administrator/frigate
1
0
Fork 0
mirror of https://github.com/blakeblackshear/frigate.git synced 2025-12-09 14:55:43 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Authentication improvements (#21194)

Browse Source 
* jwt permissions

* add old password to body req

* add model and migration

need to track the datetime that passwords were changed for the jwt

* auth api backend changes

- use os.open to create jwt secret with restrictive permissions (0o600: read/write for owner only)
- add backend validation for password strength
- add iat claim to jwt so the server can determine when a token was issued and reject any jwts issued before a user's password_changed_at timestamp, ensuring old tokens are invalidated after a password change
- set logout route to public to avoid 401 when logging out
- issue new jwt for users who change their own password so they stay logged in

* improve set password dialog

- add field to verify old password
- add password strength requirements

* frontend tweaks for password dialog

* i18n

* use verify endpoint for existing password verification

avoid /login side effects (creating a new session)

* public logout

* only check if password has changed on jwt refresh

* fix tests

Fix migration 030 by using raw sql to select usernames (avoid ORM selecting nonexistent columns)

* add multi device warning to password dialog

* remove password verification endpoint

Just send old_password + new password in one request, let the backend handle verification in a single operation
This commit is contained in:
Josh Hawkins 2025-12-08 10:02:28 -06:00 committed by GitHub
parent 28b0ad782a
commit 152e585206
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 554 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/docs/configuration/reference.md
View File

@ -123,7 +123,7 @@ auth:
# Optional: Refresh time in seconds (default: shown below) # Optional: Refresh time in seconds (default: shown below)
# When the session is going to expire in less time than this setting, # When the session is going to expire in less time than this setting,
# it will be refreshed back to the session_length. # it will be refreshed back to the session_length.
refresh_time: 43200 # 12 hours refresh_time: 1800 # 30 minutes
# Optional: Rate limiting for login failures to help prevent brute force # Optional: Rate limiting for login failures to help prevent brute force
# login attacks (default: shown below) # login attacks (default: shown below)
# See the docs for more information on valid values # See the docs for more information on valid values

116
frigate/api/auth.py
View File

@ -55,8 +55,8 @@ def require_admin_by_default():
"/auth", "/auth",
"/auth/first_time_login", "/auth/first_time_login",
"/login", "/login",
# Authenticated user endpoints (allow_any_authenticated)
"/logout", "/logout",
# Authenticated user endpoints (allow_any_authenticated)
"/profile", "/profile",
# Public info endpoints (allow_public) # Public info endpoints (allow_public)
"/", "/",
@ -311,7 +311,10 @@ def get_jwt_secret() -> str:
) )
jwt_secret = secrets.token_hex(64) jwt_secret = secrets.token_hex(64)
try: try:
with open(jwt_secret_file, "w") as f: fd = os.open(
jwt_secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600
)
with os.fdopen(fd, "w") as f:
f.write(str(jwt_secret)) f.write(str(jwt_secret))
except Exception: except Exception:
logger.warning( logger.warning(
@ -356,9 +359,35 @@ def verify_password(password, password_hash):
return secrets.compare_digest(password_hash, compare_hash) return secrets.compare_digest(password_hash, compare_hash)
def validate_password_strength(password: str) -> tuple[bool, Optional[str]]:
"""
Validate password strength.
Returns a tuple of (is_valid, error_message).
"""
if not password:
return False, "Password cannot be empty"
if len(password) < 8:
return False, "Password must be at least 8 characters long"
if not any(c.isupper() for c in password):
return False, "Password must contain at least one uppercase letter"
if not any(c.isdigit() for c in password):
return False, "Password must contain at least one digit"
if not any(c in '!@#$%^&*(),.?":{}|<>' for c in password):
return False, "Password must contain at least one special character"
return True, None
def create_encoded_jwt(user, role, expiration, secret): def create_encoded_jwt(user, role, expiration, secret):
return jwt.encode( return jwt.encode(
{"alg": "HS256"}, {"sub": user, "role": role, "exp": expiration}, secret {"alg": "HS256"},
{"sub": user, "role": role, "exp": expiration, "iat": int(time.time())},
secret,
) )
@ -619,13 +648,27 @@ def auth(request: Request):
return fail_response return fail_response
# if the jwt cookie is expiring soon # if the jwt cookie is expiring soon
elif jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time: if jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:
logger.debug("jwt token expiring soon, refreshing cookie") logger.debug("jwt token expiring soon, refreshing cookie")
# ensure the user hasn't been deleted
# Check if password has been changed since token was issued
# If so, force re-login by rejecting the refresh
try: try:
User.get_by_id(user) user_obj = User.get_by_id(user)
if user_obj.password_changed_at is not None:
token_iat = int(token.claims.get("iat", 0))
password_changed_timestamp = int(
user_obj.password_changed_at.timestamp()
)
if token_iat < password_changed_timestamp:
logger.debug(
"jwt token issued before password change, rejecting refresh"
)
return fail_response
except DoesNotExist: except DoesNotExist:
logger.debug("user not found")
return fail_response return fail_response
new_expiration = current_time + JWT_SESSION_LENGTH new_expiration = current_time + JWT_SESSION_LENGTH
new_encoded_jwt = create_encoded_jwt( new_encoded_jwt = create_encoded_jwt(
user, role, new_expiration, request.app.jwt_token user, role, new_expiration, request.app.jwt_token
@ -660,7 +703,7 @@ def profile(request: Request):
) )
@router.get("/logout", dependencies=[Depends(allow_any_authenticated())]) @router.get("/logout", dependencies=[Depends(allow_public())])
def logout(request: Request): def logout(request: Request):
auth_config: AuthConfig = request.app.frigate_config.auth auth_config: AuthConfig = request.app.frigate_config.auth
response = RedirectResponse("/login", status_code=303) response = RedirectResponse("/login", status_code=303)
@ -782,10 +825,63 @@ async def update_password(
HASH_ITERATIONS = request.app.frigate_config.auth.hash_iterations HASH_ITERATIONS = request.app.frigate_config.auth.hash_iterations
password_hash = hash_password(body.password, iterations=HASH_ITERATIONS) try:
User.set_by_id(username, {User.password_hash: password_hash}) user = User.get_by_id(username)
except DoesNotExist:
return JSONResponse(content={"message": "User not found"}, status_code=404)
return JSONResponse(content={"success": True}) # Require old_password when:
# 1. Non-admin user is changing another user's password (admin only action)
# 2. Any user is changing their own password
is_changing_own_password = current_username == username
is_non_admin = current_role != "admin"
if is_changing_own_password or is_non_admin:
if not body.old_password:
return JSONResponse(
content={"message": "Current password is required"},
status_code=400,
)
if not verify_password(body.old_password, user.password_hash):
return JSONResponse(
content={"message": "Current password is incorrect"},
status_code=401,
)
# Validate new password strength
is_valid, error_message = validate_password_strength(body.password)
if not is_valid:
return JSONResponse(
content={"message": error_message},
status_code=400,
)
password_hash = hash_password(body.password, iterations=HASH_ITERATIONS)
User.update(
{
User.password_hash: password_hash,
User.password_changed_at: datetime.now(),
}
).where(User.username == username).execute()
response = JSONResponse(content={"success": True})
# If user changed their own password, issue a new JWT to keep them logged in
if current_username == username:
JWT_COOKIE_NAME = request.app.frigate_config.auth.cookie_name
JWT_COOKIE_SECURE = request.app.frigate_config.auth.cookie_secure
JWT_SESSION_LENGTH = request.app.frigate_config.auth.session_length
expiration = int(time.time()) + JWT_SESSION_LENGTH
encoded_jwt = create_encoded_jwt(
username, current_role, expiration, request.app.jwt_token
)
# Set new JWT cookie on response
set_jwt_cookie(
response, JWT_COOKIE_NAME, encoded_jwt, expiration, JWT_COOKIE_SECURE
)
return response
@router.put( @router.put(

1
frigate/api/defs/request/app_body.py
View File

@ -11,6 +11,7 @@ class AppConfigSetBody(BaseModel):
class AppPutPasswordBody(BaseModel): class AppPutPasswordBody(BaseModel):
password: str password: str
old_password: Optional[str] = None
class AppPostUsersBody(BaseModel): class AppPostUsersBody(BaseModel):

2
frigate/config/auth.py
View File

@ -20,7 +20,7 @@ class AuthConfig(FrigateBaseModel):
default=86400, title="Session length for jwt session tokens", ge=60 default=86400, title="Session length for jwt session tokens", ge=60
) )
refresh_time: int = Field( refresh_time: int = Field(
default=43200, default=1800,
title="Refresh the session if it is going to expire in this many seconds", title="Refresh the session if it is going to expire in this many seconds",
ge=30, ge=30,
) )

1
frigate/models.py
View File

@ -133,6 +133,7 @@ class User(Model):
default="admin", default="admin",
) )
password_hash = CharField(null=False, max_length=120) password_hash = CharField(null=False, max_length=120)
password_changed_at = DateTimeField(null=True)
notification_tokens = JSONField() notification_tokens = JSONField()
@classmethod @classmethod

6
migrations/030_create_user_review_status.py
View File

@ -54,7 +54,9 @@ def migrate(migrator, database, fake=False, **kwargs):
# Migrate existing has_been_reviewed data to UserReviewStatus for all users # Migrate existing has_been_reviewed data to UserReviewStatus for all users
def migrate_data(): def migrate_data():
all_users = list(User.select()) # Use raw SQL to avoid ORM issues with columns that don't exist yet
cursor = database.execute_sql('SELECT "username" FROM "user"')
all_users = cursor.fetchall()
if not all_users: if not all_users:
return return
@ -63,7 +65,7 @@ def migrate(migrator, database, fake=False, **kwargs):
) )
reviewed_segment_ids = [row[0] for row in cursor.fetchall()] reviewed_segment_ids = [row[0] for row in cursor.fetchall()]
# also migrate for anonymous (unauthenticated users) # also migrate for anonymous (unauthenticated users)
usernames = [user.username for user in all_users] + ["anonymous"] usernames = [user[0] for user in all_users] + ["anonymous"]
for segment_id in reviewed_segment_ids: for segment_id in reviewed_segment_ids:
for username in usernames: for username in usernames:

42
migrations/032_add_password_changed_at.py Normal file
View File

@ -0,0 +1,42 @@
"""Peewee migrations -- 032_add_password_changed_at.py.
Some examples (model - class or model name)::
> Model = migrator.orm['model_name'] # Return model in current state by name
> migrator.sql(sql) # Run custom SQL
> migrator.python(func, *args, **kwargs) # Run python code
> migrator.create_model(Model) # Create a model (could be used as decorator)
> migrator.remove_model(model, cascade=True) # Remove a model
> migrator.add_fields(model, **fields) # Add fields to a model
> migrator.change_fields(model, **fields) # Change fields
> migrator.remove_fields(model, *field_names, cascade=True)
> migrator.rename_field(model, old_field_name, new_field_name)
> migrator.rename_table(model, new_table_name)
> migrator.add_index(model, *col_names, unique=False)
> migrator.drop_index(model, *col_names)
> migrator.add_not_null(model, *field_names)
> migrator.drop_not_null(model, *field_names)
> migrator.add_default(model, field_name, default)
"""
import peewee as pw
SQL = pw.SQL
def migrate(migrator, database, fake=False, **kwargs):
migrator.sql(
"""
ALTER TABLE user ADD COLUMN password_changed_at DATETIME NULL
"""
)
def rollback(migrator, database, fake=False, **kwargs):
migrator.sql(
"""
ALTER TABLE user DROP COLUMN password_changed_at
"""
)

19
web/public/locales/en/views/settings.json
View File

@ -712,6 +712,8 @@
"password": { "password": {
"title": "Password", "title": "Password",
"placeholder": "Enter password", "placeholder": "Enter password",
"show": "Show password",
"hide": "Hide password",
"confirm": { "confirm": {
"title": "Confirm Password", "title": "Confirm Password",
"placeholder": "Confirm Password" "placeholder": "Confirm Password"
@ -723,6 +725,13 @@
"strong": "Strong", "strong": "Strong",
"veryStrong": "Very Strong" "veryStrong": "Very Strong"
}, },
"requirements": {
"title": "Password requirements:",
"length": "At least 8 characters",
"uppercase": "At least one uppercase letter",
"digit": "At least one digit",
"special": "At least one special character (!@#$%^&*(),.?\":{}|<>)"
},
"match": "Passwords match", "match": "Passwords match",
"notMatch": "Passwords don't match" "notMatch": "Passwords don't match"
}, },
@ -733,6 +742,10 @@
"placeholder": "Re-enter new password" "placeholder": "Re-enter new password"
} }
}, },
"currentPassword": {
"title": "Current Password",
"placeholder": "Enter your current password"
},
"usernameIsRequired": "Username is required", "usernameIsRequired": "Username is required",
"passwordIsRequired": "Password is required" "passwordIsRequired": "Password is required"
}, },
@ -750,9 +763,13 @@
"passwordSetting": { "passwordSetting": {
"cannotBeEmpty": "Password cannot be empty", "cannotBeEmpty": "Password cannot be empty",
"doNotMatch": "Passwords do not match", "doNotMatch": "Passwords do not match",
"currentPasswordRequired": "Current password is required",
"incorrectCurrentPassword": "Current password is incorrect",
"passwordVerificationFailed": "Failed to verify password",
"updatePassword": "Update Password for {{username}}", "updatePassword": "Update Password for {{username}}",
"setPassword": "Set Password", "setPassword": "Set Password",
"desc": "Create a strong password to secure this account." "desc": "Create a strong password to secure this account.",
"multiDeviceWarning": "Any other devices where you are logged in will be required to re-login within {{refresh_time}}. You can also force all users to re-authenticate immediately by rotating your JWT secret."
}, },
"changeRole": { "changeRole": {
"title": "Change User Role", "title": "Change User Role",

31
web/src/components/menu/AccountSettings.tsx
View File

@ -42,19 +42,27 @@ export default function AccountSettings({ className }: AccountSettingsProps) {
const logoutUrl = config?.proxy?.logout_url || `${baseUrl}api/logout`; const logoutUrl = config?.proxy?.logout_url || `${baseUrl}api/logout`;
const [passwordDialogOpen, setPasswordDialogOpen] = useState(false); const [passwordDialogOpen, setPasswordDialogOpen] = useState(false);
const [passwordError, setPasswordError] = useState<string | null>(null);
const [isPasswordLoading, setIsPasswordLoading] = useState(false);
const Container = isDesktop ? DropdownMenu : Drawer; const Container = isDesktop ? DropdownMenu : Drawer;
const Trigger = isDesktop ? DropdownMenuTrigger : DrawerTrigger; const Trigger = isDesktop ? DropdownMenuTrigger : DrawerTrigger;
const Content = isDesktop ? DropdownMenuContent : DrawerContent; const Content = isDesktop ? DropdownMenuContent : DrawerContent;
const MenuItem = isDesktop ? DropdownMenuItem : DrawerClose; const MenuItem = isDesktop ? DropdownMenuItem : DrawerClose;
const handlePasswordSave = async (password: string) => { const handlePasswordSave = async (password: string, oldPassword?: string) => {
if (!profile?.username || profile.username === "anonymous") return; if (!profile?.username || profile.username === "anonymous") return;
setIsPasswordLoading(true);
axios axios
.put(`users/${profile.username}/password`, { password }) .put(`users/${profile.username}/password`, {
password,
old_password: oldPassword,
})
.then((response) => { .then((response) => {
if (response.status === 200) { if (response.status === 200) {
setPasswordDialogOpen(false); setPasswordDialogOpen(false);
setPasswordError(null);
setIsPasswordLoading(false);
toast.success(t("users.toast.success.updatePassword"), { toast.success(t("users.toast.success.updatePassword"), {
position: "top-center", position: "top-center",
}); });
@ -65,14 +73,10 @@ export default function AccountSettings({ className }: AccountSettingsProps) {
error.response?.data?.message || error.response?.data?.message ||
error.response?.data?.detail || error.response?.data?.detail ||
"Unknown error"; "Unknown error";
toast.error(
t("users.toast.error.setPasswordFailed", { // Keep dialog open and show error
errorMessage, setPasswordError(errorMessage);
}), setIsPasswordLoading(false);
{
position: "top-center",
},
);
}); });
}; };
@ -154,8 +158,13 @@ export default function AccountSettings({ className }: AccountSettingsProps) {
<SetPasswordDialog <SetPasswordDialog
show={passwordDialogOpen} show={passwordDialogOpen}
onSave={handlePasswordSave} onSave={handlePasswordSave}
onCancel={() => setPasswordDialogOpen(false)} onCancel={() => {
setPasswordDialogOpen(false);
setPasswordError(null);
}}
initialError={passwordError}
username={profile?.username} username={profile?.username}
isLoading={isPasswordLoading}
/> />
</Container> </Container>
); );

33
web/src/components/menu/GeneralSettings.tsx
View File

@ -116,13 +116,22 @@ export default function GeneralSettings({ className }: GeneralSettingsProps) {
const SubItemContent = isDesktop ? DropdownMenuSubContent : DialogContent; const SubItemContent = isDesktop ? DropdownMenuSubContent : DialogContent;
const Portal = isDesktop ? DropdownMenuPortal : DialogPortal; const Portal = isDesktop ? DropdownMenuPortal : DialogPortal;
const handlePasswordSave = async (password: string) => { const [passwordError, setPasswordError] = useState<string | null>(null);
const [isPasswordLoading, setIsPasswordLoading] = useState(false);
const handlePasswordSave = async (password: string, oldPassword?: string) => {
if (!profile?.username || profile.username === "anonymous") return; if (!profile?.username || profile.username === "anonymous") return;
setIsPasswordLoading(true);
axios axios
.put(`users/${profile.username}/password`, { password }) .put(`users/${profile.username}/password`, {
password,
old_password: oldPassword,
})
.then((response) => { .then((response) => {
if (response.status === 200) { if (response.status === 200) {
setPasswordDialogOpen(false); setPasswordDialogOpen(false);
setPasswordError(null);
setIsPasswordLoading(false);
toast.success( toast.success(
t("users.toast.success.updatePassword", { t("users.toast.success.updatePassword", {
ns: "views/settings", ns: "views/settings",
@ -138,15 +147,10 @@ export default function GeneralSettings({ className }: GeneralSettingsProps) {
error.response?.data?.message || error.response?.data?.message ||
error.response?.data?.detail || error.response?.data?.detail ||
"Unknown error"; "Unknown error";
toast.error(
t("users.toast.error.setPasswordFailed", { // Keep dialog open and show error
ns: "views/settings", setPasswordError(errorMessage);
errorMessage, setIsPasswordLoading(false);
}),
{
position: "top-center",
},
);
}); });
}; };
@ -554,8 +558,13 @@ export default function GeneralSettings({ className }: GeneralSettingsProps) {
<SetPasswordDialog <SetPasswordDialog
show={passwordDialogOpen} show={passwordDialogOpen}
onSave={handlePasswordSave} onSave={handlePasswordSave}
onCancel={() => setPasswordDialogOpen(false)} onCancel={() => {
setPasswordDialogOpen(false);
setPasswordError(null);
}}
initialError={passwordError}
username={profile?.username} username={profile?.username}
isLoading={isPasswordLoading}
/> />
</> </>
); );

370
web/src/components/overlay/SetPasswordDialog.tsx
View File

@ -1,5 +1,3 @@
"use client";
import { Button } from "../ui/button"; import { Button } from "../ui/button";
import { Input } from "../ui/input"; import { Input } from "../ui/input";
import { useState, useEffect } from "react"; import { useState, useEffect } from "react";
@ -13,38 +11,84 @@ import {
} from "../ui/dialog"; } from "../ui/dialog";
import { Label } from "../ui/label"; import { Label } from "../ui/label";
import { LuCheck, LuX } from "react-icons/lu"; import { LuCheck, LuX, LuEye, LuEyeOff, LuExternalLink } from "react-icons/lu";
import { useTranslation } from "react-i18next"; import { useTranslation } from "react-i18next";
import { useDocDomain } from "@/hooks/use-doc-domain";
import useSWR from "swr";
import { formatSecondsToDuration } from "@/utils/dateUtil";
import ActivityIndicator from "../indicators/activity-indicator";
type SetPasswordProps = { type SetPasswordProps = {
show: boolean; show: boolean;
onSave: (password: string) => void; onSave: (password: string, oldPassword?: string) => void;
onCancel: () => void; onCancel: () => void;
initialError?: string | null;
username?: string; username?: string;
isLoading?: boolean;
}; };
export default function SetPasswordDialog({ export default function SetPasswordDialog({
show, show,
onSave, onSave,
onCancel, onCancel,
initialError,
username, username,
isLoading = false,
}: SetPasswordProps) { }: SetPasswordProps) {
const { t } = useTranslation(["views/settings"]); const { t } = useTranslation(["views/settings", "common"]);
const { getLocaleDocUrl } = useDocDomain();
const { data: config } = useSWR("config");
const refreshSeconds: number | undefined =
config?.auth?.refresh_time ?? undefined;
const refreshTimeLabel = refreshSeconds
? formatSecondsToDuration(refreshSeconds)
: "30 minutes";
const [oldPassword, setOldPassword] = useState<string>("");
const [password, setPassword] = useState<string>(""); const [password, setPassword] = useState<string>("");
const [confirmPassword, setConfirmPassword] = useState<string>(""); const [confirmPassword, setConfirmPassword] = useState<string>("");
const [passwordStrength, setPasswordStrength] = useState<number>(0); const [passwordStrength, setPasswordStrength] = useState<number>(0);
const [error, setError] = useState<string | null>(null); const [error, setError] = useState<string | null>(null);
// Reset state when dialog opens/closes // visibility toggles for password fields
const [showOldPassword, setShowOldPassword] = useState<boolean>(false);
const [showPasswordVisible, setShowPasswordVisible] =
useState<boolean>(false);
const [showConfirmPassword, setShowConfirmPassword] =
useState<boolean>(false);
const [hasInitialized, setHasInitialized] = useState<boolean>(false);
// Password strength requirements
const requirements = {
length: password.length >= 8,
uppercase: /[A-Z]/.test(password),
digit: /\d/.test(password),
special: /[!@#$%^&*(),.?":{}|<>]/.test(password),
};
useEffect(() => { useEffect(() => {
if (show) { if (show) {
setPassword(""); if (!hasInitialized) {
setConfirmPassword(""); setOldPassword("");
setError(null); setPassword("");
setConfirmPassword("");
setError(null);
setHasInitialized(true);
}
} else {
setHasInitialized(false);
} }
}, [show]); }, [show, hasInitialized]);
useEffect(() => {
if (show && initialError) {
setError(initialError);
}
}, [show, initialError]);
// Password strength calculation
// Simple password strength calculation
useEffect(() => { useEffect(() => {
if (!password) { if (!password) {
setPasswordStrength(0); setPasswordStrength(0);
@ -52,30 +96,52 @@ export default function SetPasswordDialog({
} }
let strength = 0; let strength = 0;
// Length check if (requirements.length) strength += 1;
if (password.length >= 8) strength += 1; if (requirements.digit) strength += 1;
// Contains number if (requirements.special) strength += 1;
if (/\d/.test(password)) strength += 1; if (requirements.uppercase) strength += 1;
// Contains special char
if (/[!@#$%^&*(),.?":{}|<>]/.test(password)) strength += 1;
// Contains uppercase
if (/[A-Z]/.test(password)) strength += 1;
setPasswordStrength(strength); setPasswordStrength(strength);
// we know that these deps are correct
// eslint-disable-next-line react-hooks/exhaustive-deps
}, [password]); }, [password]);
const handleSave = () => { const handleSave = async () => {
if (!password) { if (!password) {
setError(t("users.dialog.passwordSetting.cannotBeEmpty")); setError(t("users.dialog.passwordSetting.cannotBeEmpty"));
return; return;
} }
// Validate all requirements
if (!requirements.length) {
setError(t("users.dialog.form.password.requirements.length"));
return;
}
if (!requirements.uppercase) {
setError(t("users.dialog.form.password.requirements.uppercase"));
return;
}
if (!requirements.digit) {
setError(t("users.dialog.form.password.requirements.digit"));
return;
}
if (!requirements.special) {
setError(t("users.dialog.form.password.requirements.special"));
return;
}
if (password !== confirmPassword) { if (password !== confirmPassword) {
setError(t("users.dialog.passwordSetting.doNotMatch")); setError(t("users.dialog.passwordSetting.doNotMatch"));
return; return;
} }
onSave(password); // Require old password when changing own password (username is provided)
if (username && !oldPassword) {
setError(t("users.dialog.passwordSetting.currentPasswordRequired"));
return;
}
onSave(password, oldPassword || undefined);
}; };
const getStrengthLabel = () => { const getStrengthLabel = () => {
@ -112,39 +178,199 @@ export default function SetPasswordDialog({
<DialogDescription> <DialogDescription>
{t("users.dialog.passwordSetting.desc")} {t("users.dialog.passwordSetting.desc")}
</DialogDescription> </DialogDescription>
<p className="text-sm text-muted-foreground">
{t("users.dialog.passwordSetting.multiDeviceWarning", {
refresh_time: refreshTimeLabel,
ns: "views/settings",
})}
</p>
<p className="text-sm text-primary-variant">
<a
href={getLocaleDocUrl(
"configuration/authentication#jwt-token-secret",
)}
target="_blank"
rel="noopener noreferrer"
className="inline-flex items-center text-primary"
>
{t("readTheDocumentation", { ns: "common" })}
<LuExternalLink className="ml-2 size-3" />
</a>
</p>
</DialogHeader> </DialogHeader>
<div className="space-y-4 pt-4"> <div className="space-y-4 pt-4">
{username && (
<div className="space-y-2">
<Label htmlFor="old-password">
{t("users.dialog.form.currentPassword.title")}
</Label>
<div className="relative">
<Input
id="old-password"
className="h-10 pr-10"
type={showOldPassword ? "text" : "password"}
value={oldPassword}
onChange={(event) => {
setOldPassword(event.target.value);
setError(null);
}}
placeholder={t(
"users.dialog.form.currentPassword.placeholder",
)}
/>
<Button
type="button"
variant="ghost"
size="sm"
tabIndex={-1}
aria-label={
showOldPassword
? t("users.dialog.form.password.hide", {
ns: "views/settings",
})
: t("users.dialog.form.password.show", {
ns: "views/settings",
})
}
className="absolute right-0 top-0 h-full px-3 py-2 hover:bg-transparent"
onClick={() => setShowOldPassword(!showOldPassword)}
>
{showOldPassword ? (
<LuEyeOff className="size-4" />
) : (
<LuEye className="size-4" />
)}
</Button>
</div>
</div>
)}
<div className="space-y-2"> <div className="space-y-2">
<Label htmlFor="password"> <Label htmlFor="password">
{t("users.dialog.form.newPassword.title")} {t("users.dialog.form.newPassword.title")}
</Label> </Label>
<Input <div className="relative">
id="password" <Input
className="h-10" id="password"
type="password" className="h-10 pr-10"
value={password} type={showPasswordVisible ? "text" : "password"}
onChange={(event) => { value={password}
setPassword(event.target.value); onChange={(event) => {
setError(null); setPassword(event.target.value);
}} setError(null);
placeholder={t("users.dialog.form.newPassword.placeholder")} }}
autoFocus placeholder={t("users.dialog.form.newPassword.placeholder")}
/> autoFocus
/>
<Button
type="button"
variant="ghost"
size="sm"
tabIndex={-1}
aria-label={
showPasswordVisible
? t("users.dialog.form.password.hide", {
ns: "views/settings",
})
: t("users.dialog.form.password.show", {
ns: "views/settings",
})
}
className="absolute right-0 top-0 h-full px-3 py-2 hover:bg-transparent"
onClick={() => setShowPasswordVisible(!showPasswordVisible)}
>
{showPasswordVisible ? (
<LuEyeOff className="size-4" />
) : (
<LuEye className="size-4" />
)}
</Button>
</div>
{/* Password strength indicator */}
{password && ( {password && (
<div className="mt-2 space-y-1"> <div className="mt-2 space-y-2">
<div className="flex h-1.5 w-full overflow-hidden rounded-full bg-secondary-foreground"> <div className="flex h-1.5 w-full overflow-hidden rounded-full bg-secondary-foreground">
<div <div
className={`${getStrengthColor()} transition-all duration-300`} className={`${getStrengthColor()} transition-all duration-300`}
style={{ width: `${(passwordStrength / 3) * 100}%` }} style={{ width: `${(passwordStrength / 4) * 100}%` }}
/> />
</div> </div>
<p className="text-xs text-muted-foreground"> <p className="text-xs text-muted-foreground">
{t("users.dialog.form.password.strength.title")} {t("users.dialog.form.password.strength.title")}
<span className="font-medium">{getStrengthLabel()}</span> <span className="font-medium">{getStrengthLabel()}</span>
</p> </p>
<div className="space-y-1 rounded-md bg-muted/50 p-2">
<p className="text-xs font-medium text-muted-foreground">
{t("users.dialog.form.password.requirements.title")}
</p>
<ul className="space-y-1">
<li className="flex items-center gap-2 text-xs">
{requirements.length ? (
<LuCheck className="size-3.5 text-green-500" />
) : (
<LuX className="size-3.5 text-red-500" />
)}
<span
className={
requirements.length
? "text-green-600"
: "text-red-600"
}
>
{t("users.dialog.form.password.requirements.length")}
</span>
</li>
<li className="flex items-center gap-2 text-xs">
{requirements.uppercase ? (
<LuCheck className="size-3.5 text-green-500" />
) : (
<LuX className="size-3.5 text-red-500" />
)}
<span
className={
requirements.uppercase
? "text-green-600"
: "text-red-600"
}
>
{t("users.dialog.form.password.requirements.uppercase")}
</span>
</li>
<li className="flex items-center gap-2 text-xs">
{requirements.digit ? (
<LuCheck className="size-3.5 text-green-500" />
) : (
<LuX className="size-3.5 text-red-500" />
)}
<span
className={
requirements.digit ? "text-green-600" : "text-red-600"
}
>
{t("users.dialog.form.password.requirements.digit")}
</span>
</li>
<li className="flex items-center gap-2 text-xs">
{requirements.special ? (
<LuCheck className="size-3.5 text-green-500" />
) : (
<LuX className="size-3.5 text-red-500" />
)}
<span
className={
requirements.special
? "text-green-600"
: "text-red-600"
}
>
{t("users.dialog.form.password.requirements.special")}
</span>
</li>
</ul>
</div>
</div> </div>
)} )}
</div> </div>
@ -153,19 +379,44 @@ export default function SetPasswordDialog({
<Label htmlFor="confirm-password"> <Label htmlFor="confirm-password">
{t("users.dialog.form.password.confirm.title")} {t("users.dialog.form.password.confirm.title")}
</Label> </Label>
<Input <div className="relative">
id="confirm-password" <Input
className="h-10" id="confirm-password"
type="password" className="h-10 pr-10"
value={confirmPassword} type={showConfirmPassword ? "text" : "password"}
onChange={(event) => { value={confirmPassword}
setConfirmPassword(event.target.value); onChange={(event) => {
setError(null); setConfirmPassword(event.target.value);
}} setError(null);
placeholder={t( }}
"users.dialog.form.newPassword.confirm.placeholder", placeholder={t(
)} "users.dialog.form.newPassword.confirm.placeholder",
/> )}
/>
<Button
type="button"
variant="ghost"
size="sm"
tabIndex={-1}
aria-label={
showConfirmPassword
? t("users.dialog.form.password.hide", {
ns: "views/settings",
})
: t("users.dialog.form.password.show", {
ns: "views/settings",
})
}
className="absolute right-0 top-0 h-full px-3 py-2 hover:bg-transparent"
onClick={() => setShowConfirmPassword(!showConfirmPassword)}
>
{showConfirmPassword ? (
<LuEyeOff className="size-4" />
) : (
<LuEye className="size-4" />
)}
</Button>
</div>
{/* Password match indicator */} {/* Password match indicator */}
{password && confirmPassword && ( {password && confirmPassword && (
@ -204,6 +455,7 @@ export default function SetPasswordDialog({
aria-label={t("button.cancel", { ns: "common" })} aria-label={t("button.cancel", { ns: "common" })}
onClick={onCancel} onClick={onCancel}
type="button" type="button"
disabled={isLoading}
> >
{t("button.cancel", { ns: "common" })} {t("button.cancel", { ns: "common" })}
</Button> </Button>
@ -212,9 +464,25 @@ export default function SetPasswordDialog({
aria-label={t("button.save", { ns: "common" })} aria-label={t("button.save", { ns: "common" })}
className="flex flex-1" className="flex flex-1"
onClick={handleSave} onClick={handleSave}
disabled={!password || password !== confirmPassword} disabled={
isLoading ||
!password ||
password !== confirmPassword ||
(username && !oldPassword) ||
!requirements.length ||
!requirements.uppercase ||
!requirements.digit ||
!requirements.special
}
> >
{t("button.save", { ns: "common" })} {isLoading ? (
<div className="flex flex-row items-center gap-2">
<ActivityIndicator />
<span>{t("button.saving", { ns: "common" })}</span>
</div>
) : (
t("button.save", { ns: "common" })
)}
</Button> </Button>
</div> </div>
</div> </div>

32
web/src/views/settings/AuthenticationView.tsx
View File

@ -57,6 +57,8 @@ export default function AuthenticationView({
const [showCreateRole, setShowCreateRole] = useState(false); const [showCreateRole, setShowCreateRole] = useState(false);
const [showEditRole, setShowEditRole] = useState(false); const [showEditRole, setShowEditRole] = useState(false);
const [showDeleteRole, setShowDeleteRole] = useState(false); const [showDeleteRole, setShowDeleteRole] = useState(false);
const [passwordError, setPasswordError] = useState<string | null>(null);
const [isPasswordLoading, setIsPasswordLoading] = useState(false);
const [selectedUser, setSelectedUser] = useState<string>(); const [selectedUser, setSelectedUser] = useState<string>();
const [selectedUserRole, setSelectedUserRole] = useState<string>(); const [selectedUserRole, setSelectedUserRole] = useState<string>();
@ -70,12 +72,15 @@ export default function AuthenticationView({
}, [t]); }, [t]);
const onSavePassword = useCallback( const onSavePassword = useCallback(
(user: string, password: string) => { (user: string, password: string, oldPassword?: string) => {
setIsPasswordLoading(true);
axios axios
.put(`users/${user}/password`, { password }) .put(`users/${user}/password`, { password, old_password: oldPassword })
.then((response) => { .then((response) => {
if (response.status === 200) { if (response.status === 200) {
setShowSetPassword(false); setShowSetPassword(false);
setPasswordError(null);
setIsPasswordLoading(false);
toast.success(t("users.toast.success.updatePassword"), { toast.success(t("users.toast.success.updatePassword"), {
position: "top-center", position: "top-center",
}); });
@ -86,14 +91,10 @@ export default function AuthenticationView({
error.response?.data?.message || error.response?.data?.message ||
error.response?.data?.detail || error.response?.data?.detail ||
"Unknown error"; "Unknown error";
toast.error(
t("users.toast.error.setPasswordFailed", { // Keep dialog open and show error
errorMessage, setPasswordError(errorMessage);
}), setIsPasswordLoading(false);
{
position: "top-center",
},
);
}); });
}, },
[t], [t],
@ -563,8 +564,15 @@ export default function AuthenticationView({
</div> </div>
<SetPasswordDialog <SetPasswordDialog
show={showSetPassword} show={showSetPassword}
onCancel={() => setShowSetPassword(false)} onCancel={() => {
onSave={(password) => onSavePassword(selectedUser!, password)} setShowSetPassword(false);
setPasswordError(null);
}}
initialError={passwordError}
onSave={(password, oldPassword) =>
onSavePassword(selectedUser!, password, oldPassword)
}
isLoading={isPasswordLoading}
/> />
<DeleteUserDialog <DeleteUserDialog
show={showDelete} show={showDelete}