feat(rotate): persist current password; add token-protected API

* RotatePasswords now stores the active wordlist entry as unifi.password_rotation.last_password whenever a whole-SSID rotation succeeds. Per-PPSK rotation continues to store passwords on each PPSK row as before. * Settings → Tasks tab surfaces the current password in bold beneath the wordlist textarea so operators can quickly check what's live. * New JSON endpoint GET /api/unifi/wifi/current-password returns {"password": "...", "rotated_at": "..."}. Protected by a token stored in unifi.api_token — pass as Authorization: Bearer <token> or ?token=<token>. 401 on bad/missing token, 503 if no token is configured, 404 if no rotation has happened yet. * Settings page lets super-admins Generate / Regenerate / Clear the token. Generated tokens are 48-char hex from bin2hex(random_bytes(24)). * The endpoint lives outside the web/auth middleware so external signage / kiosks can hit it without a session cookie. v1.6.2. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 19:42:13 -04:00
parent e8796d443e
commit 4b29f55518
5 changed files with 71 additions and 1 deletions
--- a/src/Http/Controllers/UnifiSettingsController.php
+++ b/src/Http/Controllers/UnifiSettingsController.php
@@ -31,10 +31,25 @@ class UnifiSettingsController extends Controller
            'rotationMinute'         => (int) Setting::get('unifi.password_rotation.minute', 0),
            'rotationWordlist'       => Setting::get('unifi.password_rotation.wordlist', ''),
            'rotationLastRotatedAt'   => Setting::get('unifi.password_rotation.last_rotated_at', null),
+            'rotationLastPassword'    => Setting::get('unifi.password_rotation.last_password', null),
            'ppskSchedulingEnabled'   => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
+            'apiToken'                => Setting::get('unifi.api_token', null),
        ]);
    }

+    public function regenerateApiToken()
+    {
+        $token = bin2hex(random_bytes(24));
+        Setting::set('unifi.api_token', $token);
+        return response()->json(['token' => $token]);
+    }
+
+    public function clearApiToken()
+    {
+        Setting::set('unifi.api_token', '');
+        return response()->json(['ok' => true]);
+    }
+
    public function update(Request $request)
    {
        $request->validate([
--- a/src/Http/Controllers/WifiApiController.php
+++ b/src/Http/Controllers/WifiApiController.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace Dashboard\Unifi\Http\Controllers;
+
+use App\Models\Setting;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+
+/**
+ * Token-protected JSON endpoints for external integrations (signage,
+ * kiosks, room displays, etc.) that need the current rotating WiFi
+ * password without going through the dashboard UI.
+ */
+class WifiApiController extends Controller
+{
+    public function currentPassword(Request $request)
+    {
+        $expected = Setting::get('unifi.api_token');
+        if (! $expected) {
+            return response()->json(['error' => 'API token not configured'], 503);
+        }
+
+        $provided = $request->bearerToken() ?: $request->query('token');
+        if (! $provided || ! hash_equals($expected, $provided)) {
+            return response()->json(['error' => 'Unauthorized'], 401);
+        }
+
+        $password = Setting::get('unifi.password_rotation.last_password');
+        if (! $password) {
+            return response()->json([
+                'error' => 'No rotated password recorded yet — wait for the next scheduled rotation or run unifi:rotate-passwords --force.',
+            ], 404);
+        }
+
+        return response()->json([
+            'password'   => $password,
+            'rotated_at' => Setting::get('unifi.password_rotation.last_rotated_at'),
+        ]);
+    }
+}