Replace all new Response calls in commitUpload.js and getUploadUrl.js with
createResponse from uploadTools so that responses include Access-Control-Allow-Origin
and other CORS headers, fixing cross-origin requests.
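As an added example (not the project's own createResponse), here is what such a wrapper looks like when it also gets the security side of CORS right: only origins on an allowlist are echoed back, Allow-Credentials is never sent for an unknown origin, and Vary: Origin keeps shared caches from serving one origin's response to another. The allowlist, the option names and handleOptions are assumptions for the example.

```javascript
// Added example, not the project's own code: a createResponse wrapper that attaches
// CORS headers to every response. ALLOWED_ORIGINS and handleOptions are constructed
// for this example.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:5173']);

// Echo only an allowlisted Origin. Reflecting arbitrary Origin values together with
// Allow-Credentials would let any site make credentialed requests; Vary: Origin
// stops caches from reusing a response across origins.
function corsHeaders(origin) {
  const headers = {
    Vary: 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Drop-in for `new Response(...)`: serialises objects as JSON and merges CORS headers
// under any caller-supplied headers.
function createResponse(body, { status = 200, origin = null, headers = {} } = {}) {
  const isJson = body !== null && typeof body === 'object';
  return new Response(isJson ? JSON.stringify(body) : body, {
    status,
    headers: {
      ...(isJson ? { 'Content-Type': 'application/json' } : {}),
      ...corsHeaders(origin),
      ...headers,
    },
  });
}

// Preflight: answered before any auth check, with no body.
function handleOptions(request) {
  return createResponse(null, { status: 204, origin: request.headers.get('Origin') });
}
```

Every handler returns through createResponse, including error paths, because a 401 or 500 that lacks the CORS headers is just as invisible to the browser as a 200 that lacks them.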
- checkAdmin: return 'admin' when admin auth not configured
- checkUser: return 'user' when authCode not configured
- directoryTree: use authType !== 'admin' to gate user-only checks
- Remove Basic Auth (verifyBasicAuth, parseBasicAuth) from authCore.js
- Add /api/auth/adminLogin POST endpoint for admin login via JSON body
- Delete legacy /api/manage/check, login, logout (no longer referenced)
- Fix adminConfigured to consider password-only config
- Extract shared authentication logic into utils/auth/authCore.js
- Replace enableBasicAuth/enableAuthCode flags with clear authScope enum (ADMIN/USER/EITHER)
- Move all auth-related files into utils/auth/ subdirectory
- Eliminate duplicated admin auth logic between _middleware.js and dualAuth.js
- Fix: user session no longer grants access to admin-only endpoints
- Fix: dualAuth no longer bypasses authCode when admin is not configured
- Update all 17 import references across the codebase
- Preserve original function signatures (userAuthCheck, dualAuthCheck) for zero caller changes
- Replace single-round SHA-256 with PBKDF2 (100k iterations) via Web Crypto API
- Auto-rehash old SHA-256/plaintext passwords to PBKDF2 on successful login
- Add timing-safe comparison to prevent timing attacks
- Replace Math.random() with crypto.getRandomValues() for API token and token ID generation
- Maintain full backward compatibility with existing SHA-256 hashes and plaintext passwords
Allows resetting all auth config when locked out:
- Requires RESET_KEY environment variable to be set
- GET /api/resetAuth?key=YOUR_RESET_KEY
- Clears security config from database (falls back to env vars)
- Destroys all active sessions
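As an added example (not the project's authCore.js or resetAuth handler), the block below models the authScope gate from the authentication refactor above together with the lockout reset endpoint, so the two fixes named in the refactor are visible as code: a user session never satisfies ADMIN scope, and EITHER scope still demands the auth code when admin auth is not configured. It also follows the earlier commit in returning 'admin' from checkAdmin and 'user' from checkUser when the corresponding credential is not configured. The config shape (adminUsername, adminPassword, authCode), the request context (sessionRole already resolved from a validated session token, authCode from the request), the in-memory store and env.RESET_KEY are assumptions for the example.

```javascript
// Added example, not the project's own code: an authScope gate plus a lockout reset
// handler modelled on the commit messages above. cfg.adminPassword / cfg.authCode,
// ctx.sessionRole / ctx.authCode, the store object and env.RESET_KEY are assumed shapes.
const AuthScope = Object.freeze({ ADMIN: 'ADMIN', USER: 'USER', EITHER: 'EITHER' });

// Password-only config counts as configured; a username is optional.
function adminConfigured(cfg) { return Boolean(cfg.adminPassword); }
function authCodeConfigured(cfg) { return Boolean(cfg.authCode); }

// Compare secrets without early exit so response time does not reveal how much of
// the value matched. Non-strings (a missing header or query param) never match.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// 'admin' for an admin session, or when admin auth is not configured (nothing to check
// against); null otherwise. A 'user' session never yields 'admin'.
function checkAdmin(ctx, cfg) {
  if (!adminConfigured(cfg)) return 'admin';
  return ctx.sessionRole === 'admin' ? 'admin' : null;
}

// 'user' when no auth code is configured, for any logged-in session, or for a matching
// auth code; null otherwise.
function checkUser(ctx, cfg) {
  if (!authCodeConfigured(cfg)) return 'user';
  if (ctx.sessionRole === 'admin' || ctx.sessionRole === 'user') return 'user';
  return constantTimeEqual(ctx.authCode, cfg.authCode) ? 'user' : null;
}

// Single gate used by every endpoint; returns the granted role or null.
function authorize(ctx, cfg, scope) {
  switch (scope) {
    case AuthScope.ADMIN:
      return checkAdmin(ctx, cfg);
    case AuthScope.USER:
      return checkUser(ctx, cfg);
    case AuthScope.EITHER:
      // Only a real admin session short-circuits. When admin auth is not configured,
      // checkAdmin's open result must not be allowed to bypass the auth code.
      if (adminConfigured(cfg) && checkAdmin(ctx, cfg) === 'admin') return 'admin';
      return checkUser(ctx, cfg);
    default:
      throw new Error(`unknown authScope: ${scope}`);
  }
}

// Lockout reset: refuses unless RESET_KEY is set in the environment and the ?key=
// value matches it, then drops the stored security config (so environment variables
// apply again) and destroys every active session.
function resetAuth(url, env, store) {
  if (!env.RESET_KEY) return { status: 403, body: 'RESET_KEY not set' };
  const key = new URL(url).searchParams.get('key');
  if (!constantTimeEqual(key ?? '', env.RESET_KEY)) return { status: 403, body: 'invalid key' };
  store.securityConfig = null;
  store.sessions.clear();
  return { status: 200, body: 'auth config reset' };
}
```

Two things worth keeping in mind with the reset endpoint as described: the key travels in the query string, so it will appear in access logs and browser history, and the endpoint is reachable whenever RESET_KEY is set, so the variable should be set only for the duration of a recovery and removed afterwards.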
- Fix getSecurityConfig: use ?? instead of || so empty string is preserved
- Handle _clear flag to explicitly remove passwords
- Clear adminUsername together with adminPassword on _clear
- sessionCheck now returns adminRequired/userRequired fields
- Return 200 instead of 401 from sessionCheck for frontend to decide