* jwt permissions
* add old password to body req
* add model and migration
need to track the datetime that passwords were changed for the jwt
* auth api backend changes
- use os.open to create jwt secret with restrictive permissions (0o600: read/write for owner only)
- add backend validation for password strength
- add iat claim to jwt so the server can determine when a token was issued and reject any jwts issued before a user's password_changed_at timestamp, ensuring old tokens are invalidated after a password change
- set logout route to public to avoid 401 when logging out
- issue new jwt for users who change their own password so they stay logged in
* improve set password dialog
- add field to verify old password
- add password strength requirements
* frontend tweaks for password dialog
* i18n
* use verify endpoint for existing password verification
avoid /login side effects (creating a new session)
* public logout
* only check if password has changed on jwt refresh
* fix tests
Fix migration 030 by using raw sql to select usernames (avoid ORM selecting nonexistent columns)
* add multi device warning to password dialog
* remove password verification endpoint
Just send old_password + new password in one request, let the backend handle verification in a single operation
* update config for roles and add validator
* ensure admin and viewer are never overridden
* add class method to user to retrieve all allowed cameras
* enforce config roles in auth api endpoints
* add camera access api dependency functions
* protect review endpoints
* protect preview endpoints
* rename param name for better fastapi injection matching
* remove unneeded
* protect export endpoints
* protect event endpoints
* protect media endpoints
* update auth hook for allowed cameras
* update default app view
* ensure anonymous user always returns all cameras
* limit cameras in explore
* cameras is already a list
* limit cameras in review/history
* limit cameras in live view
* limit cameras in camera groups
* only show face library and classification in sidebar for admin
* remove check in delete reviews
since admin role is required, no need to check camera access. fixes failing test
* pass request with camera access for tests
* more async
* camera access tests
* fix proxy auth tests
* allowed cameras for review tests
* combine event tests and refactor for camera access
* fix post validation for roles
* don't limit roles in create user dialog
* fix triggers endpoints
no need to run require camera access dep since the required role is admin
* fix type
* create and edit role dialogs
* delete role dialog
* fix role change dialog
* update settings view for roles
* i18n changes
* minor spacing tweaks
* docs
* use badges and camera name label component
* clarify docs
* display all cameras badge for admin and viewer
* i18n fix
* use validator to prevent reserved and empty roles from being assigned
* split users and roles into separate tabs in settings
* tweak docs
* clarify docs
* change icon
* don't memoize roles
always recalculate on component render
* db migration
* db model
* assign admin role on password reset
* add role to jwt and api responses
* don't restrict api access for admins yet
* use json response
* frontend auth context
* update auth form for profile endpoint
* add access denied page
* add protected routes
* auth hook
* dialogs
* user settings view
* restrict viewer access to settings
* restrict camera functions for viewer role
* add password dialog to account menu
* spacing tweak
* migrator default to admin
* escape quotes in migrator
* ui tweaks
* tweaks
* colors
* colors
* fix merge conflict
* fix icons
* add api layer enforcement
* ui tweaks
* fix error message
* debug
* clean up
* remove print
* guard apis for admin only
* fix tests
* fix review tests
* use correct error responses from api in toasts
* add role to account menu
* reload the window on 401
* backend apis for auth
* add login page
* re-enable web linter
* fix login page routing
* bypass csrf for internal auth endpoint
* disable healthcheck in devcontainer target
* include login page in vite build
* redirect to login page on 401
* implement config for users and settings
* implement JWT actual secret
* add brute force protection on login
* add support for redirecting from auth failures on api calls
* return location for redirect
* default cookie name should pass regex test
* set hash iterations to current OWASP recommendation
* move users to database instead of config
* config option to reset admin password on startup
* user management UI
* check for deleted user on refresh
* validate username and fixes
* remove password constraint
* cleanup
* fix user check on refresh
* web fixes
* implement auth via new external port
* use x-forwarded-for to rate limit login attempts by ip
* implement logout and profile
* fixes
* lint fixes
* add support for user passthru from upstream proxies
* add support for specifying a logout url
* add documentation
* Update docs/docs/configuration/authentication.md
Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
* Update docs/docs/configuration/authentication.md
Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
---------
Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
