feat(auth): first-run password setup via web panel
When `webPassword` is null and the daemon starts headless (systemd, piped
SSH), no longer auto-generate a random password. Instead:
- Boot normally with the gate denying everything except /api/auth/setup
- Panel UI eagerly probes new /api/auth/state on load and renders a
first-run setup overlay (password + confirm) when needsSetup=true
- POST /api/auth/setup writes the chosen password and issues the auth
cookie in the same response, so the operator lands logged in
Interactive TTY behaviour (prompt at the console) is unchanged. The gate
middleware is now registered unconditionally so first-run mode is still
locked-down instead of wide-open.
This commit is contained in:
Matt Sijbers
@@ -374,6 +374,21 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div id="setupOverlay" class="login-overlay" hidden>
|
||||
<div class="login-box">
|
||||
<h2>Brass & Sigil</h2>
|
||||
<p>First-run setup. Pick an admin password — this is the credential you'll use to sign in from now on.</p>
|
||||
<div class="input-wrap">
|
||||
<input id="setupPassword" type="password" autocomplete="new-password" placeholder="New password (min 8 chars)" />
|
||||
</div>
|
||||
<div class="input-wrap">
|
||||
<input id="setupConfirm" type="password" autocomplete="new-password" placeholder="Confirm password" />
|
||||
</div>
|
||||
<button id="setupSubmit">Set password & continue</button>
|
||||
<div id="setupError" class="login-error"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<script type="module" src="/app.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Reference in New Issue
Block a user