svemagie.net/indiekit-server
1
0
Fork 0
Code Issues 1 Actions Packages Projects Releases Activity

Alias legacy /admin auth routes to root endpoints

Browse Source
This commit is contained in:
svemagie
2026-03-08 04:45:46 +01:00
parent 98eb54ac63
commit acb8afc794
2 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1
View File
@@ -4,6 +4,7 @@
- The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`). - The IndieKit admin uses root auth/session paths (for example: `/session/login`, `/auth`, `/auth/new-password`).
- Legacy `/admin` request paths are normalized to root login redirects (for example `/admin/posts` -> `/session/login?redirect=/posts`) to avoid post-login dead-end targets. - Legacy `/admin` request paths are normalized to root login redirects (for example `/admin/posts` -> `/session/login?redirect=/posts`) to avoid post-login dead-end targets.
- Legacy auth/session aliases are redirected directly (for example `/admin/auth/new-password` -> `/auth/new-password`, `/admin/session/login` -> `/session/login`).
- Login page now auto-continues to the password consent screen by default. Add `?noautocontinue=1` to `/session/login` if you want to keep the manual button step. - Login page now auto-continues to the password consent screen by default. Add `?noautocontinue=1` to `/session/login` if you want to keep the manual button step.
- Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`. - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
- If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it. - If no `PASSWORD_SECRET` exists yet, open `/auth/new-password` once to generate it.
scripts/patch-indieauth-devmode-guard.mjs
+20 -11
View File
@@ -14,13 +14,15 @@ const newDevModeCode = `if (devMode && process.env.INDIEKIT_ALLOW_DEV_AUTH === "
request.session.scope = "create update delete media"; request.session.scope = "create update delete media";
} else if (!process.env.PASSWORD_SECRET) {`; } else if (!process.env.PASSWORD_SECRET) {`;
const oldLoginRedirectCode = ` if (request.method === "GET") {
return response.redirect(
\`/session/login?redirect=\${request.originalUrl}\`,
);
}`;
const newLoginRedirectCode = ` if (request.method === "GET") { const newLoginRedirectCode = ` if (request.method === "GET") {
const directAlias = request.originalUrl.replace(
/^\\/admin\\/(auth|session)(?=\\/|$)/,
"/$1",
);
if (directAlias !== request.originalUrl) {
return response.redirect(directAlias);
}
const loginRedirect = const loginRedirect =
request.originalUrl === "/admin" request.originalUrl === "/admin"
? "/" ? "/"
@@ -30,6 +32,11 @@ const newLoginRedirectCode = ` if (request.method === "GET") {
); );
}`; }`;
const oldLoginRedirectRegexes = [
/if \(request\.method === "GET"\) \{\n\s+return response\.redirect\(\n\s+`\/session\/login\?redirect=\$\{request\.originalUrl\}`,\n\s+\);\n\s+\}/m,
/if \(request\.method === "GET"\) \{\n\s+const loginRedirect =[\s\S]*?`\/session\/login\?redirect=\$\{loginRedirect\}`,\n\s+\);\n\s+\}/m,
];
async function exists(path) { async function exists(path) {
try { try {
await access(path); await access(path);
@@ -56,11 +63,13 @@ for (const filePath of candidates) {
updated = updated.replace(oldDevModeCode, newDevModeCode); updated = updated.replace(oldDevModeCode, newDevModeCode);
} }
if ( if (!updated.includes("const directAlias = request.originalUrl.replace(")) {
!updated.includes(newLoginRedirectCode) && for (const regex of oldLoginRedirectRegexes) {
updated.includes(oldLoginRedirectCode) if (regex.test(updated)) {
) { updated = updated.replace(regex, newLoginRedirectCode);
updated = updated.replace(oldLoginRedirectCode, newLoginRedirectCode); break;
}
}
} }
if (updated !== source) { if (updated !== source) {