Skip to content

Authentication improvements #21194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
NickM-27 merged 13 commits into from
Dec 8, 2025
Merged

Authentication improvements #21194

NickM-27 merged 13 commits into from
Dec 8, 2025

Conversation

@hawkeye217
Copy link
Collaborator

@hawkeye217 hawkeye217 commented Dec 8, 2025
edited
Loading

Proposed change

This PR improves Frigate authentication in a few ways:

  • Set default permissions on the jwt secret to r/w for the user only (400 instead of 644)
  • Enforce password strength (backend and frontend, 8+ chars, uppercase, digit, special)
  • Require existing password before setting a new one (enforced via the API and the frontend)
    • Add password_changed_at to user table
    • Add iat to JWTs, enforce token invalidation when token.iat < user.password_changed_at, require current password for self-changes, return a fresh JWT after a user changes their own password
    • Change jwt refresh time to 30 minutes

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New feature
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code
  • Documentation Update

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:

Checklist

  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • UI changes including text have used i18n keys and have been added to the en locale.
  • The code has been formatted using Ruff (ruff format frigate)

@hawkeye217
jwt permissions
d3e038b
@hawkeye217
add old password to body req
90d9acf
@hawkeye217
add model and migration
29fb4b9 
need to track the datetime that passwords were changed for the jwt
@hawkeye217
auth api backend changes
c7322cd 
- use os.open to create jwt secret with restrictive permissions (0o600: read/write for owner only)
- add backend validation for password strength
- add iat claim to jwt so the server can determine when a token was issued and reject any jwts issued before a user's password_changed_at timestamp, ensuring old tokens are invalidated after a password change
- set logout route to public to avoid 401 when logging out
- issue new jwt for users who change their own password so they stay logged in
@hawkeye217
improve set password dialog
b05a7cc 
- add field to verify old password
- add password strength requirements
@hawkeye217
frontend tweaks for password dialog
122dfb3
@hawkeye217
i18n
d654ac2
@hawkeye217
use verify endpoint for existing password verification
96731ea 
avoid /login side effects (creating a new session)
@hawkeye217
public logout
e7b35df
@netlify
Copy link

netlify bot commented Dec 8, 2025
edited
Loading

Deploy Preview for frigate-docs canceled.

Name Link
🔨 Latest commit f5e5217
🔍 Latest deploy log https://app.netlify.com/projects/frigate-docs/deploys/6936f324882d990009eadf2f

@hawkeye217
only check if password has changed on jwt refresh
2a78ae4
@hawkeye217
fix tests
df8d177 
Fix migration 030 by using raw sql to select usernames (avoid ORM selecting nonexistent columns)
@hawkeye217
add multi device warning to password dialog
7bbf287
@hawkeye217
remove password verification endpoint
f5e5217 
Just send old_password + new password in one request, let the backend handle verification in a single operation
@NickM-27 NickM-27 merged commit 152e585 into dev Dec 8, 2025
12 checks passed
@NickM-27 NickM-27 deleted the password-tweaks branch December 8, 2025 16:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NickM-27 NickM-27 NickM-27 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hawkeye217 @NickM-27