Skip to content

Commit fbb3d28

Browse files
feat: warn on /account.html when password is still default (#18)
On page load, /account.html now probes JSS's PUT /idp/credentials with {currentPassword:"me", newPassword:"me"} via session.authFetch. - 204 (current matches) → red warning banner above the password form: "You're using the default password. Change it below to claim your pod." - 401 (current doesn't match) → no banner. The probe is server-side truth (no localStorage state to go stale across browsers). Side effect is a bcrypt re-hash of the same value when the password is still default — rate-limited 10/min per IP by JSS, no functional change. After a successful password update, the warning is hidden synchronously (no reload needed). On subsequent loads the probe sees 401 and the warning stays gone. Refs #1 #6
1 parent b895463 commit fbb3d28

2 files changed

Lines changed: 28 additions & 1 deletion

File tree

account.html

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,6 +49,9 @@ <h2>Explore</h2>
4949
</div>
5050

5151
<h2>Password</h2>
52+
<div id="pw-default-warning" hidden style="background:#fff0f0;border:1px solid #f4a4a4;color:#a00;padding:.7em .9em;border-radius:8px;margin:.5em 0;font-size:.95em">
53+
<strong>You're using the default password.</strong> Change it below to claim your pod.
54+
</div>
5255
<p id="pw-hint" style="margin:.25em 0 .5em;color:#666;font-size:.9em">Climb from rung 1 (default <code>me</code>) to rung 2 (your password).</p>
5356
<button class="btn btn-secondary" id="pw-toggle" type="button">Change password</button>
5457
<form id="pw-form" hidden style="margin:.75em 0 0;display:grid;gap:.5em;max-width:360px">
@@ -127,6 +130,28 @@ <h2>Session</h2>
127130
// Profile link strips the fragment (WebID typically ends with #me)
128131
document.getElementById('profile-link').href = webid.replace(/#.*/, '');
129132
signedInEl.hidden = false;
133+
134+
// Background probe: is the password still the default rung-1 'me'?
135+
// We send PUT /idp/credentials with {currentPassword:'me',newPassword:'me'}
136+
// — JSS returns 204 when the current password matches (no-op re-hash),
137+
// 401 when it doesn't. Show the climb warning only on 204.
138+
// The probe runs fire-and-forget so the rest of the dashboard renders
139+
// immediately; the warning fades in once we know.
140+
(async () => {
141+
try {
142+
const res = await session.authFetch(new URL('./idp/credentials', window.location.href).href, {
143+
method: 'PUT',
144+
headers: { 'Content-Type': 'application/json' },
145+
body: JSON.stringify({ currentPassword: 'me', newPassword: 'me' })
146+
});
147+
if (res.ok) {
148+
document.getElementById('pw-default-warning').hidden = false;
149+
}
150+
} catch {
151+
// Best-effort: rate-limited or transient. No warning shown.
152+
}
153+
})();
154+
130155
document.getElementById('signout-btn').addEventListener('click', async () => {
131156
try {
132157
await session.logout();
@@ -195,6 +220,8 @@ <h2>Session</h2>
195220
}
196221
pwStatus('Password updated. You\'re on rung 2 now.');
197222
pwCurrent.value = pwNew.value = pwConfirm.value = '';
223+
// Hide the default-password warning if it was showing.
224+
document.getElementById('pw-default-warning').hidden = true;
198225
} catch (e) {
199226
pwStatus('Change failed: ' + (e.message || String(e)), true);
200227
} finally {

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "jspod",
3-
"version": "0.0.19",
3+
"version": "0.0.20",
44
"description": "JavaScript Solid Pod - Just works, batteries included",
55
"type": "module",
66
"main": "index.js",

0 commit comments

Comments
 (0)