From 431c22a16a64448c3ee70078ab403f7cb046c6e5 Mon Sep 17 00:00:00 2001 From: Tam Nhu Tran Date: Tue, 7 Apr 2026 05:19:44 -0400 Subject: [PATCH] fix(dashboard): gate remote read-only auth --- src/commands/docker/up-subcommand.ts | 2 +- src/web-server/routes/auth-routes.ts | 24 +++---- .../commands/docker-up-subcommand.test.ts | 3 +- .../auth-check-remote-access.test.ts | 6 +- .../shared/localhost-disclaimer.tsx | 40 ++++++++--- .../components/auth/require-auth.test.tsx | 71 +++++++++++++++++++ .../shared/localhost-disclaimer.test.tsx | 47 ++++++++++++ ui/tests/unit/pages/login-page.test.tsx | 17 +++-- 8 files changed, 176 insertions(+), 34 deletions(-) create mode 100644 ui/tests/unit/components/auth/require-auth.test.tsx create mode 100644 ui/tests/unit/components/shared/localhost-disclaimer.test.tsx diff --git a/src/commands/docker/up-subcommand.ts b/src/commands/docker/up-subcommand.ts index fcbb4242..fa7c7bf3 100644 --- a/src/commands/docker/up-subcommand.ts +++ b/src/commands/docker/up-subcommand.ts @@ -40,7 +40,7 @@ export async function handleUp(args: string[]): Promise { if (parsed.host) { console.log( info( - 'Remote access requires dashboard auth. Run inside the container:\n docker exec -it ccs-cliproxy ccs config auth setup' + 'Full remote management requires dashboard auth. Without it, remote access stays read-only.\nRun inside the container:\n docker exec -it ccs-cliproxy ccs config auth setup' ) ); } diff --git a/src/web-server/routes/auth-routes.ts b/src/web-server/routes/auth-routes.ts index d3bd0bcf..6fcd3e22 100644 --- a/src/web-server/routes/auth-routes.ts +++ b/src/web-server/routes/auth-routes.ts @@ -42,7 +42,17 @@ export function resolveDashboardAccessState( const isLocalAccess = isLoopbackRemoteAddress(remoteAddress); const authConfigured = Boolean(authConfig.username && authConfig.password_hash); - if (authConfig.enabled && authConfigured) { + if (!authConfig.enabled) { + return { + authRequired: false, + authEnabled: false, + authConfigured, + isLocalAccess, + accessMode: 'open', + }; + } + + if (authConfigured) { return { authRequired: true, authEnabled: true, @@ -52,19 +62,9 @@ export function resolveDashboardAccessState( }; } - if (!authConfig.enabled && isLocalAccess) { - return { - authRequired: false, - authEnabled: false, - authConfigured, - isLocalAccess: true, - accessMode: 'open', - }; - } - return { authRequired: true, - authEnabled: authConfig.enabled, + authEnabled: true, authConfigured, isLocalAccess, accessMode: 'setup', diff --git a/tests/unit/commands/docker-up-subcommand.test.ts b/tests/unit/commands/docker-up-subcommand.test.ts index ba290b6c..9aace1f1 100644 --- a/tests/unit/commands/docker-up-subcommand.test.ts +++ b/tests/unit/commands/docker-up-subcommand.test.ts @@ -38,7 +38,8 @@ describe('docker up subcommand', () => { expect(rendered).toContain('Docker stack is running on docker-box.'); expect(rendered).toContain('Dashboard port: 4000'); expect(rendered).toContain('CLIProxy port: 9317'); - expect(rendered).toContain('Remote access requires dashboard auth'); + expect(rendered).toContain('Full remote management requires dashboard auth'); + expect(rendered).toContain('Without it, remote access stays read-only.'); expect(capture.errorLines).toEqual([]); expect(process.exitCode).toBe(0); } finally { diff --git a/tests/unit/web-server/auth-check-remote-access.test.ts b/tests/unit/web-server/auth-check-remote-access.test.ts index 2f1ac17c..fc115673 100644 --- a/tests/unit/web-server/auth-check-remote-access.test.ts +++ b/tests/unit/web-server/auth-check-remote-access.test.ts @@ -54,18 +54,18 @@ describe('resolveDashboardAccessState', () => { }); }); - it('shows setup state for remote access when auth is disabled', () => { + it('keeps remote access open when auth is disabled', () => { expect( resolveDashboardAccessState( { enabled: false, username: '', password_hash: '', session_timeout_hours: 24 }, '192.168.2.100' ) ).toEqual({ - authRequired: true, + authRequired: false, authEnabled: false, authConfigured: false, isLocalAccess: false, - accessMode: 'setup', + accessMode: 'open', }); }); diff --git a/ui/src/components/shared/localhost-disclaimer.tsx b/ui/src/components/shared/localhost-disclaimer.tsx index 78d5c6e1..5890da43 100644 --- a/ui/src/components/shared/localhost-disclaimer.tsx +++ b/ui/src/components/shared/localhost-disclaimer.tsx @@ -1,24 +1,48 @@ import { Shield, X } from 'lucide-react'; import { useState } from 'react'; +import { useAuth } from '@/contexts/auth-context'; export function LocalhostDisclaimer() { const [dismissed, setDismissed] = useState(false); + const { authEnabled, isLocalAccess, loading } = useAuth(); - if (dismissed) return null; + if (dismissed || loading) return null; + + const isRemoteReadonly = !isLocalAccess && !authEnabled; + const wrapperClasses = isRemoteReadonly + ? 'w-full border-t border-amber-200 bg-amber-50 px-4 py-2 text-amber-900 transition-colors duration-200 dark:border-amber-800 dark:bg-amber-900/20 dark:text-amber-200' + : 'w-full border-t border-yellow-200 bg-yellow-50 px-4 py-2 text-yellow-800 transition-colors duration-200 dark:border-yellow-800 dark:bg-yellow-900/20 dark:text-yellow-200'; + const dismissClasses = isRemoteReadonly + ? 'text-amber-600 hover:bg-amber-100 hover:text-amber-800 dark:text-amber-400 dark:hover:bg-amber-800/30' + : 'text-yellow-600 hover:bg-yellow-100 hover:text-yellow-800 dark:text-yellow-400 dark:hover:bg-yellow-800/30'; + const message = isRemoteReadonly ? ( + <> + + Remote dashboard access is read-only until you run ccs config auth setup on the host. + + + Remote dashboard is read-only until host auth is configured. + + + ) : ( + <> + + This dashboard runs locally. All data stays on your machine. + + Local dashboard - data stays on your device. + + ); return ( -
+
-
+
- - This dashboard runs locally. All data stays on your machine. - - Local dashboard - data stays on your device. + {message}
} /> + }> + dashboard page
} /> + + + + ); +} + +describe('RequireAuth', () => { + beforeEach(() => { + useAuthMock.mockReset(); + }); + + it('allows remote readonly sessions through without redirecting to login', () => { + useAuthMock.mockReturnValue({ + authRequired: false, + isAuthenticated: false, + username: null, + loading: false, + authEnabled: false, + authConfigured: false, + isLocalAccess: false, + accessMode: 'open', + login: vi.fn(), + logout: vi.fn(), + }); + + renderGuard(); + + expect(screen.getByText('dashboard page')).toBeVisible(); + expect(screen.queryByText('login page')).toBeNull(); + }); + + it('redirects unauthenticated users when dashboard auth is enabled', () => { + useAuthMock.mockReturnValue({ + authRequired: true, + isAuthenticated: false, + username: null, + loading: false, + authEnabled: true, + authConfigured: true, + isLocalAccess: false, + accessMode: 'login', + login: vi.fn(), + logout: vi.fn(), + }); + + renderGuard(); + + expect(screen.getByText('login page')).toBeVisible(); + expect(screen.queryByText('dashboard page')).toBeNull(); + }); +}); diff --git a/ui/tests/unit/components/shared/localhost-disclaimer.test.tsx b/ui/tests/unit/components/shared/localhost-disclaimer.test.tsx new file mode 100644 index 00000000..5525543e --- /dev/null +++ b/ui/tests/unit/components/shared/localhost-disclaimer.test.tsx @@ -0,0 +1,47 @@ +import { beforeEach, describe, expect, it, vi } from 'vitest'; +import { render, screen } from '@testing-library/react'; +import { LocalhostDisclaimer } from '@/components/shared/localhost-disclaimer'; + +const { useAuthMock } = vi.hoisted(() => ({ + useAuthMock: vi.fn(), +})); + +vi.mock('@/contexts/auth-context', () => ({ + useAuth: useAuthMock, +})); + +describe('LocalhostDisclaimer', () => { + beforeEach(() => { + useAuthMock.mockReset(); + }); + + it('shows the local safety copy for loopback sessions', () => { + useAuthMock.mockReturnValue({ + authEnabled: false, + isLocalAccess: true, + loading: false, + }); + + render(); + + expect( + screen.getByText('This dashboard runs locally. All data stays on your machine.') + ).toBeVisible(); + }); + + it('shows the remote read-only copy when auth is disabled for remote access', () => { + useAuthMock.mockReturnValue({ + authEnabled: false, + isLocalAccess: false, + loading: false, + }); + + render(); + + expect( + screen.getByText( + 'Remote dashboard access is read-only until you run ccs config auth setup on the host.' + ) + ).toBeVisible(); + }); +}); diff --git a/ui/tests/unit/pages/login-page.test.tsx b/ui/tests/unit/pages/login-page.test.tsx index 14dc5cbd..689e5992 100644 --- a/ui/tests/unit/pages/login-page.test.tsx +++ b/ui/tests/unit/pages/login-page.test.tsx @@ -1,7 +1,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'; import i18n from '@/lib/i18n'; import { LoginPage } from '@/pages/login'; -import { render, screen, userEvent } from '@tests/setup/test-utils'; +import { render, screen, userEvent, waitFor } from '@tests/setup/test-utils'; const { navigateMock, useAuthMock } = vi.hoisted(() => ({ navigateMock: vi.fn(), @@ -40,13 +40,13 @@ describe('LoginPage', () => { await i18n.changeLanguage('en'); }); - it('renders a setup state for remote access when dashboard auth is unavailable', () => { + it('redirects away when dashboard auth is disabled for remote access', async () => { useAuthMock.mockReturnValue({ - authRequired: true, + authRequired: false, isAuthenticated: false, username: null, loading: false, - accessMode: 'setup', + accessMode: 'open', authEnabled: false, authConfigured: false, isLocalAccess: false, @@ -56,11 +56,10 @@ describe('LoginPage', () => { render(); - expect(screen.getByRole('heading', { name: 'Remote access needs host setup' })).toBeVisible(); - expect(screen.getByText('ccs config auth setup')).toBeVisible(); - expect(screen.getByText('No default credentials ship with CCS.')).toBeVisible(); - expect(screen.queryByLabelText('Username')).not.toBeInTheDocument(); - expect(screen.queryByRole('button', { name: 'Sign In' })).not.toBeInTheDocument(); + await waitFor(() => { + expect(navigateMock).toHaveBeenCalledWith('/settings', { replace: true }); + }); + expect(screen.queryByRole('heading', { name: 'Remote access needs host setup' })).toBeNull(); }); it('renders the incomplete setup copy when auth is enabled without credentials', () => {