26.14-alpha
Pre-release, released 2026-04-21 18:16:42 +02:00

Fixed
- Landing page and `/settings/` were silently bypassing the auth
  guard. Since 26.11 shipped login, the Caddyfile only
  reverse-proxied `/api/*`, `/apps*`, `/login*`, and `/logout*` to
  Python. Everything else — including `/` and `/settings/` — fell
  through to Caddy's catch-all `file_server` and was served straight
  from `assets/www/` without ever hitting the session check. The
  effect: a LAN visitor saw the box's hostname, IP, Furtka version,
  and the buttons for Update-now / Reboot / HTTPS-toggle. The API
  calls those buttons fired were all 401-auth-gated so actions didn't
  land, but the information leak and the "looks open" UX were a real
  bug. Caught in the 26.13 SSH test session when the user noticed
  Logout only showed up on `/apps`. Now Caddy routes `/` and
  `/settings*` through Python; a new `_serve_static_www` handler
  checks the session cookie, redirects to `/login` if unauthed, and
  reads the HTML from `assets/www/` otherwise. Catch-all still
  serves `/style.css`, `/rootCA.crt`, and the runtime JSON files
  publicly — those don't need auth.
- Logout link now shows on every authed page, not just `/apps`.
  The static HTML for `/` and `/settings/` maintained their own nav
  separate from `_HTML` in `api.py`, so they never got the Logout
  entry when it was added in 26.11. Both nav bars now include it
  plus an inline `doLogout()` that POSTs `/logout` and bounces to
  `/login`, matching the pattern in `_HTML`.
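
The session gate described in the first item, sketched as an added example (this is not Furtka's own `_serve_static_www`). The cookie name, the file names under `assets/www/`, the in-memory session set and the injectable `read` function are assumptions made for illustration.

```python
import hmac
from http.cookies import CookieError, SimpleCookie
from pathlib import Path

WWW_ROOT = Path("assets/www")   # directory named in the release note
COOKIE_NAME = "session"         # assumed cookie name
LOGIN_URL = "/login"
# Fixed map of gated pages to files (file names assumed). Request paths are
# only ever used as lookup keys, never joined onto WWW_ROOT.
PROTECTED_PAGES = {"/": "index.html", "/settings": "settings/index.html"}


def session_valid(cookie_header, active_sessions):
    """True if the Cookie header carries a token from the server-side session set."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return False
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return False
    presented = morsel.value.encode()
    # Each candidate token is compared in constant time.
    return any(hmac.compare_digest(presented, t.encode()) for t in active_sessions)


def serve_static_www(path, cookie_header, active_sessions, read=Path.read_bytes):
    """Return (status, headers, body) for a request Caddy proxied for / or /settings*."""
    key = path.split("?", 1)[0].rstrip("/") or "/"
    rel = PROTECTED_PAGES.get(key)
    if rel is None:
        return 404, {}, b""            # unknown path: no fallback to the file tree
    if not session_valid(cookie_header, active_sessions):
        # The session check happens before any file is opened.
        return 302, {"Location": LOGIN_URL, "Cache-Control": "no-store"}, b""
    headers = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store"}
    return 200, headers, read(WWW_ROOT / rel)
```

Sending `Cache-Control: no-store` on both responses keeps a shared browser or intermediary from replaying the authed HTML after logout.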