diff --git a/database/music_database.py b/database/music_database.py index 5816065c..1a2bca8b 100644 --- a/database/music_database.py +++ b/database/music_database.py @@ -5246,6 +5246,8 @@ class MusicDatabase: 'avatar_url': row['avatar_url'] if 'avatar_url' in columns else None, 'is_admin': bool(row['is_admin']), 'has_pin': row['pin_hash'] is not None, + 'has_password': row['password_hash'] is not None if 'password_hash' in columns else False, + 'has_recovery': row['recovery_answer_hash'] is not None if 'recovery_answer_hash' in columns else False, 'home_page': row['home_page'] if 'home_page' in columns else None, 'allowed_pages': json.loads(ap_raw) if ap_raw else None, 'can_download': bool(row['can_download']) if 'can_download' in columns else True, @@ -5276,6 +5278,8 @@ class MusicDatabase: 'avatar_url': row['avatar_url'] if 'avatar_url' in columns else None, 'is_admin': bool(row['is_admin']), 'has_pin': row['pin_hash'] is not None, + 'has_password': row['password_hash'] is not None if 'password_hash' in columns else False, + 'has_recovery': row['recovery_answer_hash'] is not None if 'recovery_answer_hash' in columns else False, 'home_page': row['home_page'] if 'home_page' in columns else None, 'allowed_pages': json.loads(ap_raw) if ap_raw else None, 'can_download': bool(row['can_download']) if 'can_download' in columns else True, diff --git a/webui/index.html b/webui/index.html index 8da0f94a..b7bcf9b7 100644 --- a/webui/index.html +++ b/webui/index.html @@ -5993,100 +5993,119 @@ - +
* on its own line to allow any origin (insecure β only do this if you understand why you need it).
+ X-Forwarded-* headers, marks the session cookie HTTPS-only, and adds security headers. Leave OFF for direct or LAN access over http:// β turning it on would make the session cookie HTTPS-only and break plain-HTTP access. Takes effect after a restart. See Support/REVERSE-PROXY.md.
+
+ Support/REVERSE-PROXY.md.
Remote-User) and SoulSync will skip the launch PIN for already-authenticated requests. Only set this behind a proxy that strips any client-supplied copy of the header β otherwise it can be spoofed. Leave blank to disable (the default).
+ X-Forwarded-* headers, marks the session cookie HTTPS-only, and adds security headers. Leave OFF for direct / LAN access over http:// β it would otherwise break plain-HTTP login. Takes effect after a restart.
+ * on its own line allows any origin (insecure).
+