farhadh 56ce6073ce feat(auth): block panel with default admin/admin credentials and guide credential change ...

checkLogin middleware now detects default admin/admin credentials and
redirects every panel route to /panel/settings until they are changed.
The settings page auto-opens the Authentication tab, shows a
non-dismissible error banner, and lists 'Default credentials' first in
the security checklist. Login response includes mustChangeCredentials
so the login page can redirect directly. Logout is now POST-only.
Password must be at least 10 characters and cannot be admin/admin.

2026-05-11 21:16:22 +02:00

2.4 KiB

Raw Blame History

View Raw