From ea3533ac49107170d0af11d80315aac02920d241 Mon Sep 17 00:00:00 2001
From: shuki
Date: Fri, 6 Mar 2026 05:40:39 +0200
Subject: [PATCH] Fix web login: use consistent API key instead of re-reading config

The login handler was re-reading the config on each attempt, which returned empty when no key was set, causing all logins to fail. Now uses the key resolved at startup (from config or generated).

Co-Authored-By: Claude Opus 4.6
---
 web/app.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/web/app.py b/web/app.py
index 47a5187..5933178 100644
--- a/web/app.py
+++ b/web/app.py
@@ -66,20 +66,22 @@ def create_app():
 template_folder=str(Path(__file__).resolve().parent / "templates"),
 )
 
- api_key = _get_api_key()
- if not api_key:
- api_key = secrets.token_urlsafe(32)
- print(f"WARNING: No WEB_API_KEY configured. Generated temporary key: {api_key}")
- print("Set WEB_API_KEY in gniza.conf to persist this key.")
+ stored_key = _get_api_key()
+ if not stored_key:
+ stored_key = secrets.token_urlsafe(32)
+ print(f"\n{'='*60}")
+ print(f" No WEB_API_KEY configured.")
+ print(f" Generated temporary key: {stored_key}")
+ print(f" Set WEB_API_KEY in gniza.conf to persist this key.")
+ print(f"{'='*60}\n")
 
- app.secret_key = api_key
+ app.secret_key = stored_key
 
 @app.route("/login", methods=["GET", "POST"])
 def login():
 if request.method == "POST":
 token = request.form.get("token", "")
- current_key = _get_api_key() or api_key
- if secrets.compare_digest(token, current_key):
+ if token and secrets.compare_digest(token, stored_key):
 session["authenticated"] = True
 return redirect(url_for("dashboard"))
 flash("Invalid API key.")
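Review bot: In `login()`, `secrets.compare_digest(token, stored_key)` receives two `str` values, and `compare_digest` raises `TypeError` when a `str` argument contains non-ASCII characters, so a submitted token with such a character would presumably surface as an unhandled error rather than "Invalid API key."; comparing bytes avoids that: `if token and secrets.compare_digest(token.encode("utf-8"), stored_key.encode("utf-8")):`. Because the key is now resolved once in `create_app()`, a WEB_API_KEY changed in gniza.conf only takes effect after a restart, which is worth recording above `stored_key = _get_api_key()` with a comment such as `# Resolved once at startup; rotating WEB_API_KEY requires restarting the app.` The generated key is still written to stdout and also becomes `app.secret_key`, so any log that captures the process output holds both the login credential and the session-signing secret and should be access-restricted accordingly. Both `create_app()` and `login()` continue outside the hunk, so error handlers or later uses of the key are not visible here.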