clay-server 2.36.2-beta.4 → 2.36.2-beta.6
- package/lib/pages.js +3 -29
- package/lib/public/modules/app-misc.js +12 -0
- package/lib/server-settings.js +6 -1
- package/package.json +1 -1
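--- a/package/lib/pages.js
+++ b/package/lib/pages.js
@@ -964,7 +964,9 @@ function multiUserLoginPageHtml() {
 'body:JSON.stringify({username:usernameEl.value,pin:pinEl.value})})' +
 '.then(function(r){return r.json()})' +
 '.then(function(d){' +
-
+// mustChangePin is handled by the main app overlay
+// (showForceChangePinOverlay in app-misc.js): it has a logout escape
+// hatch and proper error display. Reload either way to enter it.
 'if(d.ok){location.reload();return}' +
 'if(d.locked){var boxes=document.querySelectorAll(".pin-digit");' +
 'for(var i=0;i<boxes.length;i++)boxes[i].disabled=true;' +
@@ -976,34 +978,6 @@ function multiUserLoginPageHtml() {
 '.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
 'btns[1].onclick=doLogin;' +
 
-// Force PIN change: reuse the same login screen, switch step1 to "Set new PIN" mode
-'function showChangePinOverlay(){' +
-// Hide step dots (no longer a 2-step flow)
-'var bar=document.querySelector(".steps-bar");if(bar)bar.style.display="none";' +
-// Hide step 0 (username), show step 1 (PIN) with new labels
-'steps[0].classList.remove("active");' +
-'steps[1].classList.add("active");' +
-'var h1=steps[1].querySelector("h1");if(h1)h1.textContent="Set your new PIN";' +
-'var sub=steps[1].querySelector(".sub");if(sub)sub.textContent="Your temporary PIN has expired. Please set a new 6-digit PIN to continue.";' +
-'btns[1].textContent="Save PIN";' +
-// Re-init PIN boxes for fresh input
-'resetPin();' +
-'initPinBoxes("pin-boxes","pin",function(){if(!btns[1].disabled)doSaveNewPin()});' +
-'var boxes=document.querySelectorAll(".pin-digit");' +
-'for(var i=0;i<boxes.length;i++)boxes[i].addEventListener("input",function(){btns[1].disabled=pinEl.value.length!==6});' +
-// Override button handler to save new PIN instead of login
-'btns[1].onclick=doSaveNewPin;' +
-'function doSaveNewPin(){' +
-'btns[1].disabled=true;errs[1].textContent="";' +
-'fetch("/api/user/pin",{method:"PUT",headers:{"Content-Type":"application/json"},' +
-'body:JSON.stringify({newPin:pinEl.value})})' +
-'.then(function(r){return r.json()})' +
-'.then(function(d){' +
-'if(d.ok){location.reload();return}' +
-'errs[1].textContent=d.error||"Failed to save PIN";btns[1].disabled=false})' +
-'.catch(function(){errs[1].textContent="Connection error";btns[1].disabled=false})}' +
-'}' +
-
 '</script></div></body></html>';
 }
 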
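Review bot: With `showChangePinOverlay` removed, nothing in this login script reacts to a forced PIN change any more; `if(d.ok){location.reload();return}` reloads into the main app and the added comment defers entirely to `showForceChangePinOverlay`. An overlay appended to the page is a prompt rather than a control, so a session opened with a temporary PIN is only constrained if the server refuses other requests while the flag is set, which is not visible in this diff. The added comment should say so, for example `// The overlay is UI only; the server must gate API calls while mustChangePin is set.` multiUserLoginPageHtml starts outside these hunks.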
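--- a/package/lib/public/modules/app-misc.js
+++ b/package/lib/public/modules/app-misc.js
@@ -320,6 +320,7 @@ export function showForceChangePinOverlay() {
 '</div>' +
 '<button id="fcp-save" disabled style="width:100%;padding:12px;border:none;border-radius:10px;background:var(--accent);color:#fff;font-size:15px;font-weight:600;cursor:pointer;opacity:0.5;transition:opacity 0.15s">Save PIN</button>' +
 '<div id="fcp-err" style="margin-top:12px;color:var(--error,#ef4444);font-size:13px;min-height:1.3em"></div>' +
+'<button id="fcp-logout" type="button" style="margin-top:8px;background:none;border:none;color:var(--text-dimmer,#888);font-size:13px;cursor:pointer;text-decoration:underline">Log out and start over</button>' +
 '</div>';
 document.body.appendChild(ov);
 
@@ -417,6 +418,17 @@ export function showForceChangePinOverlay() {
 });
 }
 saveBtn.addEventListener("click", doSave);
+
+var logoutBtn = ov.querySelector("#fcp-logout");
+if (logoutBtn) {
+logoutBtn.addEventListener("click", function () {
+fetch("/auth/logout", { method: "POST" }).then(function () {
+location.href = "/";
+}).catch(function () {
+location.href = "/";
+});
+});
+}
 }
 
 export function sendExtensionCommand(command, args, requestId) {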
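Review bot: The `#fcp-logout` click handler navigates to `/` whether or not the session was actually ended: `fetch` resolves on HTTP error statuses, and the `.catch` branch performs the same redirect after a network failure. On a shared device the user sees what looks like a logout while the cookie for the temporary-PIN session may still be valid. Check the response and report the failure in the existing `#fcp-err` element, e.g. `.then(function (r) { if (!r.ok) throw new Error("logout failed"); location.href = "/"; })` and, in `.catch`, `ov.querySelector("#fcp-err").textContent = "Could not log out, please try again";`. showForceChangePinOverlay starts outside both hunks.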
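--- a/package/lib/server-settings.js
+++ b/package/lib/server-settings.js
@@ -332,7 +332,12 @@ function attachSettings(ctx) {
 res.end('{"error":"PIN must be exactly 6 digits"}');
 return;
 }
-
+// Forced PIN change after temporary PIN login: skip currentPin
+// verification. The user authenticated with the temp PIN to
+// establish this session, so requiring them to re-enter it adds
+// friction without security benefit. The session cookie is the
+// proof of possession.
+if (mu.pinHash && !mu.mustChangePin) {
 if (!data.currentPin || typeof data.currentPin !== "string" || !/^\d{6}$/.test(data.currentPin)) {
 res.writeHead(400, { "Content-Type": "application/json" });
 res.end('{"error":"Current PIN is required"}');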
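Review bot: `if (mu.pinHash && !mu.mustChangePin)` makes `mustChangePin` an authorization input: while it is set, any request carrying the session cookie can replace the PIN without knowing the current one. That is only as safe as the code that clears the flag, which lies outside this hunk; if the flag is not cleared in the same update that stores the new hash, the bypass stays open for later sessions of the account. The added comment should record that invariant, e.g. `// Invariant: mustChangePin is cleared in the same write that stores the new pinHash.` It is also worth confirming that this cookie-authenticated PIN endpoint has cross-site request protection, now that the body no longer has to carry a secret. The block opened by the new `if` closes outside the hunk.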
package/package.json
CHANGED