
Conversation

@CryptoGnome
Owner

Fixes #5

Summary

  • Fixed dashboard password authentication not working
  • Fixed remote WebSocket settings not persisting
  • Improved configuration merging for nested objects
  • Added client-side authentication check

Changes

  1. Authentication System:

    • Replaced development mode bypass with proper authentication flow
    • Added client-side AuthCheck component
    • Fixed Edge Runtime compatibility issues in middleware
  2. Configuration Schema:

    • Added useRemoteWebSocket and websocketHost to server config schema
    • Updated defaults to include all server configuration fields
  3. Config Persistence:

    • Fixed config merger to properly handle nested server object
    • Fixed useWebSocketUrl hook data access

Testing

  • Build completes successfully
  • TypeScript compilation passes without errors
  • Manual testing should verify:
    • Dashboard password prompts when set
    • Remote WebSocket settings persist after save

🤖 Generated with Claude Code

- Added remote WebSocket settings (useRemoteWebSocket, websocketHost) to config schema
- Fixed middleware Edge Runtime compatibility by removing Node.js imports
- Implemented client-side authentication check with AuthCheck component
- Fixed config merging to properly handle nested server configuration
- Updated defaults to include all server configuration fields
- Fixed useWebSocketUrl hook to correctly access config data structure
- Improved authentication flow with password-required cookie mechanism

Co-authored-by: Crypto Gnome <[email protected]>

// Set cookie to indicate if password is required
if (data.passwordRequired) {
document.cookie = 'password-required=true; path=/; max-age=86400'; // 24 hours

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 5 months ago

To fix the problem, we need to ensure that any sensitive cookies set in the code, like password-required, include the secure attribute so they are only sent over HTTPS connections. Specifically, in src/components/AuthCheck.tsx, two places set or update the password-required cookie (lines 18 and 31). We should add the string ; secure to the cookie value in both cases. This change can be safely made by appending ; secure to the cookie string in both assignments to document.cookie. No new imports or methods are needed.

Suggested changeset 1
src/components/AuthCheck.tsx

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/components/AuthCheck.tsx b/src/components/AuthCheck.tsx
--- a/src/components/AuthCheck.tsx
+++ b/src/components/AuthCheck.tsx
@@ -15,7 +15,7 @@
 
         // Set cookie to indicate if password is required
         if (data.passwordRequired) {
-          document.cookie = 'password-required=true; path=/; max-age=86400'; // 24 hours
+          document.cookie = 'password-required=true; path=/; max-age=86400; secure'; // 24 hours
 
           // Check if we have a valid auth token
           const authToken = document.cookie
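Review bot: the added `secure` attribute on line 18 makes the browser silently discard this cookie whenever the dashboard is loaded from a plain http:// origin, so any reader of `password-required` would then never see `true`; confirm the deployment is HTTPS-only before applying, or gate the attribute on the page's protocol (e.g. append `; secure` only when `location.protocol === 'https:'`). While the string is being edited, add `SameSite=Lax` as well. Note that this cookie is a boolean UI flag written from script (it cannot be HttpOnly), so the fix satisfies the CodeQL pattern match on the name but does not by itself protect anything secret.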
@@ -28,7 +28,7 @@
           }
         } else {
           // No password required, clear the cookie
-          document.cookie = 'password-required=false; path=/; max-age=86400';
+          document.cookie = 'password-required=false; path=/; max-age=86400; secure';
         }
       } catch (error) {
         console.error('Failed to check auth status:', error);
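Review bot: the comment on this `else` branch says "clear the cookie", but both the old and the new line store `password-required=false` for 24 hours (`max-age=86400`); to actually remove the cookie use `max-age=0`, or reword the comment to say the flag is set to false. The same HTTPS caveat applies as on line 18: with `secure` the assignment is silently ignored over plain http. The trailing `console.error('Failed to check auth status:', error)` also logs the raw error object to the browser console, which is worth tightening alongside the error-message leakage item raised in the review.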
EOF
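As an added example (not code from the PR or the project), the two `document.cookie` assignments expressed through one helper, so the Secure and SameSite attributes are built in one place and clearing the flag really deletes the cookie instead of storing `false` for a day; `FlagCookieOptions`, `buildFlagCookie`, `clearFlagCookie` and `readCookie` are names assumed here.

```typescript
// Added example, not code from the PR: one helper for the client-side
// `password-required` flag that AuthCheck.tsx writes via document.cookie.
// The attribute list is built in one place so Secure/SameSite cannot be
// forgotten on one of the two assignments, and "clear" really deletes the
// cookie (Max-Age=0) instead of storing password-required=false for 24 hours.

export interface FlagCookieOptions {
  secure: boolean;            // true when the dashboard is served over HTTPS
  sameSite?: "Lax" | "Strict";
  maxAgeSeconds?: number;     // defaults to 24 hours, as in the PR
}

/** Serialize the flag cookie exactly as it should be assigned to document.cookie. */
export function buildFlagCookie(required: boolean, opts: FlagCookieOptions): string {
  const parts = [
    `password-required=${required}`,
    "path=/",
    `max-age=${opts.maxAgeSeconds ?? 86400}`,
    `SameSite=${opts.sameSite ?? "Lax"}`,
  ];
  // Secure takes no value. A browser silently drops a Secure cookie written from a
  // plain http:// origin, so only add it when the page really is served over HTTPS,
  // e.g. buildFlagCookie(true, { secure: location.protocol === "https:" }).
  if (opts.secure) parts.push("Secure");
  return parts.join("; ");
}

/** Value that deletes the flag (Max-Age=0) rather than storing "false" for a day. */
export function clearFlagCookie(opts: FlagCookieOptions): string {
  return buildFlagCookie(false, { ...opts, maxAgeSeconds: 0 });
}

/** Read one cookie by name from a document.cookie-style "a=1; b=2" string. */
export function readCookie(cookieString: string, name: string): string | undefined {
  for (const pair of cookieString.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    if (pair.slice(0, eq).trim() === name) {
      return decodeURIComponent(pair.slice(eq + 1).trim());
    }
  }
  return undefined;
}
```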
}
} else {
// No password required, clear the cookie
document.cookie = 'password-required=false; path=/; max-age=86400';

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 5 months ago

To fix the problem, we should append Secure to the cookie string whenever it is set, ensuring that browsers only send this cookie over HTTPS connections. In the context of the file src/components/AuthCheck.tsx, this involves updating line 31 where the cookie is being set, so that 'password-required=false; path=/; max-age=86400' becomes 'password-required=false; path=/; max-age=86400; Secure'. No new imports or methods are needed, as this is a simple string change and document.cookie supports this attribute natively.


Suggested changeset 1
src/components/AuthCheck.tsx

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/components/AuthCheck.tsx b/src/components/AuthCheck.tsx
--- a/src/components/AuthCheck.tsx
+++ b/src/components/AuthCheck.tsx
@@ -28,7 +28,7 @@
           }
         } else {
           // No password required, clear the cookie
-          document.cookie = 'password-required=false; path=/; max-age=86400';
+          document.cookie = 'password-required=false; path=/; max-age=86400; Secure';
         }
       } catch (error) {
         console.error('Failed to check auth status:', error);
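Review bot: this is the same line 31 change as the first suggested changeset, differing only in the capitalised `Secure`; cookie attribute names are case-insensitive so either spelling works, but apply only one of the two autofixes, since the second will no longer match its `-` context line once the first has been applied. The "clear the cookie" comment still contradicts storing a `false` value with `max-age=86400`; `max-age=0` would delete the cookie instead.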
EOF
@claude

claude bot commented Sep 28, 2025

Code Review for PR #13

Security Review (CRITICAL) - PASSED

  • No new dependencies or packages added (verified)
  • No hardcoded secrets or API keys
  • No obfuscated or malicious code detected
  • Authentication implementation uses httpOnly cookies

Critical Issue Found

Authentication Token Weakness (src/app/api/auth/login/route.ts:36)
The auth token embeds the dashboard password in Base64 encoding which exposes the password in the cookie. Recommend using secure session tokens or JWT instead.

Medium Priority Issues

  1. Client Cookie Security (src/components/AuthCheck.tsx:18) - Missing security flags on client-side cookies
  2. API Config Public Access (src/middleware.ts:4) - /api/config exposed without authentication
  3. Error Information Leakage - Different error messages reveal system state

Positive Aspects

  • Fixes config persistence for nested server objects
  • Proper Edge Runtime compatibility
  • Clean component structure
  • Maintains backward compatibility

Recommendations

  1. HIGH: Replace password-in-token with secure sessions
  2. MEDIUM: Secure /api/config endpoint
  3. LOW: Add auth endpoint rate limiting

The PR addresses the reported issues effectively but needs the auth token security issue resolved before merging.
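As an added example (not the project's code), the session-token pattern the review recommends in place of an auth cookie that carries the base64-encoded password: the server issues an opaque random token, keeps its expiry in memory, and the cookie holds only that token. `SessionStore`, `loginCookie`, the `auth-token` cookie name and the injectable clock are assumptions made here for illustration and testing.

```typescript
// Added example, not the project's code: the pattern the review recommends in
// place of an auth cookie that carries base64(password). The server keeps a map
// from opaque random tokens to expiry times, and the cookie only ever holds the
// token. SessionStore, loginCookie and the `auth-token` cookie name are
// assumptions for illustration; the injectable clock exists so expiry is testable.
import { randomBytes, timingSafeEqual } from "crypto";

export class SessionStore {
  private sessions = new Map<string, number>(); // token -> expiry, ms since epoch

  constructor(
    private ttlMs: number = 24 * 60 * 60 * 1000,
    private now: () => number = Date.now,
  ) {}

  /** Compare the submitted password in constant time and, on success, issue a token. */
  login(submitted: string, configured: string): string | null {
    const a = Buffer.from(submitted, "utf8");
    const b = Buffer.from(configured, "utf8");
    // timingSafeEqual throws on unequal lengths; checking length first only reveals
    // the password length, not its contents.
    if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
    const token = randomBytes(32).toString("hex"); // 256 random bits, nothing derived from the password
    this.sessions.set(token, this.now() + this.ttlMs);
    return token;
  }

  /** True only for a token this store issued that has not expired. */
  isValid(token: string | undefined): boolean {
    if (!token) return false;
    const expiry = this.sessions.get(token);
    if (expiry === undefined) return false;
    if (expiry <= this.now()) {
      this.sessions.delete(token); // lazy cleanup of expired sessions
      return false;
    }
    return true;
  }

  logout(token: string): void {
    this.sessions.delete(token);
  }
}

/** Set-Cookie value for the session: unreadable by scripts, HTTPS-only, not sent cross-site. */
export function loginCookie(token: string, ttlSeconds = 86400): string {
  return `auth-token=${token}; Path=/; Max-Age=${ttlSeconds}; HttpOnly; Secure; SameSite=Strict`;
}
```

Because the token is random rather than derived from the password, a leaked cookie reveals nothing about the dashboard password and can be revoked server-side by deleting the map entry.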

@CryptoGnome CryptoGnome merged commit 391d1c5 into main Sep 28, 2025
7 checks passed
@CryptoGnome CryptoGnome deleted the claude/issue-5-20250928-1133 branch September 29, 2025 12:03
cj4c0b1 pushed a commit to cj4c0b1/aster_lick_hunter_node that referenced this pull request Sep 30, 2025
…50928-1133

Fix configuration persistence and dashboard authentication issues


Development

Successfully merging this pull request may close these issues.

dashboardPassword not working..
