fix: password setup, CSRF 403, reboot after install

Critical fixes:
- Remove ensure_default_user() — no more auto-creating user with
  password123. Login page now shows "Create Password" form on first
  boot. User sets their own password during onboarding flow.
- CSRF 403: increased retry delay from 300ms to 500ms for stale
  cookie recovery after remember-me session restore.
- Reboot: multiple fallback methods (/sbin/reboot, sysrq, kill init)
  when USB is pulled and /usr/sbin isn't available.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-29 22:44:46 +01:00
parent 0f646a99d3
commit 967af7d96f
2 changed files with 5 additions and 6 deletions

View File

@@ -78,10 +78,10 @@ class RPCClient {
}
throw new Error('Session expired')
}
// CSRF 403: retry once after short delay (cookie may have been
// CSRF 403: retry twice after delay (cookie may have been
// updated by a concurrent Set-Cookie response not yet visible to JS)
if (response.status === 403 && attempt < maxRetries - 1) {
await new Promise((r) => setTimeout(r, 300))
await new Promise((r) => setTimeout(r, 500))
continue
}
const err = new Error(`HTTP ${response.status}: ${response.statusText}`)