fix(auth): blank password field no longer clears auth; add Disable Auth button
The previous logic treated a blank password field as intent to clear auth, which meant saving any other setting (model, send key, etc.) would silently disable password protection. New behavior: - Blank password field + Save Settings = no change to auth (do nothing) - Password field with content + Save = set/change password (unchanged) - 'Disable Auth' button = explicit confirmation-gated clear (new) UI changes: - index.html: updated description text to 'Leave blank to keep current setting'; added 'Disable Auth' button (amber, shown only when auth active) - panels.js: saveSettings() skips password logic entirely when field is blank; loadSettingsPanel() shows/hides both btnDisableAuth and btnSignOut based on auth_enabled; new disableAuth() function sends _clear_password:true after confirm() prompt and hides both auth buttons on success Server: no logic changes needed; _clear_password handling in save_settings() is now only triggered by the explicit Disable Auth action.
This commit is contained in:
Nathan Esquenazi
@@ -284,10 +284,11 @@
|
||||
</div>
|
||||
<div class="settings-field" style="border-top:1px solid var(--border);padding-top:12px;margin-top:8px">
|
||||
<label for="settingsPassword">Access Password</label>
|
||||
<div style="font-size:11px;color:var(--muted);margin-bottom:6px">Set a password to require login. Leave blank to disable auth.</div>
|
||||
<input type="password" id="settingsPassword" placeholder="Enter new password (or blank to disable)" style="width:100%;padding:8px;background:var(--code-bg);color:var(--text);border:1px solid var(--border2);border-radius:6px;font-size:13px">
|
||||
<div style="font-size:11px;color:var(--muted);margin-bottom:6px">Enter a new password to set or change it. Leave blank to keep current setting.</div>
|
||||
<input type="password" id="settingsPassword" placeholder="Enter new password…" style="width:100%;padding:8px;background:var(--code-bg);color:var(--text);border:1px solid var(--border2);border-radius:6px;font-size:13px">
|
||||
</div>
|
||||
<button class="sm-btn" onclick="saveSettings()" style="margin-top:12px;width:100%;padding:8px;font-weight:600">Save Settings</button>
|
||||
<button class="sm-btn" id="btnDisableAuth" onclick="disableAuth()" style="margin-top:6px;width:100%;padding:8px;font-weight:600;color:#e8a030;border-color:rgba(232,160,48,.3);display:none">Disable Auth</button>
|
||||
<button class="sm-btn" id="btnSignOut" onclick="signOut()" style="margin-top:6px;width:100%;padding:8px;font-weight:600;color:var(--accent);border-color:rgba(233,69,96,.3);display:none">Sign Out</button>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -652,11 +652,14 @@ async function loadSettingsPanel(){
|
||||
// Password field: always blank (we don't send hash back)
|
||||
const pwField=$('settingsPassword');
|
||||
if(pwField) pwField.value='';
|
||||
// Show sign-out button if auth is active
|
||||
// Show auth buttons only when auth is active
|
||||
try{
|
||||
const authStatus=await api('/api/auth/status');
|
||||
const active=authStatus.auth_enabled;
|
||||
const signOutBtn=$('btnSignOut');
|
||||
if(signOutBtn) signOutBtn.style.display=authStatus.auth_enabled?'':'none';
|
||||
if(signOutBtn) signOutBtn.style.display=active?'':'none';
|
||||
const disableBtn=$('btnDisableAuth');
|
||||
if(disableBtn) disableBtn.style.display=active?'':'none';
|
||||
}catch(e){}
|
||||
}catch(e){
|
||||
showToast('Failed to load settings: '+e.message);
|
||||
@@ -672,22 +675,15 @@ async function saveSettings(){
|
||||
if(model) body.default_model=model;
|
||||
if(workspace) body.default_workspace=workspace;
|
||||
if(sendKey) body.send_key=sendKey;
|
||||
// Password: if field has content, hash and save; if blank, clear auth
|
||||
if(pw!==undefined&&pw!==null){
|
||||
if(pw.trim()){
|
||||
// Hash client-side using the same algo as server (SHA-256 with state-dir salt)
|
||||
// We send the raw password to the server's dedicated endpoint instead
|
||||
try{
|
||||
await api('/api/settings',{method:'POST',body:JSON.stringify({...body,_set_password:pw.trim()})});
|
||||
window._sendKey=sendKey||'enter';
|
||||
showToast('Settings saved (password set — login now required)');
|
||||
toggleSettings();
|
||||
return;
|
||||
}catch(e){showToast('Save failed: '+e.message);return;}
|
||||
}else{
|
||||
// Blank = clear password (disable auth)
|
||||
body.password_hash=null;
|
||||
}
|
||||
// Password: only act if the field has content; blank = leave auth unchanged
|
||||
if(pw && pw.trim()){
|
||||
try{
|
||||
await api('/api/settings',{method:'POST',body:JSON.stringify({...body,_set_password:pw.trim()})});
|
||||
window._sendKey=sendKey||'enter';
|
||||
showToast('Settings saved (password set — login now required)');
|
||||
toggleSettings();
|
||||
return;
|
||||
}catch(e){showToast('Save failed: '+e.message);return;}
|
||||
}
|
||||
try{
|
||||
await api('/api/settings',{method:'POST',body:JSON.stringify(body)});
|
||||
@@ -708,6 +704,21 @@ async function signOut(){
|
||||
}
|
||||
}
|
||||
|
||||
async function disableAuth(){
|
||||
if(!confirm('Disable password protection? Anyone will be able to access this instance.')) return;
|
||||
try{
|
||||
await api('/api/settings',{method:'POST',body:JSON.stringify({_clear_password:true})});
|
||||
showToast('Auth disabled — password protection removed');
|
||||
// Hide both auth buttons since auth is now off
|
||||
const disableBtn=$('btnDisableAuth');
|
||||
if(disableBtn) disableBtn.style.display='none';
|
||||
const signOutBtn=$('btnSignOut');
|
||||
if(signOutBtn) signOutBtn.style.display='none';
|
||||
}catch(e){
|
||||
showToast('Failed to disable auth: '+e.message);
|
||||
}
|
||||
}
|
||||
|
||||
// Close settings on overlay click (not panel click)
|
||||
document.addEventListener('click',e=>{
|
||||
const overlay=$('settingsOverlay');
|
||||
|
||||
Reference in New Issue
Block a user