# v2.0.0-alpha1 - Authentication & Authorization System

⚠️ ALPHA RELEASE - For Testing Only
This is the first alpha release of MeshMonitor v2.0.0, introducing a comprehensive authentication and authorization system.
## ⚠️ Breaking Changes
- All API endpoints now require authentication or appropriate anonymous permissions
- Session cookies required for API access
- This is a major version change - please review the migration notes below
## Key Features

### Authentication
- Local username/password authentication with bcrypt hashing
- OpenID Connect (OIDC) integration for SSO
- Dual authentication support (both local and OIDC simultaneously)
- Session management with secure cookies
- Admin password reset utility (`reset-admin.mjs`)

### Authorization
- Permission-based access control for 8 resource types:
  - Dashboard, Nodes, Channels, Messages, Settings, Configuration, Info, Automation
- Read/Write permissions per resource
- Admin role with full permissions
- Middleware for route protection
- Database-backed permission storage

### User Management
- Admin-only Users tab for managing users and permissions
- Create local users with passwords
- Set/reset passwords for local users
- Toggle admin status
- Activate/deactivate users
- Grant/revoke granular permissions
- OIDC user auto-creation on first login

### Anonymous User Support
- Special "anonymous" user defines permissions for unauthenticated users
- Enables public/read-only access scenarios
- Configurable permissions via admin interface
- Seamless transition between authenticated and anonymous states
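To make the Authorization and Anonymous User Support sections above concrete, here is an added example (not MeshMonitor's own code) of how a per-resource read/write check with an admin override and an "anonymous" fallback for unauthenticated requests can be modelled; the user records, permission rows, `hasPermission`, `requirePermission` and `simulate` names are all assumptions constructed for the illustration.

```javascript
// Hypothetical model of the permission checks described in these notes, not
// MeshMonitor's own code; users, permission rows and requests are constructed
// in-memory stand-ins for the database-backed originals.
const RESOURCES = ['dashboard', 'nodes', 'channels', 'messages',
  'settings', 'configuration', 'info', 'automation'];
const ACTIONS = ['read', 'write'];
// Constructed users: "anonymous", an admin, a normal user, a deactivated one.
const users = {
  anonymous: { isAdmin: false, isActive: true },
  admin: { isAdmin: true, isActive: true },
  alice: { isAdmin: false, isActive: true },
  bob: { isAdmin: false, isActive: false },
};
// Constructed permission rows: userId -> resource -> { read, write }.
// "anonymous" carries the default read-only set from the migration notes.
const permissions = {
  anonymous: { dashboard: { read: true, write: false },
    nodes: { read: true, write: false }, info: { read: true, write: false } },
  alice: { messages: { read: true, write: true },
    channels: { read: true, write: false } },
};
// Core check: deactivated users get nothing, admins get everything,
// everyone else needs an explicit row granting the action.
function hasPermission(userId, resource, action) {
  if (!RESOURCES.includes(resource) || !ACTIONS.includes(action)) {
    throw new Error(`unknown permission ${resource}:${action}`);
  }
  const user = users[userId];
  if (!user || !user.isActive) return false;
  if (user.isAdmin) return true;
  const row = permissions[userId] && permissions[userId][resource];
  return Boolean(row && row[action]);
}
// Express-style route guard. A request with no session user is evaluated as
// "anonymous" and gets 401 on denial (log in); a logged-in user gets 403.
function requirePermission(resource, action) {
  return (req, res, next) => {
    const userId = (req.session && req.session.userId) || 'anonymous';
    if (hasPermission(userId, resource, action)) return next();
    res.status(userId === 'anonymous' ? 401 : 403)
      .json({ error: `missing ${resource}:${action}` });
  };
}
// Drives a guard with a fake req/res so the outcome can be inspected.
function simulate(guard, session) {
  const out = { status: 200, body: null };
  const res = { status(c) { out.status = c; return this; },
    json(b) { out.body = b; return this; } };
  guard({ session }, res, () => {});
  return out;
}
```

Logging out simply drops `session.userId`, so the same guard immediately evaluates the caller as "anonymous" again, which is the transition the notes describe.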
## First-Run Setup
On first startup, MeshMonitor will create a default admin user:
- Username: `admin`
- Password: `changeme`

⚠️ IMPORTANT: Change this password immediately after first login!
## Configuration

### Environment Variables

```bash
# OIDC (optional)
OIDC_ISSUER=https://your-oidc-provider.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=http://localhost:3001/api/auth/oidc/callback
# Session Security (recommended for production)
SESSION_SECRET=your-random-secret-here
# Admin User (optional, defaults to 'admin')
ADMIN_USERNAME=admin
```

## Migration Notes
- First-run creates default admin user (username: `admin`, password: `changeme`)
- Existing installations will auto-create admin on next startup
- Anonymous user created automatically with default read-only permissions (dashboard, nodes, info)
- Database migrations run automatically on startup
- Admin can modify anonymous permissions in the Users tab
## Security Enhancements
- Passwords hashed with bcrypt (10 rounds)
- Session-based authentication with HTTP-only cookies
- CSRF protection via SameSite cookies
- Permission checks on all protected routes
- Admin-only routes for user management
- Secure OIDC token validation
- SQL injection prevention with input validation
## Documentation
- OIDC setup guide available in docs/AUTHENTICATION.md
- Permission model documented in code comments
- Database schema includes permission constraints
## Testing
This is an alpha release intended for testing. Please report any issues on GitHub.
Test Coverage:
- 505 tests passing
- Local authentication login/logout
- OIDC authentication flow
- Permission checks across all resources
- Admin user management operations
- Password reset functionality
- Anonymous user permissions
- Logout returns to anonymous state
## Known Issues
- None currently identified
## What's Next
- v2.0.0-beta1: Bug fixes and refinements based on alpha feedback
- v2.0.0-rc1: Release candidate with full documentation
- v2.0.0: Stable release
## Acknowledgments
This release includes contributions and testing feedback from the community.
Generated with Claude Code