docs: add authentication section to README #295
Changes from 5 commits
e07beeb
1b55b5a
f7bd805
29e9ff6
e0f2025
1d8ff55
@@ -184,15 +184,51 @@ The application will start at the port you specified in your .env | |||||||||||
| ## Security & Tools Configuration | ||||||||||||
| ### Authentication | ||||||||||||
| Claude Code UI includes **built-in authentication** to protect your data when running on a server or VPS: | ||||||||||||
| - **First-time setup**: When you first access the UI, you'll be prompted to create an admin account | ||||||||||||
| - **Single-user system**: Only one user account is supported (designed for personal use) | ||||||||||||
| - **JWT-based auth**: Secure token-based authentication with bcrypt password hashing | ||||||||||||
| - **Session persistence**: Stay logged in across browser sessions | ||||||||||||
| > ⚠️ **Important for Remote/VPS Deployment**: If you're running Claude Code UI on a remote server or VPS, authentication is **essential** to prevent unauthorized access to your projects and Claude sessions. Make sure to: | ||||||||||||
| > 1. Set a strong password during initial setup (minimum 12 characters recommended, with a mix of uppercase, lowercase, numbers, and symbols) | ||||||||||||
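Review bot: The "First-time setup" bullet should tell the reader to create the admin account before the UI is reachable from the network; as written, the first client to reach an exposed instance is the one that gets to create the admin account, which undercuts the VPS warning a few lines below. Suggest extending that bullet with something like "Do this before exposing the port (keep the UI bound to localhost or firewalled until the admin account exists)". The same warning block would also benefit from an item about serving the UI over HTTPS (or behind a TLS-terminating reverse proxy): the token described in the "JWT-based auth" bullet is sent with every request, and a strong password does not help if that token travels over plain HTTP on a VPS.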
| > 1. Set a strong password during initial setup (minimum 12 characters recommended, with a mix of uppercase, lowercase, numbers, and symbols) | |
| > 1. Set a strong password during initial setup (use at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols — this is a recommendation and is not enforced by the application) |
Copilot AI, Jan 18, 2026
The statement "Tokens do not expire by default - you stay logged in until you manually log out" is accurate based on the JWT implementation (no expiry set in the generateToken function). However, this is a security concern that should be documented differently. Consider rephrasing to acknowledge this as a potential security trade-off, for example: "Tokens do not expire by default for convenience, but this means you should log out when using shared or public computers."
| - **Token expiry**: Tokens do not expire by default - you stay logged in until you manually log out | |
| - **Token expiry**: Tokens do not expire by default for convenience; always log out when using shared or public computers to protect your account |
Copilot AI, Feb 27, 2026
This line implies token expiration is configurable (“do not expire by default”), but the implementation currently signs JWTs with no expiresIn at all (tokens never expire). Consider rewording to reflect the current behavior and to note the implication: a stolen token remains valid until logout/token removal or the server-side secret is rotated.
| - **Token expiry**: Tokens do not expire by default - you stay logged in until you manually log out | |
| - **Logging out**: Click the logout button to clear your session token | |
| - **Token expiry**: Tokens currently have no automatic expiration; they remain valid as long as they exist in storage and the server's JWT secret is not rotated | |
| - **Logging out**: Click the logout button to clear your session token from this browser | |
| - **Security implication**: If someone gains access to your JWT (for example via a compromised device), they can use it until the token is removed (logout/clearing storage) or the server's JWT secret is rotated |
Copilot AI, Jan 18, 2026
The password recovery instructions state "This will also clear any saved settings and GitHub tokens." However, based on the codebase, tools settings, themes, and other preferences are stored in localStorage (browser-side), not in the SQLite database. Only the user account and potentially database-stored settings would be cleared. Consider clarifying that this only clears server-side data (user account) and that browser-stored settings (tools, preferences) will remain unless the browser cache is cleared separately.
| > **Note**: This will also clear any saved settings and GitHub tokens. | |
| > **Note**: Resetting the database clears all **server-side** data (your user account and any database-stored settings or GitHub tokens). **Client-side** settings stored in your browser (such as tool configuration, themes, and other preferences saved in localStorage) are not removed; clear your browser data separately if you want to reset those as well. |
Copilot AI, Feb 27, 2026
This note says resetting the DB clears “saved settings”, but most UI settings/tool permissions are stored in the browser’s localStorage, not in the SQLite DB. Resetting the DB will clear server-side stored credentials (e.g., GitHub tokens / API keys), but not local browser settings. Please adjust the wording to avoid confusing users about what is actually lost.
| > **Note**: This will also clear any saved settings and GitHub tokens. | |
| > **Note**: This will also clear any server-side stored credentials (e.g., GitHub tokens or API keys), but it will not reset UI preferences or tool permissions stored in your browser (localStorage). |