mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-05-25 03:00:23 +00:00
732c995d91
Settings password silently no-opped when HERMES_WEBUI_PASSWORD was set: the env var takes precedence in api.auth.get_password_hash(), but the UI happily POSTed _set_password and returned a green "Saved" toast while every subsequent login still required the env-var password. Same for Disable Auth (_clear_password=true).

Backend (api/routes.py):
- GET /api/settings now exposes password_env_var: bool so the UI knows the field is shadowed.
- POST /api/settings refuses _set_password and _clear_password with HTTP 409 + a clear message naming HERMES_WEBUI_PASSWORD when the env var is set. Short-circuits BEFORE save_settings() so settings.json is not touched.

Frontend (static/index.html, static/panels.js, static/i18n.js):
- Added settingsPasswordEnvLock banner div in the System pane.
- panels.js reads settings.password_env_var, disables the password field, swaps in a localized "locked" placeholder, reveals the banner, and hides the Disable Auth button (its POST would 409 anyway).
- New i18n keys password_env_var_locked and password_env_var_locked_placeholder added to all 9 locales (en, ja, ru, es, de, zh, zh-Hant, pt, ko).

Tests:
- tests/test_issue1560_password_env_var_lock.py: requirement-pinning (handler exposes flag, 409 on set/clear, banner div, panels.js wiring, i18n in all 9 locales, env var name in messages, live HTTP smoke when env unset).
- tests/test_1560_password_env_var_no_op.py: behavioral via FakeHandler (real status codes for env-set/unset/blank, settings.json hash unchanged after 409, panels.js disable+banner+placeholder+disable-auth-hidden).

Both files run clean: 23 passed in 2.04s. test_issue1139_password_remote.py unaffected (4/4 still pass).
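
The guard the commit message describes, as an added example that is not the project's code: a settings write that refuses `_set_password` and `_clear_password` with 409 before the file is touched whenever `HERMES_WEBUI_PASSWORD` shadows the stored hash. The function names, the SHA-256 stand-in, the error text and the treatment of a blank value as unset are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ENV_VAR = "HERMES_WEBUI_PASSWORD"                   # name from the commit message
LOCKED_KEYS = ("_set_password", "_clear_password")  # request keys from the commit message

def _hash(password):
    # Constructed stand-in; the project's real hashing scheme is not shown on the page.
    return hashlib.sha256(password.encode()).hexdigest()

def env_locked(env):
    # Assumption: a blank or whitespace-only value counts as unset.
    return bool(env.get(ENV_VAR, "").strip())

def effective_hash(env, settings):
    # The env var shadows the stored hash, which is why a UI write had no effect on login.
    return _hash(env[ENV_VAR]) if env_locked(env) else settings.get("password_hash")

def post_settings(body, env, path):
    """Return (status, payload); refuse shadowed writes before touching the file."""
    if env_locked(env) and any(body.get(k) for k in LOCKED_KEYS):
        return 409, {"error": f"Password is set by {ENV_VAR}; unset it to change it here."}
    settings = json.loads(Path(path).read_text())
    if body.get("_clear_password"):
        settings.pop("password_hash", None)
    elif body.get("_set_password"):
        settings["password_hash"] = _hash(body["_set_password"])
    Path(path).write_text(json.dumps(settings))
    return 200, {"ok": True, "password_env_var": env_locked(env)}

def demo():
    """Run the locked and unlocked cases against a temporary settings file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "settings.json"
        path.write_text(json.dumps({"password_hash": _hash("old")}))
        before = path.read_bytes()
        locked, _ = post_settings({"_set_password": "new"}, {ENV_VAR: "from-env"}, path)
        untouched = path.read_bytes() == before
        unlocked, _ = post_settings({"_set_password": "new"}, {}, path)
        changed = path.read_bytes() != before
        return locked, untouched, unlocked, changed

if __name__ == "__main__":
    print(demo())
```

Comparing the file bytes before and after the refused request is the check that matters: a 409 issued after the write would still leave a hash on disk that takes effect once the env var is removed.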