thehack904/RetroIPTVGuide v4.9.3-beta2

v4.9.3 BETA 2

on GitHub

v4.9.3 - 2026-04-02

Added

• Added scripts/reset_admin_password.py to reset the admin account password from the command line.
• Added support for forcing the admin account to change its password on next login via a new must_change_password user flag.
• Added automatic users table schema migration support for the new must_change_password column.
• Added dedicated test coverage for:
  • forced password change on login
  • clearing the forced-change flag after a successful password update
  • admin password reset script behavior and error handling
• Added forced-change notice styling and UI messaging to the change password page.

Changed

• Updated user model loading to include the new must_change_password flag.
• Updated user creation logic so accounts can optionally be created with a forced password reset requirement.
• Updated login flow so flagged users are redirected to the change password page before accessing the app.
• Updated password change flow to clear the forced-reset flag after a successful password update.
• Updated health checks to validate expected users table columns, including:
  • last_login
  • assigned_tuner
  • must_change_password
• Updated admin diagnostics to display expanded virtual channel configuration details for:
  • Updates
  • Sports
  • NASA
  • Channel Mix
  • On This Day
• Updated the default admin bootstrap account to require a password change on first login.
• Updated the default Updates channel behavior so prerelease/beta items are hidden by default.
• Updated project documentation files (README.md, INSTALL.md, SECURITY.md, SECURITY_MODEL.md, ROADMAP.md) to reflect the latest setup, security, and roadmap guidance.

Fixed

• Fixed first-login admin security by requiring the default/bootstrap admin account to set a new password before continuing.
• Fixed password reset handling so admin password resets performed from the CLI now mark the account for a mandatory password change at next login.
• Fixed change password UX by showing a clear forced-reset notice when a user is required to update their password.
• Fixed diagnostics schema validation to warn on missing expected user-table columns instead of only checking for table existence.
• Fixed reset script behavior on uninitialized or partially initialized databases by ensuring required schema and table setup is handled more safely.

Security

• Hardened admin account recovery by providing a controlled password reset path that forces a new password change at next login.
• Hardened default admin account handling by preventing continued use of the initial/bootstrap password after first login.
• Expanded schema validation and deployment guidance to better surface incomplete or outdated database state.

Tests

• Added tests/test_forced_password_change.py.
• Expanded coverage around admin diagnostics and virtual channel defaults to reflect the current private repo behavior.