fix: disable auto-login, diceware passwords, improved security reset UX, fix GNOME keyring

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/82a54a25-4844-4a41-afcc-c034cebbd6ed Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
2026-04-12 15:08:25 +00:00
parent 38acee7319
commit 17f89fa773
6 changed files with 268 additions and 45 deletions
--- a/app/sovran_systemsos_web/static/css/security.css
+++ b/app/sovran_systemsos_web/static/css/security.css
@@ -242,6 +242,60 @@
  margin-bottom: 16px;
 }

+/* ── Phase 2: password display box ──────────────────────────────── */
+
+.security-reset-password-label {
+  font-size: 0.88rem;
+  color: var(--text-secondary);
+  margin: 16px 0 8px 0;
+}
+
+.security-reset-password-box {
+  font-family: monospace;
+  font-size: 1.35rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  background: rgba(109, 191, 139, 0.10);
+  border: 1.5px solid rgba(109, 191, 139, 0.35);
+  border-radius: 8px;
+  padding: 14px 24px;
+  letter-spacing: 0.04em;
+  text-align: center;
+  word-break: break-all;
+  margin-bottom: 16px;
+  min-width: 260px;
+}
+
+.security-reset-password-warning {
+  font-size: 0.84rem;
+  color: var(--text-secondary);
+  line-height: 1.6;
+  margin-bottom: 20px;
+  text-align: center;
+}
+
+.security-reset-reboot-btn {
+  background-color: #6DBF8B;
+  color: #0a0c0b;
+  border: none;
+  border-radius: 7px;
+  padding: 11px 22px;
+  font-size: 0.88rem;
+  font-weight: 700;
+  cursor: pointer;
+  transition: background-color 0.15s, opacity 0.15s;
+  white-space: nowrap;
+}
+
+.security-reset-reboot-btn:hover:not(:disabled) {
+  background-color: #5aab78;
+}
+
+.security-reset-reboot-btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
 /* ── First-login security banner ─────────────────────────────────── */

 .security-first-login-banner {
--- a/app/sovran_systemsos_web/static/js/security.js
+++ b/app/sovran_systemsos_web/static/js/security.js
@@ -128,11 +128,43 @@ function openSecurityModal() {

        if (resetStatus) { resetStatus.textContent = "Running security reset\u2026"; resetStatus.className = "security-status-msg security-status-info"; }
        try {
-          await apiFetch("/api/security/reset", { method: "POST" });
-          if ($secResetStep) $secResetStep.textContent = "Reset complete. Rebooting now\u2026";
-          if (resetStatus) { resetStatus.textContent = "\u2713 Reset complete. Rebooting\u2026"; resetStatus.className = "security-status-msg security-status-ok"; }
-          if ($rebootOverlay) $rebootOverlay.classList.add("visible");
-          setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+          var data = await apiFetch("/api/security/reset", { method: "POST" });
+
+          // Switch to Phase 2: show the new password and wait for user confirmation
+          var phase1 = document.getElementById("security-reset-phase1");
+          var phase2 = document.getElementById("security-reset-phase2");
+          var passwordBox = document.getElementById("security-reset-new-password");
+          var rebootBtn = document.getElementById("security-reset-reboot-btn");
+
+          if (phase1) phase1.style.display = "none";
+          if (phase2) phase2.style.display = "";
+          if (passwordBox && data.new_password) passwordBox.textContent = data.new_password;
+
+          if (rebootBtn) {
+            // Keep button disabled for 5 seconds to prevent accidental clicks
+            var countdown = 5;
+            rebootBtn.textContent = "I have written down my new password \u2014 Reboot now (" + countdown + ")";
+            var timer = setInterval(function() {
+              countdown--;
+              if (countdown <= 0) {
+                clearInterval(timer);
+                rebootBtn.disabled = false;
+                rebootBtn.textContent = "I have written down my new password \u2014 Reboot now";
+              } else {
+                rebootBtn.textContent = "I have written down my new password \u2014 Reboot now (" + countdown + ")";
+              }
+            }, 1000);
+
+            rebootBtn.addEventListener("click", async function() {
+              rebootBtn.disabled = true;
+              rebootBtn.textContent = "Rebooting\u2026";
+              try {
+                await apiFetch("/api/reboot", { method: "POST" });
+              } catch (_) {}
+              if ($rebootOverlay) $rebootOverlay.classList.add("visible");
+              setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+            }, { once: true });
+          }
        } catch (err) {
          if ($secResetOverlay) $secResetOverlay.classList.remove("visible");
          if (resetStatus) { resetStatus.textContent = "\u2717 Error: " + (err.message || "Reset failed."); resetStatus.className = "security-status-msg security-status-error"; }