Skip to content

fix(pi-package-webui): support fixed remote PIN via PI_WEBUI_REMOTE_PIN env var#7

Open
buihongduc132 wants to merge 1 commit into
Firstp1ck:mainfrom
buihongduc132:fix/pi-webui-remote-pin-env-var
Open

fix(pi-package-webui): support fixed remote PIN via PI_WEBUI_REMOTE_PIN env var#7
buihongduc132 wants to merge 1 commit into
Firstp1ck:mainfrom
buihongduc132:fix/pi-webui-remote-pin-env-var

Conversation

@buihongduc132

Copy link
Copy Markdown

Problem

pi-webui generates a random 4-digit PIN on every server start (generateRemotePin()). Operators running headless / supervised deployments (e.g. behind a reverse proxy on a trusted LAN, or inside a Nomad/Kubernetes job) cannot know the PIN without querying the running alloc's logs. Restarting the alloc rotates the PIN, breaking bookmarks / saved sessions.

Fix

generateRemotePin() now checks PI_WEBUI_REMOTE_PIN first. If set and exactly 4 digits, it returns that value. If unset (or invalid), behavior is unchanged — a fresh random PIN is generated per server start.

Why env var (not CLI flag / settings file)

  • Env var: works headless without inspecting the running process. Aligns with existing PI_WEBUI_REMOTE_AUTH, PI_WEBUI_HOST, PI_WEBUI_PORT, etc.
  • CLI flag: would require editing launch scripts, not a fit for supervisors that template env.
  • Settings file: persists the toggle already; persisting the PIN would defeat the security goal of rotation.

Changes

  • `pi-package-webui/bin/pi-webui.mjs`: `generateRemotePin()` reads `process.env.PI_WEBUI_REMOTE_PIN` first; logs a warning + falls back to random if the value is not exactly 4 digits.
  • `pi-package-webui/README.md`: document `PI_WEBUI_REMOTE_PIN` in the env var list and clarify that the default random-PIN behavior is preserved when unset.
  • `pi-package-webui/tests/remote-pin-env-harness.test.mjs`: new harness test (follows `remote-auth-settings-harness.test.mjs` pattern) covering:
    • startup PIN equals the env-pinned value
    • POST `/api/remote-auth` with correct PIN → 200
    • POST `/api/remote-auth` with wrong PIN → 403

Validation

  • `node tests/remote-pin-env-harness.test.mjs` — PASS
  • `node tests/remote-auth-settings-harness.test.mjs` — PASS (existing test, unchanged behavior preserved)
  • `./dev/scripts/check-publish-readiness.sh --target pi-package-webui --skip-auth --skip-registry` — PASS (per `CONTRIBUTING.md`)

Backward compatibility

Default behavior (random PIN per start) is fully preserved when `PI_WEBUI_REMOTE_PIN` is unset. No existing test or behavior changes.

Security note

A fixed PIN reduces security versus random rotation; the README addition makes that explicit. This is opt-in only and is intended for trusted-LAN / supervised deployments where operator access to the PIN is required.

…IN env var

generateRemotePin() now checks PI_WEBUI_REMOTE_PIN first; falls back to
random PIN if unset or invalid (non-4-digit). Enables headless / supervised
deployments where operator needs a stable PIN across restarts.

- README: document PI_WEBUI_REMOTE_PIN in env var list
- Test: remote-pin-env-harness covers valid pin, auth POST, wrong-pin rejection

Default behavior (random PIN per start) preserved when env var unset.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an operator-friendly option for pi-webui to use a stable Remote PIN in headless/supervised deployments by allowing the PIN to be supplied via an environment variable, while preserving the existing random-PIN default when unset/invalid.

Changes:

  • Update generateRemotePin() to prefer PI_WEBUI_REMOTE_PIN when it is exactly 4 digits; otherwise warn and fall back to a random PIN.
  • Document PI_WEBUI_REMOTE_PIN in the pi-package-webui README.
  • Add a new harness test validating env-pinned Remote PIN behavior and auth success/failure paths.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
pi-package-webui/bin/pi-webui.mjs Reads PI_WEBUI_REMOTE_PIN for Remote PIN generation with validation + fallback behavior.
pi-package-webui/README.md Documents the new PI_WEBUI_REMOTE_PIN environment variable and its behavior.
pi-package-webui/tests/remote-pin-env-harness.test.mjs Adds an integration-style harness test for fixed PIN startup and remote-auth POST outcomes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pi-package-webui/README.md
@Firstp1ck

Copy link
Copy Markdown
Owner

If we want to implement a fixed env var, PI_WEBUI_REMOTE_PIN (change var name) should instead be modeled as a fixed remote auth secret/token rather than a fixed 4-digit PIN.

Suggested behavior:

  • If no env var is set: keep the current behavior.
  • If an env var is set: require a stronger token/password, e.g. minimum length >= 24 chars, and use that as the fixed remote auth secret.
  • Prefer a clearer name such as PI_WEBUI_REMOTE_TOKEN or PI_WEBUI_REMOTE_PASSWORD
  • Do not log env-provided secret values. Also do not log invalid values; log only that the value was invalid, possibly with length/format metadata. (Keep logging the random PIN)
  • If the env-provided value is invalid/too weak, fail startup instead of silently falling back to a random PIN.

@Firstp1ck Firstp1ck added the enhancement New feature or request label Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants