* Update all import paths
* Rename directory cmd/wpcomposer/ → cmd/wppackages/
* Rename import alias wpcomposergo → wppackagesgo in main.go and migrate_test.go
* Makefile — binary name wpcomposer → wppackages
* Update Air path
* Global replace repo.wp-composer.com → repo.wp-packages.org
* Global replace cdn.wp-composer.com → cdn.wp-packages.org
* Global replace wp-composer.com → wp-packages.org (remaining)
* Composer repo key in templates/docs: repositories.wp-composer → repositories.wp-packages
* Rename columns on the existing schema
* Update all Go code referencing these column names
* Routes & SEO
* Templates & front-end
* Admin UI
* Documentation
* CI/CD
* Config defaults
* Rename role directory
* Rename all systemd template files inside the role
* Update contents of all .j2 templates — service names, binary paths, descriptions
* Update tasks/main.yml and handlers/main.yml in the role
* Update deploy/ansible/roles/app/tasks/main.yml and deploy.yml
* Update deploy/ansible/group_vars/production/main.yml
* Additional renames/fixes
* Additional renames/fixes
* Additional renames/fixes
* not needed
Admin Access
Security Model
Admin access is protected by in-app authentication. Email/password login and admin authorization are required for all protected /admin/* routes.
Note: The app always trusts X-Real-IP / X-Forwarded-For headers for client IP resolution (used for login rate limiting and telemetry dedupe). It must be deployed behind a trusted reverse proxy (Caddy) — never exposed directly to the internet.
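Why the proxy requirement matters for login rate limiting, as an added Go example (not code from the wppackages repository). The header precedence in `clientIP`, the per-IP counter in `rejected`, and all addresses are assumptions constructed for illustration; the proxy step models a reverse proxy that discards client-supplied values and sets the header from the TCP peer.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

const peer = "203.0.113.7" // constructed: the one real TCP peer sending every request

// clientIP trusts the forwarding headers unconditionally (assumed order), then falls back to the peer.
func clientIP(r *http.Request) string {
	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// rejected sends n login attempts from one peer, each carrying a different
// client-supplied X-Real-IP, and returns how many a per-IP limit turns away.
func rejected(n, limit int, behindProxy bool) int {
	attempts, blocked := map[string]int{}, 0
	for i := 0; i < n; i++ {
		r := httptest.NewRequest("POST", "/admin/login", nil)
		r.RemoteAddr = peer + ":40000"
		r.Header.Set("X-Real-IP", fmt.Sprintf("198.51.100.%d", i)) // constructed value
		if behindProxy {
			// The trusted proxy drops what the client sent and records the real peer.
			r.Header.Del("X-Forwarded-For")
			r.Header.Set("X-Real-IP", peer)
		}
		ip := clientIP(r)
		attempts[ip]++
		if attempts[ip] > limit {
			blocked++
		}
	}
	return blocked
}

func main() {
	fmt.Println("exposed directly, rejected:", rejected(10, 3, false))
	fmt.Println("behind the proxy, rejected:", rejected(10, 3, true))
}
```

Exposed directly, the limiter never sees the same key twice and rejects nothing; behind the proxy every attempt is counted against the one real peer address.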
Admin Bootstrap
Create initial admin user
echo 'secure-password' | wppackages admin create --email admin@example.com --name "Admin" --password-stdin
Promote existing user to admin
wppackages admin promote --email user@example.com
Reset admin password
echo 'new-password' | wppackages admin reset-password --email admin@example.com --password-stdin
Login/Logout
- Login: GET /admin/login renders a login form. POST /admin/login authenticates with email/password and creates a server-side session.
- Logout: POST /admin/logout destroys the session and clears the cookie.
- Session cookie: session, HttpOnly, Secure (in production), SameSite=Lax.
- Session lifetime: configurable via SESSION_LIFETIME_MINUTES (default 7200 minutes / 5 days).
Session Cleanup
Expired sessions accumulate in the sessions table. Clean them periodically:
wppackages cleanup-sessions
Run via systemd timer or cron (daily recommended).
Emergency Password Reset
If locked out of the admin panel:
# SSH to the server
ssh deploy@your-server
# Reset the password
echo 'new-password' | wppackages admin reset-password --email admin@example.com --password-stdin
No database access or application restart required.