fluxy-bot 0.7.0 → 0.7.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fluxy-bot",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "releaseNotes": [
     "Fixed some bugs to iOs ",
     "2. ",

package/worker/index.ts

@@ -423,7 +423,7 @@ app.get('/api/portal/totp/status', (_req, res) => {
 });
 
 app.post('/api/portal/totp/setup', async (req, res) => {
-  // Verify caller has auth: either valid session token or correct password
+  // Verify caller has auth: session token, correct password, or initial onboard (no password set yet)
   const authHeader = req.headers['authorization'];
   let authorized = false;
   if (authHeader?.startsWith('Bearer ')) {
@@ -434,6 +434,8 @@ app.post('/api/portal/totp/setup', async (req, res) => {
     const storedPass = getSetting('portal_pass');
     if (storedPass && verifyPassword(req.body.password, storedPass)) authorized = true;
   }
+  // During initial onboard, no password is stored yet — allow setup
+  if (!authorized && !getSetting('portal_pass')) authorized = true;
   if (!authorized) { res.status(401).json({ error: 'Unauthorized' }); return; }
 
   const secret = generateTOTPSecret();
@@ -462,6 +464,8 @@ app.post('/api/portal/totp/verify-setup', (req, res) => {
     const storedPass = getSetting('portal_pass');
     if (storedPass && verifyPassword(req.body.password, storedPass)) authorized = true;
   }
+  // During initial onboard, no password is stored yet — allow verify
+  if (!authorized && !getSetting('portal_pass')) authorized = true;
   if (!authorized) { res.status(401).json({ error: 'Unauthorized' }); return; }
 
   const { code } = req.body;