daniel/furtka
1
1
Fork 0
Code Issues 1 Pull requests Projects 1 Releases 13 Packages Wiki Activity Actions

13 releases 15 tags

RSS feed
  • 26.11-alpha 470823b347

    26.11-alpha
    All checks were successful
    Build ISO / build-iso (push) Successful in 17m30s
    Details
    CI / lint (push) Successful in 27s
    Details
    CI / test (push) Successful in 43s
    Details
    CI / validate-json (push) Successful in 31s
    Details
    CI / markdown-links (push) Successful in 15s
    Details
    Release / release (push) Successful in 11m38s
    Details
    Pre-release

    daniel released this 2026-04-21 13:01:17 +02:00 | 9 commits to main since this release

    Added

    • Login-auth for the Furtka web UI. Every /apps, /api/*, /,
      and /settings/ route now requires a signed-in session. New
      /login page serves a username/password form; POST /login
      validates against /var/lib/furtka/users.json (werkzeug PBKDF2-
      hashed), sets a furtka_session cookie (HttpOnly, SameSite= Strict, 7-day TTL), and redirects to /apps. POST /logout
      revokes the server-side session and clears the cookie.
      Unauthenticated HTML requests get a 302 to /login; unauthenticated
      API requests get 401 JSON. The old "No authentication on this UI
      yet" banner is gone; the /apps header picks up a Logout link
      instead.
    • First-run setup fallback for upgrade-path boxes. Boxes
      upgrading from 26.10-alpha have no users.json yet — on the first
      visit /login renders a setup form (username + password +
      password-confirm) that creates the admin record on submit. Fresh
      installs skip this: the webinstaller writes users.json during
      the chroot post-install step using the step-1 password, so the
      first browser visit after boot goes straight to the login form.
    • Caddy proxy routes /login and /logout. assets/Caddyfile
      gets two new handle blocks in the shared (furtka_routes)
      snippet so both the :80 block and the hostname.local, hostname
      HTTPS block forward the auth endpoints to the stdlib server on
      127.0.0.1:7000. Without this Caddy would serve a 404 from the
      static file server.

    Fixed

    • tests/test_installer.py ruff-format nit — the 26.10-alpha
      release commit had a misformatted list literal that failed
      ruff format --check. Caught when the Release page on Forgejo
      showed a red CI badge for the tag.
    • pyproject.toml version string bumped from the stale 26.8-alpha
      to 26.11-alpha. Release pipeline uses GITHUB_REF_NAME as source
      of truth for the artefact name, but having the two agree matters
      for local dev runs that read pyproject.toml.
    Downloads