mirror of
https://github.com/tiennm99/ccs.git
synced 2026-07-16 08:17:11 +00:00
fix(dashboard): gate remote read-only auth
This commit is contained in:
@@ -40,7 +40,7 @@ export async function handleUp(args: string[]): Promise<void> {
|
||||
if (parsed.host) {
|
||||
console.log(
|
||||
info(
|
||||
'Remote access requires dashboard auth. Run inside the container:\n docker exec -it ccs-cliproxy ccs config auth setup'
|
||||
'Full remote management requires dashboard auth. Without it, remote access stays read-only.\nRun inside the container:\n docker exec -it ccs-cliproxy ccs config auth setup'
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
@@ -42,7 +42,17 @@ export function resolveDashboardAccessState(
|
||||
const isLocalAccess = isLoopbackRemoteAddress(remoteAddress);
|
||||
const authConfigured = Boolean(authConfig.username && authConfig.password_hash);
|
||||
|
||||
if (authConfig.enabled && authConfigured) {
|
||||
if (!authConfig.enabled) {
|
||||
return {
|
||||
authRequired: false,
|
||||
authEnabled: false,
|
||||
authConfigured,
|
||||
isLocalAccess,
|
||||
accessMode: 'open',
|
||||
};
|
||||
}
|
||||
|
||||
if (authConfigured) {
|
||||
return {
|
||||
authRequired: true,
|
||||
authEnabled: true,
|
||||
@@ -52,19 +62,9 @@ export function resolveDashboardAccessState(
|
||||
};
|
||||
}
|
||||
|
||||
if (!authConfig.enabled && isLocalAccess) {
|
||||
return {
|
||||
authRequired: false,
|
||||
authEnabled: false,
|
||||
authConfigured,
|
||||
isLocalAccess: true,
|
||||
accessMode: 'open',
|
||||
};
|
||||
}
|
||||
|
||||
return {
|
||||
authRequired: true,
|
||||
authEnabled: authConfig.enabled,
|
||||
authEnabled: true,
|
||||
authConfigured,
|
||||
isLocalAccess,
|
||||
accessMode: 'setup',
|
||||
|
||||
@@ -38,7 +38,8 @@ describe('docker up subcommand', () => {
|
||||
expect(rendered).toContain('Docker stack is running on docker-box.');
|
||||
expect(rendered).toContain('Dashboard port: 4000');
|
||||
expect(rendered).toContain('CLIProxy port: 9317');
|
||||
expect(rendered).toContain('Remote access requires dashboard auth');
|
||||
expect(rendered).toContain('Full remote management requires dashboard auth');
|
||||
expect(rendered).toContain('Without it, remote access stays read-only.');
|
||||
expect(capture.errorLines).toEqual([]);
|
||||
expect(process.exitCode).toBe(0);
|
||||
} finally {
|
||||
|
||||
@@ -54,18 +54,18 @@ describe('resolveDashboardAccessState', () => {
|
||||
});
|
||||
});
|
||||
|
||||
it('shows setup state for remote access when auth is disabled', () => {
|
||||
it('keeps remote access open when auth is disabled', () => {
|
||||
expect(
|
||||
resolveDashboardAccessState(
|
||||
{ enabled: false, username: '', password_hash: '', session_timeout_hours: 24 },
|
||||
'192.168.2.100'
|
||||
)
|
||||
).toEqual({
|
||||
authRequired: true,
|
||||
authRequired: false,
|
||||
authEnabled: false,
|
||||
authConfigured: false,
|
||||
isLocalAccess: false,
|
||||
accessMode: 'setup',
|
||||
accessMode: 'open',
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -1,24 +1,48 @@
|
||||
import { Shield, X } from 'lucide-react';
|
||||
import { useState } from 'react';
|
||||
import { useAuth } from '@/contexts/auth-context';
|
||||
|
||||
export function LocalhostDisclaimer() {
|
||||
const [dismissed, setDismissed] = useState(false);
|
||||
const { authEnabled, isLocalAccess, loading } = useAuth();
|
||||
|
||||
if (dismissed) return null;
|
||||
if (dismissed || loading) return null;
|
||||
|
||||
const isRemoteReadonly = !isLocalAccess && !authEnabled;
|
||||
const wrapperClasses = isRemoteReadonly
|
||||
? 'w-full border-t border-amber-200 bg-amber-50 px-4 py-2 text-amber-900 transition-colors duration-200 dark:border-amber-800 dark:bg-amber-900/20 dark:text-amber-200'
|
||||
: 'w-full border-t border-yellow-200 bg-yellow-50 px-4 py-2 text-yellow-800 transition-colors duration-200 dark:border-yellow-800 dark:bg-yellow-900/20 dark:text-yellow-200';
|
||||
const dismissClasses = isRemoteReadonly
|
||||
? 'text-amber-600 hover:bg-amber-100 hover:text-amber-800 dark:text-amber-400 dark:hover:bg-amber-800/30'
|
||||
: 'text-yellow-600 hover:bg-yellow-100 hover:text-yellow-800 dark:text-yellow-400 dark:hover:bg-yellow-800/30';
|
||||
const message = isRemoteReadonly ? (
|
||||
<>
|
||||
<span className="hidden sm:inline">
|
||||
Remote dashboard access is read-only until you run ccs config auth setup on the host.
|
||||
</span>
|
||||
<span className="sm:hidden">
|
||||
Remote dashboard is read-only until host auth is configured.
|
||||
</span>
|
||||
</>
|
||||
) : (
|
||||
<>
|
||||
<span className="hidden sm:inline">
|
||||
This dashboard runs locally. All data stays on your machine.
|
||||
</span>
|
||||
<span className="sm:hidden">Local dashboard - data stays on your device.</span>
|
||||
</>
|
||||
);
|
||||
|
||||
return (
|
||||
<div className="w-full bg-yellow-50 dark:bg-yellow-900/20 border-t border-yellow-200 dark:border-yellow-800 px-4 py-2 transition-colors duration-200">
|
||||
<div className={wrapperClasses}>
|
||||
<div className="flex items-center justify-center gap-4">
|
||||
<div className="flex items-center gap-2 text-sm text-yellow-800 dark:text-yellow-200">
|
||||
<div className="flex items-center gap-2 text-sm">
|
||||
<Shield className="w-4 h-4 flex-shrink-0" />
|
||||
<span className="hidden sm:inline">
|
||||
This dashboard runs locally. All data stays on your machine.
|
||||
</span>
|
||||
<span className="sm:hidden">Local dashboard - data stays on your device.</span>
|
||||
{message}
|
||||
</div>
|
||||
<button
|
||||
onClick={() => setDismissed(true)}
|
||||
className="text-yellow-600 hover:text-yellow-800 dark:text-yellow-400 flex-shrink-0 p-1 rounded hover:bg-yellow-100 dark:hover:bg-yellow-800/30 transition-colors"
|
||||
className={`flex-shrink-0 rounded p-1 transition-colors ${dismissClasses}`}
|
||||
aria-label="Dismiss disclaimer"
|
||||
>
|
||||
<X className="w-4 h-4" />
|
||||
|
||||
@@ -0,0 +1,71 @@
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest';
|
||||
import { render, screen } from '@testing-library/react';
|
||||
import { MemoryRouter, Route, Routes } from 'react-router-dom';
|
||||
import { RequireAuth } from '@/components/auth/require-auth';
|
||||
|
||||
const { useAuthMock } = vi.hoisted(() => ({
|
||||
useAuthMock: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('@/contexts/auth-context', () => ({
|
||||
useAuth: useAuthMock,
|
||||
}));
|
||||
|
||||
function renderGuard(initialPath = '/') {
|
||||
return render(
|
||||
<MemoryRouter initialEntries={[initialPath]}>
|
||||
<Routes>
|
||||
<Route path="/login" element={<div>login page</div>} />
|
||||
<Route element={<RequireAuth />}>
|
||||
<Route path="/" element={<div>dashboard page</div>} />
|
||||
</Route>
|
||||
</Routes>
|
||||
</MemoryRouter>
|
||||
);
|
||||
}
|
||||
|
||||
describe('RequireAuth', () => {
|
||||
beforeEach(() => {
|
||||
useAuthMock.mockReset();
|
||||
});
|
||||
|
||||
it('allows remote readonly sessions through without redirecting to login', () => {
|
||||
useAuthMock.mockReturnValue({
|
||||
authRequired: false,
|
||||
isAuthenticated: false,
|
||||
username: null,
|
||||
loading: false,
|
||||
authEnabled: false,
|
||||
authConfigured: false,
|
||||
isLocalAccess: false,
|
||||
accessMode: 'open',
|
||||
login: vi.fn(),
|
||||
logout: vi.fn(),
|
||||
});
|
||||
|
||||
renderGuard();
|
||||
|
||||
expect(screen.getByText('dashboard page')).toBeVisible();
|
||||
expect(screen.queryByText('login page')).toBeNull();
|
||||
});
|
||||
|
||||
it('redirects unauthenticated users when dashboard auth is enabled', () => {
|
||||
useAuthMock.mockReturnValue({
|
||||
authRequired: true,
|
||||
isAuthenticated: false,
|
||||
username: null,
|
||||
loading: false,
|
||||
authEnabled: true,
|
||||
authConfigured: true,
|
||||
isLocalAccess: false,
|
||||
accessMode: 'login',
|
||||
login: vi.fn(),
|
||||
logout: vi.fn(),
|
||||
});
|
||||
|
||||
renderGuard();
|
||||
|
||||
expect(screen.getByText('login page')).toBeVisible();
|
||||
expect(screen.queryByText('dashboard page')).toBeNull();
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,47 @@
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest';
|
||||
import { render, screen } from '@testing-library/react';
|
||||
import { LocalhostDisclaimer } from '@/components/shared/localhost-disclaimer';
|
||||
|
||||
const { useAuthMock } = vi.hoisted(() => ({
|
||||
useAuthMock: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('@/contexts/auth-context', () => ({
|
||||
useAuth: useAuthMock,
|
||||
}));
|
||||
|
||||
describe('LocalhostDisclaimer', () => {
|
||||
beforeEach(() => {
|
||||
useAuthMock.mockReset();
|
||||
});
|
||||
|
||||
it('shows the local safety copy for loopback sessions', () => {
|
||||
useAuthMock.mockReturnValue({
|
||||
authEnabled: false,
|
||||
isLocalAccess: true,
|
||||
loading: false,
|
||||
});
|
||||
|
||||
render(<LocalhostDisclaimer />);
|
||||
|
||||
expect(
|
||||
screen.getByText('This dashboard runs locally. All data stays on your machine.')
|
||||
).toBeVisible();
|
||||
});
|
||||
|
||||
it('shows the remote read-only copy when auth is disabled for remote access', () => {
|
||||
useAuthMock.mockReturnValue({
|
||||
authEnabled: false,
|
||||
isLocalAccess: false,
|
||||
loading: false,
|
||||
});
|
||||
|
||||
render(<LocalhostDisclaimer />);
|
||||
|
||||
expect(
|
||||
screen.getByText(
|
||||
'Remote dashboard access is read-only until you run ccs config auth setup on the host.'
|
||||
)
|
||||
).toBeVisible();
|
||||
});
|
||||
});
|
||||
@@ -1,7 +1,7 @@
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest';
|
||||
import i18n from '@/lib/i18n';
|
||||
import { LoginPage } from '@/pages/login';
|
||||
import { render, screen, userEvent } from '@tests/setup/test-utils';
|
||||
import { render, screen, userEvent, waitFor } from '@tests/setup/test-utils';
|
||||
|
||||
const { navigateMock, useAuthMock } = vi.hoisted(() => ({
|
||||
navigateMock: vi.fn(),
|
||||
@@ -40,13 +40,13 @@ describe('LoginPage', () => {
|
||||
await i18n.changeLanguage('en');
|
||||
});
|
||||
|
||||
it('renders a setup state for remote access when dashboard auth is unavailable', () => {
|
||||
it('redirects away when dashboard auth is disabled for remote access', async () => {
|
||||
useAuthMock.mockReturnValue({
|
||||
authRequired: true,
|
||||
authRequired: false,
|
||||
isAuthenticated: false,
|
||||
username: null,
|
||||
loading: false,
|
||||
accessMode: 'setup',
|
||||
accessMode: 'open',
|
||||
authEnabled: false,
|
||||
authConfigured: false,
|
||||
isLocalAccess: false,
|
||||
@@ -56,11 +56,10 @@ describe('LoginPage', () => {
|
||||
|
||||
render(<LoginPage />);
|
||||
|
||||
expect(screen.getByRole('heading', { name: 'Remote access needs host setup' })).toBeVisible();
|
||||
expect(screen.getByText('ccs config auth setup')).toBeVisible();
|
||||
expect(screen.getByText('No default credentials ship with CCS.')).toBeVisible();
|
||||
expect(screen.queryByLabelText('Username')).not.toBeInTheDocument();
|
||||
expect(screen.queryByRole('button', { name: 'Sign In' })).not.toBeInTheDocument();
|
||||
await waitFor(() => {
|
||||
expect(navigateMock).toHaveBeenCalledWith('/settings', { replace: true });
|
||||
});
|
||||
expect(screen.queryByRole('heading', { name: 'Remote access needs host setup' })).toBeNull();
|
||||
});
|
||||
|
||||
it('renders the incomplete setup copy when auth is enabled without credentials', () => {
|
||||
|
||||
Reference in New Issue
Block a user