Summary
The Admin Account Management subpanel in Settings → Authentication was gated by v-if="authEnabledComputed", which meant the username/password inputs were invisible whenever the Enable login screen toggle was off. Combined with the toggle reflecting the server-side AuthenticationRequired value from config.json, this produced a hard lockout for new installs:
- Operator edits
config/config.jsonto setAuthenticationRequired: "true"(or uses the UI toggle and clicks Save — which writes the same value). - Login screen activates on the next request.
- No admin user has been provisioned, because the only UI affordance to do so was inside the gated section that doesn't render until auth is already on.
- Every login attempt fails. There is no UI path to recover; the operator has to either edit
config.jsonback tofalseand restart, orcurlthe/api/v1/configuration/settingsendpoint with the API key + a JSON body containingAdminUsername/AdminPassword— which bypasses CSRF and creates the user — neither of which a user should be expected to know.
Fix
Drop the v-if gate. The credential inputs now render whenever the Authentication section is on screen, regardless of the login-screen toggle state. Operators can configure (or pre-configure) admin credentials before, during, or after enabling auth — eliminating the lockout window.
Help text and the password placeholder were updated to reflect the actual backend semantics:
- The fields are accepted at any time and are persisted with Save Settings.
- Both fields must be non-empty for
ConfigurationServiceto create/update the admin user (seelistenarr.application/Common/ConfigurationService.cs~line 245). - Leaving the password blank is the explicit "keep existing" path.
Test plan
-
npm run type-check— clean -
npx vitest run AuthenticationSection.spec.ts— 4 / 4 passing - New regression test added (`renders the a...
Automated Canary build