fix(auth): signal auth-required for remote access in /api/auth/check

The auth check endpoint always returned authRequired=false when auth
was disabled, even for remote clients. This caused the UI to render
the dashboard directly, where all data API calls return 403 silently.

Now detects remote access via isLoopbackRemoteAddress and sets
effectiveAuthRequired=true, so the UI properly redirects to the login
page. Also fixes misleading catch handler comment in auth-context.
This commit is contained in:
Tam Nhu Tran
2026-03-29 10:54:44 -04:00
parent 59be7f8682
commit 5a09547532
2 changed files with 11 additions and 4 deletions
+8 -2
View File
@@ -7,7 +7,7 @@ import { Router, type Request, type Response } from 'express';
import bcrypt from 'bcrypt';
import crypto from 'crypto';
import { getDashboardAuthConfig } from '../../config/unified-config-loader';
import { loginRateLimiter } from '../middleware/auth-middleware';
import { isLoopbackRemoteAddress, loginRateLimiter } from '../middleware/auth-middleware';
/**
* Timing-safe string comparison to prevent timing attacks.
@@ -94,9 +94,15 @@ router.post('/logout', (req: Request, res: Response) => {
*/
router.get('/check', (req: Request, res: Response) => {
const authConfig = getDashboardAuthConfig();
const isLocal = isLoopbackRemoteAddress(req.socket.remoteAddress);
// When auth is not configured and access is remote, the dashboard API
// endpoints return 403. Signal auth-required so the UI can show the
// login/setup page instead of a silently broken dashboard.
const effectiveAuthRequired = authConfig.enabled || !isLocal;
res.json({
authRequired: authConfig.enabled,
authRequired: effectiveAuthRequired,
authenticated: req.session?.authenticated ?? false,
username: req.session?.username ?? null,
});
+3 -2
View File
@@ -47,8 +47,9 @@ export function AuthProvider({ children }: { children: ReactNode }) {
setUsername(res.username);
})
.catch(() => {
// If auth check fails (e.g., 403 from remote access without auth configured),
// treat as auth required so the login page appears instead of a broken dashboard.
// If auth check fails (network error, server down, CORS issue),
// fail closed: require auth instead of granting access.
// Prevents silently broken dashboard when server is unreachable.
setAuthRequired(true);
setIsAuthenticated(false);
})