npm - clay-server - Versions diffs - 2.11.0-beta.7 → 2.11.0-beta.9 - Mend

clay-server 2.11.0-beta.7 → 2.11.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/lib/pages.js +36 -0
package/lib/project.js +20 -1
package/lib/public/app.js +100 -0
package/lib/public/css/admin.css +43 -0
package/lib/public/modules/admin.js +131 -1
package/lib/server.js +106 -2
package/lib/users.js +29 -0
package/package.json +1 -1

package/lib/pages.js CHANGED Viewed

@@ -954,6 +954,7 @@ function multiUserLoginPageHtml() {
     'body:JSON.stringify({username:usernameEl.value,pin:pinEl.value})})' +
     '.then(function(r){return r.json()})' +
     '.then(function(d){' +
+    'if(d.ok&&d.mustChangePin){showChangePinOverlay();return}' +
     'if(d.ok){location.reload();return}' +
     'if(d.locked){var boxes=document.querySelectorAll(".pin-digit");' +
     'for(var i=0;i<boxes.length;i++)boxes[i].disabled=true;' +
@@ -964,6 +965,41 @@ function multiUserLoginPageHtml() {
     'errs[1].textContent=msg;resetPin()})' +
     '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
     'btns[1].onclick=doLogin;' +
+    // Force PIN change overlay
+    'function showChangePinOverlay(){' +
+    'var ov=document.createElement("div");ov.className="c";' +
+    'ov.style.cssText="position:fixed;inset:0;background:var(--bg,#0e0e10);z-index:9999;display:flex;align-items:center;justify-content:center";' +
+    'ov.innerHTML=\'<div style="width:100%;max-width:380px;padding:24px"><h1>Set your new PIN</h1>\'+' +
+    '\'<div class="sub">Your temporary PIN has expired. Please set a new 6-digit PIN to continue.</div>\'+' +
+    '\'<div id="new-pin-boxes" class="pin-boxes">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'<input class="pin-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off">\'+' +
+    '\'</div><input type="hidden" id="new-pin">\'+' +
+    '\'<button class="btn" id="save-new-pin" disabled style="margin-top:20px">Save PIN</button>\'+' +
+    '\'<div class="err" id="new-pin-err"></div></div>\';' +
+    'document.body.appendChild(ov);' +
+    'var newPinEl=ov.querySelector("#new-pin");' +
+    'var saveBtn=ov.querySelector("#save-new-pin");' +
+    'var errEl=ov.querySelector("#new-pin-err");' +
+    'initPinBoxes("new-pin-boxes","new-pin",function(){if(!saveBtn.disabled)doSavePin()});' +
+    'var nb=ov.querySelectorAll(".pin-digit");' +
+    'for(var i=0;i<nb.length;i++)nb[i].addEventListener("input",function(){saveBtn.disabled=newPinEl.value.length!==6});' +
+    'function doSavePin(){' +
+    'saveBtn.disabled=true;errEl.textContent="";' +
+    'fetch("/api/user/pin",{method:"PUT",headers:{"Content-Type":"application/json"},' +
+    'body:JSON.stringify({newPin:newPinEl.value})})' +
+    '.then(function(r){return r.json()})' +
+    '.then(function(d){' +
+    'if(d.ok){location.reload();return}' +
+    'errEl.textContent=d.error||"Failed to save PIN";saveBtn.disabled=false})' +
+    '.catch(function(){errEl.textContent="Connection error";saveBtn.disabled=false})}' +
+    'saveBtn.onclick=doSavePin}' +
     '</script></div></body></html>';
 }

package/lib/project.js CHANGED Viewed

@@ -1138,7 +1138,20 @@ function createProjectContext(opts) {
         }
       }
     }
-    if (active) {
+    // Auto-create a session if none exist for this client
+    var autoCreated = false;
+    if (!active) {
+      var autoOpts = {};
+      if (wsUser) autoOpts.ownerId = wsUser.id;
+      active = sm.createSession(autoOpts, ws);
+      autoCreated = true;
+    }
+    if (active && !autoCreated) {
+      // Backfill ownerId for legacy sessions restored without one
+      if (!active.ownerId && wsUser) {
+        active.ownerId = wsUser.id;
+        sm.saveSessionFile(active);
+      }
       ws._clayActiveSession = active.localId;
       sendTo(ws, { type: "session_switched", id: active.localId, cliSessionId: active.cliSessionId || null, loop: active.loop || null });
@@ -2902,6 +2915,12 @@ function createProjectContext(opts) {
     var session = getSessionForWs(ws);
     if (!session) return;
+    // Backfill ownerId for legacy sessions restored without one
+    if (!session.ownerId && ws._clayUser) {
+      session.ownerId = ws._clayUser.id;
+      sm.saveSessionFile(session);
+    }
     var userMsg = { type: "user_message", text: msg.text || "" };
     if (msg.images && msg.images.length > 0) {
       userMsg.imageCount = msg.images.length;

package/lib/public/app.js CHANGED Viewed

@@ -3957,6 +3957,105 @@ import { initAdmin, checkAdminAccess } from './modules/admin.js';
     basePath: basePath,
   });
+  // --- Force PIN change overlay (for admin-created accounts with temp PIN) ---
+  function showForceChangePinOverlay() {
+    var ov = document.createElement("div");
+    ov.id = "force-change-pin-overlay";
+    ov.style.cssText = "position:fixed;inset:0;background:var(--bg,#0e0e10);z-index:99999;display:flex;align-items:center;justify-content:center;flex-direction:column";
+    ov.innerHTML = '<div style="width:100%;max-width:380px;padding:24px;text-align:center">' +
+      '<h2 style="margin:0 0 8px;color:var(--text,#fff);font-size:22px">Set your new PIN</h2>' +
+      '<p style="margin:0 0 24px;color:var(--text-secondary,#aaa);font-size:14px">Your temporary PIN has expired. Please set a new 6-digit PIN to continue.</p>' +
+      '<div style="display:flex;gap:8px;justify-content:center;margin-bottom:16px" id="fcp-boxes">' +
+      '<input class="fcp-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off" style="width:44px;height:52px;text-align:center;font-size:22px;font-weight:600;border:2px solid var(--border,#333);border-radius:10px;background:var(--bg-secondary,#1a1a1e);color:var(--text,#fff);outline:none">' +
+      '<input class="fcp-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off" style="width:44px;height:52px;text-align:center;font-size:22px;font-weight:600;border:2px solid var(--border,#333);border-radius:10px;background:var(--bg-secondary,#1a1a1e);color:var(--text,#fff);outline:none">' +
+      '<input class="fcp-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off" style="width:44px;height:52px;text-align:center;font-size:22px;font-weight:600;border:2px solid var(--border,#333);border-radius:10px;background:var(--bg-secondary,#1a1a1e);color:var(--text,#fff);outline:none">' +
+      '<input class="fcp-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off" style="width:44px;height:52px;text-align:center;font-size:22px;font-weight:600;border:2px solid var(--border,#333);border-radius:10px;background:var(--bg-secondary,#1a1a1e);color:var(--text,#fff);outline:none">' +
+      '<input class="fcp-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off" style="width:44px;height:52px;text-align:center;font-size:22px;font-weight:600;border:2px solid var(--border,#333);border-radius:10px;background:var(--bg-secondary,#1a1a1e);color:var(--text,#fff);outline:none">' +
+      '<input class="fcp-digit" type="tel" maxlength="1" inputmode="numeric" autocomplete="off" style="width:44px;height:52px;text-align:center;font-size:22px;font-weight:600;border:2px solid var(--border,#333);border-radius:10px;background:var(--bg-secondary,#1a1a1e);color:var(--text,#fff);outline:none">' +
+      '</div>' +
+      '<button id="fcp-save" disabled style="width:100%;padding:12px;border:none;border-radius:10px;background:var(--accent,#7c3aed);color:#fff;font-size:15px;font-weight:600;cursor:pointer;opacity:0.5">Save PIN</button>' +
+      '<div id="fcp-err" style="margin-top:12px;color:#ef4444;font-size:13px"></div>' +
+      '</div>';
+    document.body.appendChild(ov);
+    var digits = ov.querySelectorAll(".fcp-digit");
+    var saveBtn = ov.querySelector("#fcp-save");
+    var errEl = ov.querySelector("#fcp-err");
+    function getPin() {
+      var pin = "";
+      for (var i = 0; i < digits.length; i++) pin += digits[i].value;
+      return pin;
+    }
+    function updateBtn() {
+      var ready = getPin().length === 6;
+      saveBtn.disabled = !ready;
+      saveBtn.style.opacity = ready ? "1" : "0.5";
+    }
+    for (var i = 0; i < digits.length; i++) {
+      (function (idx) {
+        digits[idx].addEventListener("input", function () {
+          var val = this.value.replace(/\D/g, "");
+          this.value = val.substring(0, 1);
+          if (val && idx < digits.length - 1) digits[idx + 1].focus();
+          updateBtn();
+        });
+        digits[idx].addEventListener("keydown", function (e) {
+          if (e.key === "Backspace" && !this.value && idx > 0) {
+            digits[idx - 1].focus();
+            digits[idx - 1].value = "";
+            updateBtn();
+          }
+          if (e.key === "Enter" && !saveBtn.disabled) doSave();
+          e.stopPropagation();
+        });
+        digits[idx].addEventListener("keyup", function (e) { e.stopPropagation(); });
+        digits[idx].addEventListener("keypress", function (e) { e.stopPropagation(); });
+        digits[idx].addEventListener("paste", function (e) {
+          e.preventDefault();
+          var text = (e.clipboardData || window.clipboardData).getData("text").replace(/\D/g, "").substring(0, 6);
+          for (var j = 0; j < text.length && (idx + j) < digits.length; j++) {
+            digits[idx + j].value = text[j];
+          }
+          if (text.length > 0) {
+            var focusIdx = Math.min(idx + text.length, digits.length - 1);
+            digits[focusIdx].focus();
+          }
+          updateBtn();
+        });
+      })(i);
+    }
+    digits[0].focus();
+    function doSave() {
+      var pin = getPin();
+      if (pin.length !== 6) return;
+      saveBtn.disabled = true;
+      saveBtn.style.opacity = "0.5";
+      errEl.textContent = "";
+      fetch("/api/user/pin", {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ newPin: pin }),
+      }).then(function (r) { return r.json(); }).then(function (d) {
+        if (d.ok) {
+          ov.remove();
+          return;
+        }
+        errEl.textContent = d.error || "Failed to save PIN";
+        saveBtn.disabled = false;
+        saveBtn.style.opacity = "1";
+      }).catch(function () {
+        errEl.textContent = "Connection error";
+        saveBtn.disabled = false;
+        saveBtn.style.opacity = "1";
+      });
+    }
+    saveBtn.addEventListener("click", doSave);
+  }
   // --- Admin (multi-user mode) ---
   var isMultiUserMode = false;
   var myUserId = null;
@@ -3966,6 +4065,7 @@ import { initAdmin, checkAdminAccess } from './modules/admin.js';
   fetch("/api/me").then(function (r) { return r.json(); }).then(function (d) {
     if (d.multiUser) isMultiUserMode = true;
     if (d.user && d.user.id) myUserId = d.user.id;
+    if (d.mustChangePin) showForceChangePinOverlay();
   }).catch(function () {});
   // Hide server settings and update controls for non-admin users in multi-user mode
   checkAdminAccess().then(function (isAdmin) {

package/lib/public/css/admin.css CHANGED Viewed

@@ -607,6 +607,49 @@
   color: var(--accent);
 }
+/* --- Temp PIN display (admin-created user credentials) --- */
+.admin-temp-pin-box {
+  background: var(--bg-alt);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 12px 16px;
+  margin-top: 12px;
+}
+.admin-temp-pin-row {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 6px 0;
+}
+.admin-temp-pin-row + .admin-temp-pin-row {
+  border-top: 1px solid var(--border);
+}
+.admin-temp-pin-label {
+  font-size: 12px;
+  font-weight: 600;
+  color: var(--text-muted);
+  text-transform: uppercase;
+  letter-spacing: 0.3px;
+}
+.admin-temp-pin-value {
+  font-size: 14px;
+  color: var(--text);
+  background: var(--bg);
+  padding: 4px 10px;
+  border-radius: 6px;
+}
+.admin-temp-pin-highlight {
+  font-size: 18px;
+  font-weight: 700;
+  letter-spacing: 3px;
+  color: var(--accent);
+}
 /* --- Session visibility indicator --- */
 .session-private-icon {
   display: inline-flex;

package/lib/public/modules/admin.js CHANGED Viewed

@@ -93,7 +93,11 @@ function loadUsersTab(body) {
 }
 function renderUsersTab(body) {
-  var html = '<div class="admin-user-list">';
+  var html = '<div class="admin-section-header">' +
+    '<div class="admin-header-btns">' +
+    '<button class="admin-action-btn" id="admin-add-user">' + iconHtml("user-plus") + ' Add User</button>' +
+    '</div></div>';
+  html += '<div class="admin-user-list">';
   for (var i = 0; i < cachedUsers.length; i++) {
     var u = cachedUsers[i];
     var isMe = meInfo && meInfo.user && meInfo.user.id === u.id;
@@ -117,6 +121,14 @@ function renderUsersTab(body) {
   body.innerHTML = html;
   refreshIcons(body);
+  // Bind add user button
+  var addUserBtn = body.querySelector("#admin-add-user");
+  if (addUserBtn) {
+    addUserBtn.addEventListener("click", function () {
+      showAddUserModal(body);
+    });
+  }
   // Bind remove buttons
   var removeBtns = body.querySelectorAll(".admin-remove-btn");
   for (var j = 0; j < removeBtns.length; j++) {
@@ -131,6 +143,124 @@ function renderUsersTab(body) {
   }
 }
+function showAddUserModal(body) {
+  var modal = document.createElement("div");
+  modal.className = "admin-modal-overlay";
+  var html = '<div class="admin-modal">' +
+    '<div class="admin-modal-header">' +
+    '<h3>Add User</h3>' +
+    '<button class="admin-modal-close">' + iconHtml("x") + '</button>' +
+    '</div>' +
+    '<div class="admin-modal-body">' +
+    '<p class="admin-modal-desc">Create a new user account. A temporary 6-digit PIN will be generated automatically. The user must change it on first login.</p>' +
+    '<div class="admin-smtp-row"><label>Username</label>' +
+    '<input type="text" class="admin-smtp-input" id="admin-new-username" placeholder="username" autocomplete="off" maxlength="100"></div>' +
+    '<div class="admin-smtp-row"><label>Display Name</label>' +
+    '<input type="text" class="admin-smtp-input" id="admin-new-displayname" placeholder="Display Name (optional)" autocomplete="off" maxlength="30"></div>' +
+    '<div class="admin-smtp-row"><label>Email</label>' +
+    '<input type="email" class="admin-smtp-input" id="admin-new-email" placeholder="user@example.com (optional)" autocomplete="off"></div>' +
+    '<div class="admin-smtp-row"><label>Role</label>' +
+    '<select class="admin-smtp-input" id="admin-new-role"><option value="user">User</option><option value="admin">Admin</option></select></div>' +
+    '<div class="admin-smtp-error" id="admin-new-user-error"></div>' +
+    '</div>' +
+    '<div class="admin-modal-footer">' +
+    '<button class="admin-modal-save" id="admin-new-user-create">Create User</button>' +
+    '<button class="admin-modal-cancel">Cancel</button>' +
+    '</div></div>';
+  modal.innerHTML = html;
+  document.body.appendChild(modal);
+  refreshIcons(modal);
+  var usernameInput = modal.querySelector("#admin-new-username");
+  var displayNameInput = modal.querySelector("#admin-new-displayname");
+  var emailInput = modal.querySelector("#admin-new-email");
+  var roleSelect = modal.querySelector("#admin-new-role");
+  var createBtn = modal.querySelector("#admin-new-user-create");
+  var errorEl = modal.querySelector("#admin-new-user-error");
+  modal.querySelector(".admin-modal-close").addEventListener("click", function () { modal.remove(); });
+  modal.querySelector(".admin-modal-cancel").addEventListener("click", function () { modal.remove(); });
+  modal.addEventListener("click", function (e) { if (e.target === modal) modal.remove(); });
+  usernameInput.focus();
+  usernameInput.addEventListener("keydown", function (e) {
+    if (e.key === "Enter") createBtn.click();
+  });
+  createBtn.addEventListener("click", function () {
+    var username = usernameInput.value.trim();
+    if (!username) {
+      errorEl.textContent = "Username is required";
+      errorEl.className = "admin-smtp-error admin-smtp-error-visible";
+      return;
+    }
+    createBtn.disabled = true;
+    createBtn.textContent = "Creating...";
+    errorEl.textContent = "";
+    errorEl.className = "admin-smtp-error";
+    apiPost("/api/admin/users", {
+      username: username,
+      displayName: displayNameInput.value.trim() || username,
+      email: emailInput.value.trim() || null,
+      role: roleSelect.value,
+    }).then(function (data) {
+      if (data.ok) {
+        modal.remove();
+        showTempPinModal(data.user, data.tempPin);
+        loadUsersTab(body);
+      } else {
+        errorEl.textContent = data.error || "Failed to create user";
+        errorEl.className = "admin-smtp-error admin-smtp-error-visible";
+        createBtn.disabled = false;
+        createBtn.textContent = "Create User";
+      }
+    }).catch(function () {
+      errorEl.textContent = "Failed to create user";
+      errorEl.className = "admin-smtp-error admin-smtp-error-visible";
+      createBtn.disabled = false;
+      createBtn.textContent = "Create User";
+    });
+  });
+}
+function showTempPinModal(user, tempPin) {
+  var modal = document.createElement("div");
+  modal.className = "admin-modal-overlay";
+  var html = '<div class="admin-modal">' +
+    '<div class="admin-modal-header">' +
+    '<h3>User Created</h3>' +
+    '<button class="admin-modal-close">' + iconHtml("x") + '</button>' +
+    '</div>' +
+    '<div class="admin-modal-body">' +
+    '<p class="admin-modal-desc">Account for <strong>' + escapeHtml(user.displayName || user.username) + '</strong> has been created. Share these credentials with the user:</p>' +
+    '<div class="admin-temp-pin-box">' +
+    '<div class="admin-temp-pin-row"><span class="admin-temp-pin-label">Username</span><code class="admin-temp-pin-value">' + escapeHtml(user.username) + '</code></div>' +
+    '<div class="admin-temp-pin-row"><span class="admin-temp-pin-label">Temporary PIN</span><code class="admin-temp-pin-value admin-temp-pin-highlight">' + escapeHtml(tempPin) + '</code></div>' +
+    '</div>' +
+    '<p class="admin-modal-desc" style="margin-top:12px;color:var(--text-secondary);font-size:12px;">This PIN is one-time use. The user will be prompted to set a new PIN on first login.</p>' +
+    '</div>' +
+    '<div class="admin-modal-footer">' +
+    '<button class="admin-modal-save" id="admin-copy-credentials">Copy Credentials</button>' +
+    '<button class="admin-modal-cancel">Close</button>' +
+    '</div></div>';
+  modal.innerHTML = html;
+  document.body.appendChild(modal);
+  refreshIcons(modal);
+  modal.querySelector(".admin-modal-close").addEventListener("click", function () { modal.remove(); });
+  modal.querySelector(".admin-modal-cancel").addEventListener("click", function () { modal.remove(); });
+  modal.addEventListener("click", function (e) { if (e.target === modal) modal.remove(); });
+  modal.querySelector("#admin-copy-credentials").addEventListener("click", function () {
+    var text = "Username: " + user.username + "\nTemporary PIN: " + tempPin;
+    copyToClipboard(text).then(function () {
+      showToast("Credentials copied to clipboard");
+    }).catch(function () {
+      showToast("Username: " + user.username + " / PIN: " + tempPin);
+    });
+  });
+}
 function removeUser(userId, body) {
   apiDelete("/api/admin/users/" + userId).then(function (data) {
     if (data.ok) {

package/lib/server.js CHANGED Viewed

@@ -569,11 +569,13 @@ function createServer(opts) {
           }
           clearPinFailures(ip);
           var session = createMultiUserSession(user.id, tlsOptions);
+          var loginResp = { ok: true, user: { id: user.id, username: user.username, role: user.role } };
+          if (user.mustChangePin) loginResp.mustChangePin = true;
           res.writeHead(200, {
             "Set-Cookie": session.cookie,
             "Content-Type": "application/json",
           });
-          res.end(JSON.stringify({ ok: true, user: { id: user.id, username: user.username, role: user.role } }));
+          res.end(JSON.stringify(loginResp));
         } catch (e) {
           res.writeHead(400, { "Content-Type": "application/json" });
           res.end('{"error":"Invalid request"}');
@@ -959,6 +961,45 @@ function createServer(opts) {
       return;
     }
+    // Change own PIN (multi-user mode)
+    if (req.method === "PUT" && fullUrl === "/api/user/pin") {
+      if (!users.isMultiUser()) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end('{"error":"Not found"}');
+        return;
+      }
+      var mu = getMultiUserFromReq(req);
+      if (!mu) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end('{"error":"unauthorized"}');
+        return;
+      }
+      var body = "";
+      req.on("data", function (chunk) { body += chunk; });
+      req.on("end", function () {
+        try {
+          var data = JSON.parse(body);
+          if (!data.newPin || typeof data.newPin !== "string" || !/^\d{6}$/.test(data.newPin)) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            res.end('{"error":"PIN must be exactly 6 digits"}');
+            return;
+          }
+          var result = users.updateUserPin(mu.id, data.newPin);
+          if (result.error) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: result.error }));
+            return;
+          }
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end('{"ok":true}');
+        } catch (e) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end('{"error":"Invalid request"}');
+        }
+      });
+      return;
+    }
     // --- Admin API endpoints (multi-user mode only) ---
     // List all users (admin only)
@@ -1016,6 +1057,67 @@ function createServer(opts) {
       return;
     }
+    // Create user (admin only) — generates a temporary PIN that must be changed on first login
+    if (req.method === "POST" && fullUrl === "/api/admin/users") {
+      if (!users.isMultiUser()) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end('{"error":"Not found"}');
+        return;
+      }
+      var mu = getMultiUserFromReq(req);
+      if (!mu || mu.role !== "admin") {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end('{"error":"Admin access required"}');
+        return;
+      }
+      var body = "";
+      req.on("data", function (chunk) { body += chunk; });
+      req.on("end", function () {
+        try {
+          var data = JSON.parse(body);
+          if (!data.username || typeof data.username !== "string" || data.username.trim().length < 1) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            res.end('{"error":"Username is required"}');
+            return;
+          }
+          var result = users.createUserByAdmin({
+            username: data.username.trim(),
+            displayName: data.displayName ? data.displayName.trim() : data.username.trim(),
+            email: data.email ? data.email.trim() : null,
+            role: data.role === "admin" ? "admin" : "user",
+          });
+          if (result.error) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: result.error }));
+            return;
+          }
+          // Auto-provision Linux account if OS users mode is enabled
+          if (osUsers && !result.user.linuxUser) {
+            var provision = provisionLinuxUser(result.user.username);
+            if (provision.ok) {
+              users.updateLinuxUser(result.user.id, provision.linuxUser);
+              if (onUserProvisioned) onUserProvisioned(result.user.id, provision.linuxUser);
+            }
+          }
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            ok: true,
+            user: {
+              id: result.user.id,
+              username: result.user.username,
+              displayName: result.user.displayName,
+              role: result.user.role,
+            },
+            tempPin: result.tempPin,
+          }));
+        } catch (e) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end('{"error":"Invalid request"}');
+        }
+      });
+      return;
+    }
     // Set Linux user mapping (admin only, OS-level multi-user)
     if (req.method === "PUT" && fullUrl.match(/^\/api\/admin\/users\/[^/]+\/linux-user$/)) {
       if (!users.isMultiUser()) {
@@ -1478,8 +1580,10 @@ function createServer(opts) {
         res.end('{"error":"unauthorized"}');
         return;
       }
+      var meResp = { multiUser: true, smtpEnabled: smtp.isSmtpConfigured(), emailLoginEnabled: smtp.isEmailLoginEnabled(), user: { id: mu.id, username: mu.username, email: mu.email || null, displayName: mu.displayName, role: mu.role } };
+      if (mu.mustChangePin) meResp.mustChangePin = true;
       res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ multiUser: true, smtpEnabled: smtp.isSmtpConfigured(), emailLoginEnabled: smtp.isEmailLoginEnabled(), user: { id: mu.id, username: mu.username, email: mu.email || null, displayName: mu.displayName, role: mu.role } }));
+      res.end(JSON.stringify(meResp));
       return;
     }

package/lib/users.js CHANGED Viewed

@@ -140,6 +140,7 @@ function createUser(opts) {
     displayName: opts.displayName || opts.username,
     pinHash: hashPin(opts.pin),
     role: opts.role || "user",
+    mustChangePin: !!opts.mustChangePin,
     createdAt: Date.now(),
     linuxUser: opts.linuxUser || null,
     profile: opts.profile || {
@@ -258,6 +259,7 @@ function updateUserPin(userId, newPin) {
   for (var i = 0; i < data.users.length; i++) {
     if (data.users[i].id === userId) {
       data.users[i].pinHash = hashPin(newPin);
+      data.users[i].mustChangePin = false;
       saveUsers(data);
       return { ok: true };
     }
@@ -265,6 +267,31 @@ function updateUserPin(userId, newPin) {
   return { error: "User not found" };
 }
+// Generate a random 6-digit PIN
+function generatePin() {
+  var digits = "";
+  var bytes = crypto.randomBytes(6);
+  for (var i = 0; i < 6; i++) {
+    digits += (bytes[i] % 10).toString();
+  }
+  return digits;
+}
+// Admin creates a user with a temporary PIN (must be changed on first login)
+function createUserByAdmin(opts) {
+  var tempPin = generatePin();
+  var result = createUser({
+    username: opts.username,
+    displayName: opts.displayName || opts.username,
+    email: opts.email || null,
+    pin: tempPin,
+    role: opts.role || "user",
+    mustChangePin: true,
+  });
+  if (result.error) return result;
+  return { ok: true, user: result.user, tempPin: tempPin };
+}
 // --- Linux user mapping (OS-level multi-user) ---
 function updateLinuxUser(userId, linuxUsername) {
@@ -506,4 +533,6 @@ module.exports = {
   canAccessSession: canAccessSession,
   getOtherUsers: getOtherUsers,
   updateLinuxUser: updateLinuxUser,
+  generatePin: generatePin,
+  createUserByAdmin: createUserByAdmin,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.11.0-beta.7",
+  "version": "2.11.0-beta.9",
   "description": "Web UI for Claude Code. Any device. Push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",