fix(dashboard): gate remote read-only auth

This commit is contained in:
Tam Nhu Tran
2026-04-07 05:19:44 -04:00
parent ff4a781990
commit 431c22a16a
8 changed files with 176 additions and 34 deletions
+1 -1
View File
@@ -40,7 +40,7 @@ export async function handleUp(args: string[]): Promise<void> {
if (parsed.host) {
console.log(
info(
'Remote access requires dashboard auth. Run inside the container:\n docker exec -it ccs-cliproxy ccs config auth setup'
'Full remote management requires dashboard auth. Without it, remote access stays read-only.\nRun inside the container:\n docker exec -it ccs-cliproxy ccs config auth setup'
)
);
}
+12 -12
View File
@@ -42,7 +42,17 @@ export function resolveDashboardAccessState(
const isLocalAccess = isLoopbackRemoteAddress(remoteAddress);
const authConfigured = Boolean(authConfig.username && authConfig.password_hash);
if (authConfig.enabled && authConfigured) {
if (!authConfig.enabled) {
return {
authRequired: false,
authEnabled: false,
authConfigured,
isLocalAccess,
accessMode: 'open',
};
}
if (authConfigured) {
return {
authRequired: true,
authEnabled: true,
@@ -52,19 +62,9 @@ export function resolveDashboardAccessState(
};
}
if (!authConfig.enabled && isLocalAccess) {
return {
authRequired: false,
authEnabled: false,
authConfigured,
isLocalAccess: true,
accessMode: 'open',
};
}
return {
authRequired: true,
authEnabled: authConfig.enabled,
authEnabled: true,
authConfigured,
isLocalAccess,
accessMode: 'setup',
@@ -38,7 +38,8 @@ describe('docker up subcommand', () => {
expect(rendered).toContain('Docker stack is running on docker-box.');
expect(rendered).toContain('Dashboard port: 4000');
expect(rendered).toContain('CLIProxy port: 9317');
expect(rendered).toContain('Remote access requires dashboard auth');
expect(rendered).toContain('Full remote management requires dashboard auth');
expect(rendered).toContain('Without it, remote access stays read-only.');
expect(capture.errorLines).toEqual([]);
expect(process.exitCode).toBe(0);
} finally {
@@ -54,18 +54,18 @@ describe('resolveDashboardAccessState', () => {
});
});
it('shows setup state for remote access when auth is disabled', () => {
it('keeps remote access open when auth is disabled', () => {
expect(
resolveDashboardAccessState(
{ enabled: false, username: '', password_hash: '', session_timeout_hours: 24 },
'192.168.2.100'
)
).toEqual({
authRequired: true,
authRequired: false,
authEnabled: false,
authConfigured: false,
isLocalAccess: false,
accessMode: 'setup',
accessMode: 'open',
});
});
@@ -1,24 +1,48 @@
import { Shield, X } from 'lucide-react';
import { useState } from 'react';
import { useAuth } from '@/contexts/auth-context';
export function LocalhostDisclaimer() {
const [dismissed, setDismissed] = useState(false);
const { authEnabled, isLocalAccess, loading } = useAuth();
if (dismissed) return null;
if (dismissed || loading) return null;
const isRemoteReadonly = !isLocalAccess && !authEnabled;
const wrapperClasses = isRemoteReadonly
? 'w-full border-t border-amber-200 bg-amber-50 px-4 py-2 text-amber-900 transition-colors duration-200 dark:border-amber-800 dark:bg-amber-900/20 dark:text-amber-200'
: 'w-full border-t border-yellow-200 bg-yellow-50 px-4 py-2 text-yellow-800 transition-colors duration-200 dark:border-yellow-800 dark:bg-yellow-900/20 dark:text-yellow-200';
const dismissClasses = isRemoteReadonly
? 'text-amber-600 hover:bg-amber-100 hover:text-amber-800 dark:text-amber-400 dark:hover:bg-amber-800/30'
: 'text-yellow-600 hover:bg-yellow-100 hover:text-yellow-800 dark:text-yellow-400 dark:hover:bg-yellow-800/30';
const message = isRemoteReadonly ? (
<>
<span className="hidden sm:inline">
Remote dashboard access is read-only until you run ccs config auth setup on the host.
</span>
<span className="sm:hidden">
Remote dashboard is read-only until host auth is configured.
</span>
</>
) : (
<>
<span className="hidden sm:inline">
This dashboard runs locally. All data stays on your machine.
</span>
<span className="sm:hidden">Local dashboard - data stays on your device.</span>
</>
);
return (
<div className="w-full bg-yellow-50 dark:bg-yellow-900/20 border-t border-yellow-200 dark:border-yellow-800 px-4 py-2 transition-colors duration-200">
<div className={wrapperClasses}>
<div className="flex items-center justify-center gap-4">
<div className="flex items-center gap-2 text-sm text-yellow-800 dark:text-yellow-200">
<div className="flex items-center gap-2 text-sm">
<Shield className="w-4 h-4 flex-shrink-0" />
<span className="hidden sm:inline">
This dashboard runs locally. All data stays on your machine.
</span>
<span className="sm:hidden">Local dashboard - data stays on your device.</span>
{message}
</div>
<button
onClick={() => setDismissed(true)}
className="text-yellow-600 hover:text-yellow-800 dark:text-yellow-400 flex-shrink-0 p-1 rounded hover:bg-yellow-100 dark:hover:bg-yellow-800/30 transition-colors"
className={`flex-shrink-0 rounded p-1 transition-colors ${dismissClasses}`}
aria-label="Dismiss disclaimer"
>
<X className="w-4 h-4" />
@@ -0,0 +1,71 @@
import { beforeEach, describe, expect, it, vi } from 'vitest';
import { render, screen } from '@testing-library/react';
import { MemoryRouter, Route, Routes } from 'react-router-dom';
import { RequireAuth } from '@/components/auth/require-auth';
const { useAuthMock } = vi.hoisted(() => ({
useAuthMock: vi.fn(),
}));
vi.mock('@/contexts/auth-context', () => ({
useAuth: useAuthMock,
}));
function renderGuard(initialPath = '/') {
return render(
<MemoryRouter initialEntries={[initialPath]}>
<Routes>
<Route path="/login" element={<div>login page</div>} />
<Route element={<RequireAuth />}>
<Route path="/" element={<div>dashboard page</div>} />
</Route>
</Routes>
</MemoryRouter>
);
}
describe('RequireAuth', () => {
beforeEach(() => {
useAuthMock.mockReset();
});
it('allows remote readonly sessions through without redirecting to login', () => {
useAuthMock.mockReturnValue({
authRequired: false,
isAuthenticated: false,
username: null,
loading: false,
authEnabled: false,
authConfigured: false,
isLocalAccess: false,
accessMode: 'open',
login: vi.fn(),
logout: vi.fn(),
});
renderGuard();
expect(screen.getByText('dashboard page')).toBeVisible();
expect(screen.queryByText('login page')).toBeNull();
});
it('redirects unauthenticated users when dashboard auth is enabled', () => {
useAuthMock.mockReturnValue({
authRequired: true,
isAuthenticated: false,
username: null,
loading: false,
authEnabled: true,
authConfigured: true,
isLocalAccess: false,
accessMode: 'login',
login: vi.fn(),
logout: vi.fn(),
});
renderGuard();
expect(screen.getByText('login page')).toBeVisible();
expect(screen.queryByText('dashboard page')).toBeNull();
});
});
@@ -0,0 +1,47 @@
import { beforeEach, describe, expect, it, vi } from 'vitest';
import { render, screen } from '@testing-library/react';
import { LocalhostDisclaimer } from '@/components/shared/localhost-disclaimer';
const { useAuthMock } = vi.hoisted(() => ({
useAuthMock: vi.fn(),
}));
vi.mock('@/contexts/auth-context', () => ({
useAuth: useAuthMock,
}));
describe('LocalhostDisclaimer', () => {
beforeEach(() => {
useAuthMock.mockReset();
});
it('shows the local safety copy for loopback sessions', () => {
useAuthMock.mockReturnValue({
authEnabled: false,
isLocalAccess: true,
loading: false,
});
render(<LocalhostDisclaimer />);
expect(
screen.getByText('This dashboard runs locally. All data stays on your machine.')
).toBeVisible();
});
it('shows the remote read-only copy when auth is disabled for remote access', () => {
useAuthMock.mockReturnValue({
authEnabled: false,
isLocalAccess: false,
loading: false,
});
render(<LocalhostDisclaimer />);
expect(
screen.getByText(
'Remote dashboard access is read-only until you run ccs config auth setup on the host.'
)
).toBeVisible();
});
});
+8 -9
View File
@@ -1,7 +1,7 @@
import { beforeEach, describe, expect, it, vi } from 'vitest';
import i18n from '@/lib/i18n';
import { LoginPage } from '@/pages/login';
import { render, screen, userEvent } from '@tests/setup/test-utils';
import { render, screen, userEvent, waitFor } from '@tests/setup/test-utils';
const { navigateMock, useAuthMock } = vi.hoisted(() => ({
navigateMock: vi.fn(),
@@ -40,13 +40,13 @@ describe('LoginPage', () => {
await i18n.changeLanguage('en');
});
it('renders a setup state for remote access when dashboard auth is unavailable', () => {
it('redirects away when dashboard auth is disabled for remote access', async () => {
useAuthMock.mockReturnValue({
authRequired: true,
authRequired: false,
isAuthenticated: false,
username: null,
loading: false,
accessMode: 'setup',
accessMode: 'open',
authEnabled: false,
authConfigured: false,
isLocalAccess: false,
@@ -56,11 +56,10 @@ describe('LoginPage', () => {
render(<LoginPage />);
expect(screen.getByRole('heading', { name: 'Remote access needs host setup' })).toBeVisible();
expect(screen.getByText('ccs config auth setup')).toBeVisible();
expect(screen.getByText('No default credentials ship with CCS.')).toBeVisible();
expect(screen.queryByLabelText('Username')).not.toBeInTheDocument();
expect(screen.queryByRole('button', { name: 'Sign In' })).not.toBeInTheDocument();
await waitFor(() => {
expect(navigateMock).toHaveBeenCalledWith('/settings', { replace: true });
});
expect(screen.queryByRole('heading', { name: 'Remote access needs host setup' })).toBeNull();
});
it('renders the incomplete setup copy when auth is enabled without credentials', () => {