Update login page with 'Forgot your password?' link
- Add SMTP configuration to settings page (smtp_url, smtp_noreply_address)
- Create migrations for PasswordResetTokens table and SMTP settings
- Implement 1-hour token expiration with crypto.randomBytes for security
- Add Email Configuration section with SMTP setup instructions
- Document password reset flow and requirements
- Update settings page screenshot showing SMTP fields
- Include example SMTP URL formats and security options
- Add warnings about SMTP configuration requirements
cmyers-mieweb approved these changes on Jan 23, 2026
cmyers-mieweb (Collaborator) left a comment:
Looks good, currently in use in production
This pull request introduces several new features and improvements related to authentication, security, and user interface styling. The most significant changes include the addition of API key authentication, support for password reset tokens, a flexible settings system, and a refreshed sidebar and navigation style.
Authentication and Security Enhancements:
requireAuthmiddleware, allowing users to authenticate using a Bearer token in theAuthorizationheader. This includes key validation, user association, admin detection, and usage tracking.ApiKeySequelize model with methods for key validation and usage recording, and created the corresponding database migration for theApiKeystable, including indexes for performance. [1] [2]PasswordResetTokenmodel, including secure token generation, validation, and cleanup logic, and added a migration for thePasswordResetTokenstable. [1] [2]setPasswordmethod to theUsermodel to support secure password updates.Settings Infrastructure:
Settingmodel for application-wide key-value settings, with helper methods to get/set settings and batch retrieval, and created a migration for theSettingstable. [1] [2]User Interface Updates:
style.cssfor improved appearance, mobile responsiveness, and accessibility, including updates to sidebar colors, spacing, and active states. [1] [2] [3]Other:
middlewares/index.jsfile for improved readability.