clay-server 2.36.2-beta.4 → 2.36.2-beta.5

@@ -320,6 +320,7 @@ export function showForceChangePinOverlay() {
320
320
  '</div>' +
321
321
  '<button id="fcp-save" disabled style="width:100%;padding:12px;border:none;border-radius:10px;background:var(--accent);color:#fff;font-size:15px;font-weight:600;cursor:pointer;opacity:0.5;transition:opacity 0.15s">Save PIN</button>' +
322
322
  '<div id="fcp-err" style="margin-top:12px;color:var(--error,#ef4444);font-size:13px;min-height:1.3em"></div>' +
323
+ '<button id="fcp-logout" type="button" style="margin-top:8px;background:none;border:none;color:var(--text-dimmer,#888);font-size:13px;cursor:pointer;text-decoration:underline">Log out and start over</button>' +
323
324
  '</div>';
324
325
  document.body.appendChild(ov);
325
326
 
@@ -417,6 +418,17 @@ export function showForceChangePinOverlay() {
417
418
  });
418
419
  }
419
420
  saveBtn.addEventListener("click", doSave);
421
+
422
+ var logoutBtn = ov.querySelector("#fcp-logout");
423
+ if (logoutBtn) {
424
+ logoutBtn.addEventListener("click", function () {
425
+ fetch("/auth/logout", { method: "POST" }).then(function () {
426
+ location.href = "/";
427
+ }).catch(function () {
428
+ location.href = "/";
429
+ });
430
+ });
431
+ }
420
432
  }
421
433
 
422
434
  export function sendExtensionCommand(command, args, requestId) {
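Review bot: The logout handler added at new lines 424-430 navigates to `/` whether or not `/auth/logout` succeeded, because `fetch` resolves on HTTP error statuses and the `.catch` branch redirects as well. A failed logout therefore leaves the session cookie valid while the user believes they have signed out, which matters on a shared browser while the account is still in the forced-PIN-change state. Check `res.ok` before redirecting, and report a failure in the existing `#fcp-err` element instead of leaving the page. showForceChangePinOverlay begins before this hunk, so the surrounding error handling is not visible here.

```javascript
logoutBtn.addEventListener("click", function () {
  var errBox = ov.querySelector("#fcp-err");
  fetch("/auth/logout", { method: "POST" }).then(function (res) {
    // fetch() only rejects on network failure; an HTTP error still resolves.
    if (!res.ok) throw new Error("logout failed: " + res.status);
    location.href = "/";
  }).catch(function () {
    // The session may still be valid server-side, so do not imply the user is signed out.
    if (errBox) errBox.textContent = "Could not log out. Check your connection and try again.";
  });
});
```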
@@ -332,7 +332,12 @@ function attachSettings(ctx) {
332
332
  res.end('{"error":"PIN must be exactly 6 digits"}');
333
333
  return;
334
334
  }
335
- if (mu.pinHash) {
335
+ // Forced PIN change after temporary PIN login: skip currentPin
336
+ // verification. The user authenticated with the temp PIN to
337
+ // establish this session, so requiring them to re-enter it adds
338
+ // friction without security benefit. The session cookie is the
339
+ // proof of possession.
340
+ if (mu.pinHash && !mu.mustChangePin) {
336
341
  if (!data.currentPin || typeof data.currentPin !== "string" || !/^\d{6}$/.test(data.currentPin)) {
337
342
  res.writeHead(400, { "Content-Type": "application/json" });
338
343
  res.end('{"error":"Current PIN is required"}');
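Review bot: The new condition `mu.pinHash && !mu.mustChangePin` lets any valid session for this user set a new PIN without the current one for as long as `mustChangePin` stays true, and nothing in this hunk ties the bypass to the session that was created by the temporary-PIN login. If sessions issued before the temporary PIN was assigned are still accepted, or if the flag is not cleared in the same write that stores the new `pinHash`, an older or copied cookie is enough to replace the PIN. The rest of attachSettings lies outside the hunk, so both may already be handled. If they are, record that invariant next to the existing comment, for example `// Safe only because issuing a temp PIN revokes existing sessions and mustChangePin is cleared together with the pinHash update.`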
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "clay-server",
3
- "version": "2.36.2-beta.4",
3
+ "version": "2.36.2-beta.5",
4
4
  "description": "Self-hosted team workspace for Claude Code and Codex. Multi-user, browser-based, with persistent AI mates.",
5
5
  "bin": {
6
6
  "clay-server": "./bin/cli.js",