feat: added option to have separate password for basic auth #68
Conversation
Pull request overview
Adds support for an optional, separate password for HTTP Basic auth (e.g., OPDS/WebDAV) while keeping the normal account password valid, including API + UI flows to set/clear it and persistence in the user record.
Changes:
- Add `basicAuthPasswordHash` to the Users schema/repository and expose `hasBasicAuthPassword` via auth-related use cases/types.
- Update Basic auth verification to accept either the account password or the optional separate Basic-auth password.
- Add `/api/auth/basic-password` endpoints plus client/UI wiring to set/clear the separate Basic-auth password, with regression tests.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| sake/tests/auth/authCleanup.test.ts | Extends auth regression tests to cover hasBasicAuthPassword and set/clear behavior. |
| sake/src/routes/api/basicAuth.ts | Updates Basic auth gate to fall back to the separate Basic-auth password when the account password doesn't match. |
| sake/src/routes/api/auth/basic-password/+server.ts | New authenticated API endpoints to set/clear the separate Basic-auth password. |
| sake/src/lib/types/Auth/CurrentUser.ts | Adds hasBasicAuthPassword to the current-user contract. |
| sake/src/lib/types/Auth/BasicAuthPassword.ts | Adds response type for set/clear Basic-auth password endpoints. |
| sake/src/lib/server/infrastructure/repositories/UserRepository.ts | Persists/reads basicAuthPasswordHash and adds update method. |
| sake/src/lib/server/infrastructure/db/schema.ts | Adds basic_auth_password_hash column to Users table schema. |
| sake/src/lib/server/domain/entities/UserAccount.ts | Extends domain entity with basicAuthPasswordHash. |
| sake/src/lib/server/application/use-cases/SetBasicAuthPasswordUseCase.ts | New use case to validate + hash + store separate Basic-auth password. |
| sake/src/lib/server/application/use-cases/ClearBasicAuthPasswordUseCase.ts | New use case to clear separate Basic-auth password hash. |
| sake/src/lib/server/application/use-cases/LoginLocalAccountUseCase.ts | Returns hasBasicAuthPassword in login response user payload. |
| sake/src/lib/server/application/use-cases/GetCurrentUserUseCase.ts | Returns hasBasicAuthPassword in current-user response. |
| sake/src/lib/server/application/use-cases/BootstrapLocalAccountUseCase.ts | Includes hasBasicAuthPassword in bootstrap response (initialized false). |
| sake/src/lib/server/application/ports/UserRepositoryPort.ts | Extends repository port with setBasicAuthPasswordHash. |
| sake/src/lib/server/application/composition.ts | Wires new use cases into the application composition. |
| sake/src/lib/components/sidebar/SidebarSettingsModal/SidebarSettingsModal.svelte | Plumbs new callbacks/loading flags into settings modal. |
| sake/src/lib/components/sidebar/SidebarSettingsAccountPane/SidebarSettingsAccountPane.svelte | Adds UI to generate/set/remove separate Basic-auth password and display status. |
| sake/src/lib/components/sidebar/SidebarSettingsAccountPane/SidebarSettingsAccountPane.module.scss | Styles for the new Basic-auth section/buttons/inputs. |
| sake/src/lib/components/sidebar/Sidebar/sidebarSettingsController.svelte.ts | Adds controller actions/state to call new AuthService methods + refresh current user. |
| sake/src/lib/components/sidebar/Sidebar/Sidebar.svelte | Wires settings controller handlers/flags into the modal. |
| sake/src/lib/client/services/authService.ts | Adds client service methods to set/clear Basic-auth password. |
| sake/src/lib/client/routes/setBasicAuthPassword.ts | Adds client route wrapper for PUT /api/auth/basic-password. |
| sake/src/lib/client/routes/clearBasicAuthPassword.ts | Adds client route wrapper for DELETE /api/auth/basic-password. |
| sake/src/lib/client/base/routes.ts | Adds route constant for /auth/basic-password. |
| sake/README.md | Updates auth-related env/config description to reflect local accounts + optional Basic auth. |
| sake/drizzle/meta/0020_snapshot.json | Drizzle snapshot update including new Users column. |
| sake/drizzle/meta/_journal.json | Adds migration journal entry for the new Users column. |
| sake/drizzle/0020_users_basic_auth_password.sql | Adds SQL migration to add basic_auth_password_hash column. |
```svelte
<input
  id="basic-auth-password"
  class="settings-basic-auth-input"
  type="text"
  bind:value={basicAuthPassword}
  placeholder="Enter a new Basic authentication password"
  autocomplete="new-password"
  disabled={isSavingBasicAuthPassword || isRemovingBasicAuthPassword}
/>
```
The Basic authentication password input is rendered as type="text", which displays the password in clear text and reduces compatibility with password managers. Use type="password" (and consider adding spellcheck={false} / autocapitalize="none") to treat it as a credential field.
```typescript
try {
  const result = await setBasicAuthPasswordUseCase.execute({
    userId: locals.auth.user.id,
    password: typeof body.password === 'string' ? body.password : ''
  });
```
Non-string or missing password values are coerced to an empty string ('') and passed to the use case, which leads to a generic "at least 8 characters" validation error. It would be clearer to validate the request shape here (e.g., require typeof body.password === 'string') and return a specific 400 error like "Password is required" / "Password must be a string".
No description provided.