fix: password setup, CSRF 403, reboot after install
Critical fixes: - Remove ensure_default_user() — no more auto-creating user with password123. Login page now shows "Create Password" form on first boot. User sets their own password during onboarding flow. - CSRF 403: increased retry delay from 300ms to 500ms for stale cookie recovery after remember-me session restore. - Reboot: multiple fallback methods (/sbin/reboot, sysrq, kill init) when USB is pulled and /usr/sbin isn't available. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent
0f646a99d3
commit
967af7d96f
@ -115,10 +115,9 @@ async fn main() -> Result<()> {
|
|||||||
// Ensure a default user exists so login works after install/onboarding.
|
// Ensure a default user exists so login works after install/onboarding.
|
||||||
// In production, the default password is "password123" (shown during install).
|
// In production, the default password is "password123" (shown during install).
|
||||||
// In dev mode, the dev default password is used.
|
// In dev mode, the dev default password is used.
|
||||||
{
|
// Don't auto-create default user — let onboarding flow handle password setup
|
||||||
let auth = AuthManager::new(config.data_dir.clone());
|
// via auth.setup RPC. The Login page detects is_setup=false and shows
|
||||||
auth.ensure_default_user().await?;
|
// "Create Password" form instead of login form.
|
||||||
}
|
|
||||||
|
|
||||||
// Create server
|
// Create server
|
||||||
let server = Server::new(config.clone()).await?;
|
let server = Server::new(config.clone()).await?;
|
||||||
|
|||||||
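Review bot: With `ensure_default_user()` removed, the server starts with no account at all, so the `auth.setup` RPC named in the new comment has to be callable without credentials until onboarding completes. Its handler is not in this hunk, so it is worth confirming that it rejects every call once `is_setup` is true and that the check-and-create step is atomic. Devices that already ran the old code presumably still carry the `password123` account, and nothing visible here forces a password change on upgrade. I would extend the new comment with the invariant, e.g. `// auth.setup must fail once a user exists; pre-existing default-password accounts need a forced reset.` The body of `main` continues outside the hunk.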
@ -78,10 +78,10 @@ class RPCClient {
|
|||||||
}
|
}
|
||||||
throw new Error('Session expired')
|
throw new Error('Session expired')
|
||||||
}
|
}
|
||||||
// CSRF 403: retry once after short delay (cookie may have been
|
// CSRF 403: retry twice after delay (cookie may have been
|
||||||
// updated by a concurrent Set-Cookie response not yet visible to JS)
|
// updated by a concurrent Set-Cookie response not yet visible to JS)
|
||||||
if (response.status === 403 && attempt < maxRetries - 1) {
|
if (response.status === 403 && attempt < maxRetries - 1) {
|
||||||
await new Promise((r) => setTimeout(r, 300))
|
await new Promise((r) => setTimeout(r, 500))
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
const err = new Error(`HTTP ${response.status}: ${response.statusText}`)
|
const err = new Error(`HTTP ${response.status}: ${response.statusText}`)
|
||||||
|
|||||||
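Review bot: The updated comment says "retry twice", but the guard `attempt < maxRetries - 1` is unchanged and `maxRetries` is defined outside this hunk, so these lines do not establish the retry count. Wording such as `// CSRF 403: retry (up to maxRetries - 1 times) after a delay` would stay true if the constant changes. The branch also fires on every 403, not only on a CSRF mismatch, so a genuine authorization denial is now held back 500 ms per attempt before it reaches the caller. If the server marks CSRF failures distinctly (not visible here), narrowing the condition to that case would keep real denials from being retried. The enclosing retry loop starts and ends outside the hunk.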