Replace API secret login with first-run password flow#2
Merged
User-facing change: the management secret no longer surfaces in the UI.
On first launch the backend boots into 'first-run' mode and the web UI
shows a 'create administrator password' screen (>=8 chars). After that,
returning visitors see a normal password login. Both screens exchange
the password for a long-lived management secret which the SPA caches
in localStorage and sends as Authorization: Bearer.
Backend
- Add public /v0/management/auth/{status,setup,login} routes plus an
authed /change_password endpoint. Setup and login are rate limited
per remote address (10 attempts / 60s) and password hashing uses
scrypt with a per-install random salt.
- managementAuthMiddleware now lets the public auth paths through
unauthenticated; the global enable check in proxy/server.ts does the
same so first-run still works when the API is otherwise disabled.
- Extend ManagementApiConfig with firstRunCompleted, passwordHash,
passwordSalt and passwordSetAt; the password fields are redacted by
the config GET endpoint alongside the secret itself.
- Default management API to enabled with firstRunCompleted=false so a
fresh install lands on the setup screen automatically.
- backend/index.ts no longer auto-generates a secret on first boot; it
prints a 'first run detected' banner instead and still honours the
CHAT2API_MANAGEMENT_SECRET escape hatch for headless setups.
Frontend
- ApiService.auth.{status,setup,login,changePassword} added.
- The 401 handler in the response interceptor now ignores /auth/* so a
failed login no longer blows away other state.
- Rewrite AuthProvider as a small state machine (loading / firstRun /
login / authenticated / offline) that talks to ApiService.auth. The
cached secret is validated against /config on boot.
- New PasswordSettings card surfaced under Settings - Security so the
operator can change the password (and optionally rotate the secret)
later without leaving the UI.
Docs: DEPLOYMENT.md updated to describe the new first-run flow.