rustdesk-server

Author SHA1 Message Date

Author	SHA1	Message	Date
mike	4ccfe7a0e6	feat(admin): user-administration QoL — last-seen, profile page, OIDC awareness Bundles the dashboard improvements that landed since `782e4c5` into one commit. None of these change wire protocols or DB schema; they're all UI + handlers on top of existing tables. Users page (/admin/#users) - "Last seen" column derived from MAX(tokens.last_used_at) per user (single GROUP BY query in users_last_seen_map). Shows relative short-form ("5m ago", "3h ago", "2d ago") with the absolute UTC timestamp in the cell title= for hover. - Per-row dropdown gains an inline "Edit profile" form (display name, email, Save) so admins can edit other users' info without going through the self-service profile. - "Enroll TOTP" button removed from the dropdown — TOTP enrollment is now self-service only, so admin-side enroll (which generated a secret out-of-band with no QR/confirm) is dead UX. "Disable TOTP" stays, shown only when the user has it enrolled, with hx-confirm. - Per-row action popover (the ··· menu) now closes on outside click, via a global handler in index.html that targets details.relative. Deploy page's collapsible help section is unaffected (no `relative`). Self-service profile page (/admin/#profile) - New page accessible to any signed-in user (no admin gate). Sections: * Profile info — display name, email * Change password — requires current password + new + confirm * Two-factor authentication — enroll/disable - TOTP enrollment is two-step with QR confirmation. POST .../totp/start generates a fresh secret, renders a server-side SVG QR code (new `qrcode` crate dependency, no_std SVG renderer) plus the manual-entry base32 secret. The secret rides in a hidden form field; nothing is written to user_totp_secrets until the user submits a valid 6-digit code at .../totp/confirm. Wrong code re-renders the same QR with a "code didn't match" notice so the user can retry without re-scanning. - TOTP removal requires the current password. - Sidebar now has a "My profile" link at the bottom. OIDC linkage awareness - UserRow exposes oidc_subject (was already in schema, just not surfaced in the struct). UserRow::is_oidc_linked() returns true for non-empty. - Admin Users page: for OIDC-linked rows the password-set form is replaced by a small italic note ("Linked to OIDC — password sign-in is disabled."). Server-side, reset_password also rejects with the same message — UI hide is cosmetic; the handler check is the actual guarantee. - TOTP column doubles as an auth-path indicator: OIDC-linked users get a cyan "OIDC" badge instead of (or in preference to) the violet "enrolled" badge. - Self-service profile page: change-password and TOTP sections become short notes ("Your account signs in via the identity provider …" / "MFA is managed by your identity provider") for OIDC users. change_password handler also short-circuits with the same message. Login page error fragment - The auth handler returns 401 with an HTML body for bad credentials / disabled / not-admin / bad-TOTP, but HTMX skips the swap on 4xx by default — so login errors silently never appeared. Form now has hx-on::before-swap that forces shouldSwap=true and clears isError on 4xx, but only for this form (page-level htmx:responseError handler that bounces 401s to /admin/login.html still applies elsewhere — it wouldn't loop here since this form sets isError=false). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 18:55:29 +02:00
mike	940b407560	fix(admin): drop overflow-hidden from action-dropdown tables The Users and Devices tables had `overflow-hidden` on the wrapper div for clean rounded corners. That same clipping was hiding the bottom half of the per-row action menu (a `<details>`/`<summary>` popover absolutely positioned inside the last cell). Removing `overflow-hidden` lets the dropdown extend past the table edge — the popover already has its own border + shadow, so the loss in corner aesthetics is negligible. The other read-only tables (audit, recordings, oidc, address_books) keep `overflow-hidden` since they don't host popovers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:26:43 +02:00
mike	5b288d671c	feat: M5 admin dashboard (HTMX + Tailwind CDN, embedded HTML) A web admin UI for the rustdesk-server, mounted at /admin/* on the existing HTTP API listener. Single-binary deploy preserved — the two HTML files live in admin_ui/ and are pulled into the binary via include_str! at build time, so there's nothing extra to ship. ================================================================================ Architecture ================================================================================ - Stack: HTMX 1.9 + Tailwind play CDN. No SPA, no Node toolchain. Pages are server-rendered HTML fragments returned by Rust handlers via Html<String>; the index.html shell uses hx-get to drop a fragment into the main pane and hx-push-url for back-button history. - Auth: same Bearer-token table the API uses. The dashboard log-in form POSTs username + password (+ optional TOTP) to /admin/login; on success the server mints a token and pins it in an HttpOnly + SameSite=Strict cookie (`rd_admin_session`). The AuthedUser extractor was extended to accept either the Authorization: Bearer header (curl, desktop client) OR the session cookie (browser). - Embedding: src/api/admin/mod.rs has `include_str!("../../../admin_ui/index.html")` + login.html. No tower_http::ServeDir wildcard — we ran into axum 0.5 routing conflicts between literal /admin/login routes and an /admin/* catch-all, so each HTML file is its own explicit route. ================================================================================ M5a — foundation ================================================================================ Files: admin_ui/index.html page shell + sidebar + HTMX + 401-bounces-to-login admin_ui/login.html credentials + TOTP form, posts to /admin/login src/api/admin/mod.rs router + include_str! + Cache-Control: no-cache src/api/admin/auth.rs /admin/login POST (form-encoded), /admin/logout POST src/api/admin/me.rs sidebar fragment ("Signed in as <name>") src/api/middleware.rs `AuthedUser` now reads either Bearer OR cookie src/api/state.rs `admin_ui_dir` (informational; UI is embedded) src/main.rs --admin-ui-dir flag (empty disables the dashboard) The login flow asks for TOTP transparently in the same form when the target user has a secret enrolled, so the dashboard inherits the TOTP gate from the API auth surface for free. ================================================================================ M5b — full CRUD pages ================================================================================ - Users (src/api/admin/pages/users.rs) — list, create, password reset, toggle admin / status, TOTP enroll / unenroll, delete. TOTP enroll surfaces the secret + otpauth URL once, on a dismissible banner above the table. - Devices (devices.rs) — list with hostname/OS/last-heartbeat/conn count, force-disconnect (queues `heartbeat_commands` row consumed at the next /api/heartbeat tick), force-sysinfo refresh. - Device groups (groups.rs) — list / create / delete / add member / remove member. Per-group section, with an add-member dropdown of users not yet in the group. - Strategies (strategies.rs) — list / create / edit config_options / delete. config_options is validated as a JSON object on the server side before persist; bad JSON is reflected to the page with a friendly error notice. - Address books (address_books.rs) — read-only overview of all books with owner, kind (personal / shared badge), peer count, GUID. - OIDC providers (oidc.rs) — read-only list of what's configured. Editing remains operator-side via --oidc-config TOML or direct SQL. ================================================================================ M5c — audit + recordings browsers ================================================================================ - Audit log (audit.rs) — three tabs (Connections / File transfers / Alarms), each capped at the latest 200 rows. Tab pills are HTMX links with hx-get + hx-target="#main" so the tab switch is a single fetch. - Recordings (recordings.rs) — read-only list with peer / size / state / start / finish. Streaming download is a follow-up; for now operators pull files from --recording-dir directly. ================================================================================ DB methods added ================================================================================ - Users: users_list_all, user_set_status, user_set_admin, user_set_password, user_delete, user_has_totp, raw_update_user_email - Devices: devices_list_all, device_sysinfo_get_conns, heartbeat_command_queue (also used elsewhere; surfaced) - Groups: device_groups_list_all, device_group_members, device_group_create, device_group_delete, device_group_add_member, device_group_remove_member - Strategy: strategies_list_all, strategy_create, strategy_update_config, strategy_delete - Audit: audit_conn_list, audit_file_list, audit_alarm_list - Misc: ab_list_all_with_owner, recordings_list All use the runtime sqlx::query("...") form (matching the project-wide convention) so the SQLite compile-time-check macros don't require these new tables to pre-exist in the dev DB. ================================================================================ Conventions enforced ================================================================================ - Every page handler gates on require_admin(&AuthedUser) — non-admin users get an HTTP 403 + JSON envelope, which the SPA shell catches and bounces back to the login form. - HTML fragments are produced via `format!`-with-named-args; html_escape is centralized in src/api/admin/pages/shared.rs and applied to every user-supplied string before it lands in the DOM. - All mutations return either the updated table fragment OR notice_html(kind, msg) + the table — same pattern across pages, so HTMX swap targets stay simple (always #region innerHTML). - Cookie carries no path restriction so it also authorizes /api/* calls the dashboard might want to make from the browser; HttpOnly + SameSite=Strict mitigates XSS / CSRF; Max-Age tracks ApiConfig's session_ttl_secs (30 days). ================================================================================ Verification ================================================================================ 1. cargo build --release — clean. 2. End-to-end smoke test: - /admin/ serves index.html (4406 bytes), /admin/login.html serves login.html (2598 bytes). - POST /admin/login with valid creds returns 200 + Set-Cookie `rd_admin_session=…; HttpOnly; Path=/; SameSite=Strict; Max-Age=…`. - All eight /admin/pages/* fragments return 200 with cookie. - Users CRUD round-trip: create alice → toggle admin → disable → reset password → enroll TOTP (32-char secret displayed once) → unenroll → delete; self-action guard rejects suicide deletes. - Groups CRUD: create engineering → add alice as member → SQL confirms the row. - Strategies: valid JSON accepted, invalid JSON rejected with a friendly notice. - Audit tabs: all three render 200; empty-state messages appear when no rows. - /admin/logout clears the cookie; subsequent /admin/me returns 401. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:13:35 +02:00

mike

4ccfe7a0e6

feat(admin): user-administration QoL — last-seen, profile page, OIDC awareness

Bundles the dashboard improvements that landed since 782e4c5 into one
commit. None of these change wire protocols or DB schema; they're all
UI + handlers on top of existing tables.

Users page (/admin/#users)
- "Last seen" column derived from MAX(tokens.last_used_at) per user
  (single GROUP BY query in users_last_seen_map). Shows relative
  short-form ("5m ago", "3h ago", "2d ago") with the absolute UTC
  timestamp in the cell title= for hover.
- Per-row dropdown gains an inline "Edit profile" form (display name,
  email, Save) so admins can edit other users' info without going
  through the self-service profile.
- "Enroll TOTP" button removed from the dropdown — TOTP enrollment is
  now self-service only, so admin-side enroll (which generated a secret
  out-of-band with no QR/confirm) is dead UX. "Disable TOTP" stays,
  shown only when the user has it enrolled, with hx-confirm.
- Per-row action popover (the ··· menu) now closes on outside click,
  via a global handler in index.html that targets details.relative.
  Deploy page's collapsible help section is unaffected (no `relative`).

Self-service profile page (/admin/#profile)
- New page accessible to any signed-in user (no admin gate). Sections:
  * Profile info — display name, email
  * Change password — requires current password + new + confirm
  * Two-factor authentication — enroll/disable
- TOTP enrollment is two-step with QR confirmation. POST .../totp/start
  generates a fresh secret, renders a server-side SVG QR code (new
  `qrcode` crate dependency, no_std SVG renderer) plus the manual-entry
  base32 secret. The secret rides in a hidden form field; nothing is
  written to user_totp_secrets until the user submits a valid 6-digit
  code at .../totp/confirm. Wrong code re-renders the same QR with a
  "code didn't match" notice so the user can retry without re-scanning.
- TOTP removal requires the current password.
- Sidebar now has a "My profile" link at the bottom.

OIDC linkage awareness
- UserRow exposes oidc_subject (was already in schema, just not surfaced
  in the struct). UserRow::is_oidc_linked() returns true for non-empty.
- Admin Users page: for OIDC-linked rows the password-set form is
  replaced by a small italic note ("Linked to OIDC — password sign-in
  is disabled."). Server-side, reset_password also rejects with the
  same message — UI hide is cosmetic; the handler check is the actual
  guarantee.
- TOTP column doubles as an auth-path indicator: OIDC-linked users get
  a cyan "OIDC" badge instead of (or in preference to) the violet
  "enrolled" badge.
- Self-service profile page: change-password and TOTP sections become
  short notes ("Your account signs in via the identity provider …" /
  "MFA is managed by your identity provider") for OIDC users.
  change_password handler also short-circuits with the same message.

Login page error fragment
- The auth handler returns 401 with an HTML body for bad credentials /
  disabled / not-admin / bad-TOTP, but HTMX skips the swap on 4xx by
  default — so login errors silently never appeared. Form now has
  hx-on::before-swap that forces shouldSwap=true and clears isError on
  4xx, but only for this form (page-level htmx:responseError handler
  that bounces 401s to /admin/login.html still applies elsewhere — it
  wouldn't loop here since this form sets isError=false).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 18:55:29 +02:00

mike

940b407560

fix(admin): drop overflow-hidden from action-dropdown tables

The Users and Devices tables had `overflow-hidden` on the wrapper div for
clean rounded corners. That same clipping was hiding the bottom half of
the per-row action menu (a `<details>`/`<summary>` popover absolutely
positioned inside the last cell). Removing `overflow-hidden` lets the
dropdown extend past the table edge — the popover already has its own
border + shadow, so the loss in corner aesthetics is negligible.

The other read-only tables (audit, recordings, oidc, address_books) keep
`overflow-hidden` since they don't host popovers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-01 20:26:43 +02:00

mike

5b288d671c

feat: M5 admin dashboard (HTMX + Tailwind CDN, embedded HTML)

A web admin UI for the rustdesk-server, mounted at /admin/* on the
existing HTTP API listener. Single-binary deploy preserved — the two
HTML files live in admin_ui/ and are pulled into the binary via
include_str! at build time, so there's nothing extra to ship.

================================================================================
Architecture
================================================================================
- Stack: HTMX 1.9 + Tailwind play CDN. No SPA, no Node toolchain. Pages
  are server-rendered HTML fragments returned by Rust handlers via
  Html<String>; the index.html shell uses hx-get to drop a fragment into
  the main pane and hx-push-url for back-button history.
- Auth: same Bearer-token table the API uses. The dashboard log-in form
  POSTs username + password (+ optional TOTP) to /admin/login; on success
  the server mints a token and pins it in an HttpOnly + SameSite=Strict
  cookie (`rd_admin_session`). The AuthedUser extractor was extended to
  accept either the Authorization: Bearer header (curl, desktop client)
  OR the session cookie (browser).
- Embedding: src/api/admin/mod.rs has `include_str!("../../../admin_ui/index.html")`
  + login.html. No tower_http::ServeDir wildcard — we ran into axum 0.5
  routing conflicts between literal /admin/login routes and an /admin/*
  catch-all, so each HTML file is its own explicit route.

================================================================================
M5a — foundation
================================================================================
Files:
  admin_ui/index.html   page shell + sidebar + HTMX + 401-bounces-to-login
  admin_ui/login.html   credentials + TOTP form, posts to /admin/login
  src/api/admin/mod.rs  router + include_str! + Cache-Control: no-cache
  src/api/admin/auth.rs /admin/login POST (form-encoded), /admin/logout POST
  src/api/admin/me.rs   sidebar fragment ("Signed in as <name>")
  src/api/middleware.rs `AuthedUser` now reads either Bearer OR cookie
  src/api/state.rs      `admin_ui_dir` (informational; UI is embedded)
  src/main.rs           --admin-ui-dir flag (empty disables the dashboard)

The login flow asks for TOTP transparently in the same form when the
target user has a secret enrolled, so the dashboard inherits the TOTP
gate from the API auth surface for free.

================================================================================
M5b — full CRUD pages
================================================================================
- Users (src/api/admin/pages/users.rs) — list, create, password reset,
  toggle admin / status, TOTP enroll / unenroll, delete. TOTP enroll
  surfaces the secret + otpauth URL once, on a dismissible banner above
  the table.
- Devices (devices.rs) — list with hostname/OS/last-heartbeat/conn count,
  force-disconnect (queues `heartbeat_commands` row consumed at the next
  /api/heartbeat tick), force-sysinfo refresh.
- Device groups (groups.rs) — list / create / delete / add member /
  remove member. Per-group section, with an add-member dropdown of users
  not yet in the group.
- Strategies (strategies.rs) — list / create / edit config_options /
  delete. config_options is validated as a JSON object on the server side
  before persist; bad JSON is reflected to the page with a friendly
  error notice.
- Address books (address_books.rs) — read-only overview of all books
  with owner, kind (personal / shared badge), peer count, GUID.
- OIDC providers (oidc.rs) — read-only list of what's configured. Editing
  remains operator-side via --oidc-config TOML or direct SQL.

================================================================================
M5c — audit + recordings browsers
================================================================================
- Audit log (audit.rs) — three tabs (Connections / File transfers /
  Alarms), each capped at the latest 200 rows. Tab pills are HTMX links
  with hx-get + hx-target="#main" so the tab switch is a single fetch.
- Recordings (recordings.rs) — read-only list with peer / size / state /
  start / finish. Streaming download is a follow-up; for now operators
  pull files from --recording-dir directly.

================================================================================
DB methods added
================================================================================
- Users:    users_list_all, user_set_status, user_set_admin,
            user_set_password, user_delete, user_has_totp,
            raw_update_user_email
- Devices:  devices_list_all, device_sysinfo_get_conns,
            heartbeat_command_queue (also used elsewhere; surfaced)
- Groups:   device_groups_list_all, device_group_members,
            device_group_create, device_group_delete,
            device_group_add_member, device_group_remove_member
- Strategy: strategies_list_all, strategy_create,
            strategy_update_config, strategy_delete
- Audit:    audit_conn_list, audit_file_list, audit_alarm_list
- Misc:     ab_list_all_with_owner, recordings_list

All use the runtime sqlx::query("...") form (matching the project-wide
convention) so the SQLite compile-time-check macros don't require these
new tables to pre-exist in the dev DB.

================================================================================
Conventions enforced
================================================================================
- Every page handler gates on require_admin(&AuthedUser) — non-admin
  users get an HTTP 403 + JSON envelope, which the SPA shell catches and
  bounces back to the login form.
- HTML fragments are produced via `format!`-with-named-args; html_escape
  is centralized in src/api/admin/pages/shared.rs and applied to every
  user-supplied string before it lands in the DOM.
- All mutations return either the updated table fragment OR
  notice_html(kind, msg) + the table — same pattern across pages, so
  HTMX swap targets stay simple (always #region innerHTML).
- Cookie carries no path restriction so it also authorizes /api/* calls
  the dashboard might want to make from the browser; HttpOnly +
  SameSite=Strict mitigates XSS / CSRF; Max-Age tracks ApiConfig's
  session_ttl_secs (30 days).

================================================================================
Verification
================================================================================
1. cargo build --release — clean.
2. End-to-end smoke test:
   - /admin/ serves index.html (4406 bytes), /admin/login.html serves
     login.html (2598 bytes).
   - POST /admin/login with valid creds returns 200 + Set-Cookie
     `rd_admin_session=…; HttpOnly; Path=/; SameSite=Strict; Max-Age=…`.
   - All eight /admin/pages/* fragments return 200 with cookie.
   - Users CRUD round-trip: create alice → toggle admin → disable →
     reset password → enroll TOTP (32-char secret displayed once) →
     unenroll → delete; self-action guard rejects suicide deletes.
   - Groups CRUD: create engineering → add alice as member → SQL
     confirms the row.
   - Strategies: valid JSON accepted, invalid JSON rejected with a
     friendly notice.
   - Audit tabs: all three render 200; empty-state messages appear when
     no rows.
   - /admin/logout clears the cookie; subsequent /admin/me returns 401.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-01 20:13:35 +02:00

3 Commits