🔒 Security Fix
- Auth bypass after onboarding — Fixed regression where users could access the dashboard without authentication after upgrading from older versions. The "no password" safeguard (for fresh installs) was incorrectly firing after onboarding was complete, allowing unauthenticated access when setupComplete=true but the password DB row was missing (#151)
Root Cause
proxy.ts:136 and apiAuth.ts:138 checked !settings.password to skip auth, but didn't verify if onboarding was already done. Added !settings.setupComplete guard so the bypass only applies before onboarding.
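The two conditions side by side, evaluated over every install state, as an added example that is not the project's own code. The Settings shape, the function names and the sample states are assumptions; only the !settings.password and !settings.setupComplete checks come from the description above.

```typescript
// Hypothetical settings shape: only `password` and `setupComplete` are named on the page.
interface Settings {
  password: string | null; // stored password value; null when the DB row is missing
  setupComplete: boolean;  // true once onboarding has finished
}

// Condition before the fix: a missing password alone skips authentication.
function skipAuthBeforeFix(s: Settings): boolean {
  return !s.password;
}

// Condition after the fix: the bypass applies only before onboarding.
function skipAuthAfterFix(s: Settings): boolean {
  return !s.password && !s.setupComplete;
}

// Constructed states covering every combination of the two fields.
const STATES: Record<string, Settings> = {
  freshInstall:        { password: null,   setupComplete: false },
  onboardedWithPw:     { password: "hash", setupComplete: true },
  upgradedMissingRow:  { password: null,   setupComplete: true },
  passwordSetMidSetup: { password: "hash", setupComplete: false },
};

// Names of the states in which a request is served without authentication.
function unauthenticatedStates(skip: (s: Settings) => boolean): string[] {
  return Object.keys(STATES).filter((name) => skip(STATES[name]));
}

// States whose outcome the fix changes: these are the regression-test cases.
function changedByFix(): string[] {
  return Object.keys(STATES).filter(
    (name) => skipAuthBeforeFix(STATES[name]) !== skipAuthAfterFix(STATES[name]),
  );
}

console.log("before fix:", unauthenticatedStates(skipAuthBeforeFix));
console.log("after fix: ", unauthenticatedStates(skipAuthAfterFix));
console.log("changed:   ", changedByFix());
```

The only state whose outcome changes is the upgraded install with setupComplete=true and no password row, which makes it the case to pin in a regression test.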
Affected versions: v1.6.3 – v1.6.5
Recommendation: Update immediately if you use password-protected access.
Full Changelog: v1.6.5...v1.6.6