fix(rotate): record PPSK rotation password + sync banded-SSID siblings

Three bugs reported from prod after a PPSK rotation:

1. unifi.password_rotation.last_password was only saved after a
   whole-SSID rotation. PPSK-only setups (the typical guest-WiFi case)
   ran a successful rotation but the setting stayed empty, so the
   Settings → Tasks UI never showed the current password and the
   /api/unifi/wifi/current-password endpoint returned 404
   "no rotated password recorded yet". The PPSK loop now writes
   last_password on every successful PPSK rotation.

2. When an SSID is "banded" (band-steering disabled), UniFi splits it
   into one wlanconf per band — 2.4GHz and 5GHz each get their own _id
   and their own embedded PPSK array. Rotating the PPSK on one band
   left the other band with the old password. New
   UnifiApiClient::getWlanSiblings($wlanId) finds all wlanconfs that
   share an SSID name; both rotation and the manual modal edit now
   call updateEmbeddedPpsk on each sibling and update the matching
   UnifiPpsk DB rows.

3. The manual WiFi modal edit had the same band-blindness as #2 —
   editing the GUEST PPSK on the 2.4GHz half left the 5GHz half stale.
   WifiController::ppskUpdate now walks siblings the same way.

v1.8.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

composer.json

@@ -1,7 +1,7 @@
 {
     "name": "dashboard/unifi",
     "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
-    "version": "1.5.3",
+    "version": "1.8.1",
     "type": "library",
     "license": "MIT",
     "autoload": {
@@ -27,7 +27,6 @@
                 { "label": "Devices",          "route_name": "unifi.devices",          "icon": "cpu-chip",         "permission": "unifi.stats",    "sort_order": 3 },
                 { "label": "Clients",          "route_name": "unifi.clients",          "icon": "users",            "permission": "unifi.stats",    "sort_order": 4 },
                 { "label": "WiFi Networks",    "route_name": "unifi.wifi",             "icon": "wifi",             "permission": "unifi.manage",   "sort_order": 5 },
-                { "label": "Portal",           "route_name": "unifi.portal.settings",  "icon": "shield-check",     "permission": "unifi.auth",     "sort_order": 6 },
                 { "label": "Settings",         "route_name": "unifi.settings",         "icon": "cog-6-tooth",      "permission": "unifi.settings", "sort_order": 99 }
             ],
             "permissions": [

database/migrations/2026_05_24_000002_add_templates_and_tracked_clients_to_unifi_webhook_configs.php

@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('unifi_webhook_configs', function (Blueprint $table) {
+            if (! Schema::hasColumn('unifi_webhook_configs', 'tracked_clients')) {
+                $table->json('tracked_clients')->nullable()->after('device_filter');
+            }
+            if (! Schema::hasColumn('unifi_webhook_configs', 'templates')) {
+                $table->json('templates')->nullable()->after('tracked_clients');
+            }
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('unifi_webhook_configs', function (Blueprint $table) {
+            if (Schema::hasColumn('unifi_webhook_configs', 'templates')) {
+                $table->dropColumn('templates');
+            }
+            if (Schema::hasColumn('unifi_webhook_configs', 'tracked_clients')) {
+                $table->dropColumn('tracked_clients');
+            }
+        });
+    }
+};

database/migrations/2026_05_24_000003_add_consecutive_count_to_unifi_device_states.php

@@ -0,0 +1,26 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('unifi_device_states', function (Blueprint $table) {
+            if (! Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
+                $table->unsignedSmallInteger('consecutive_count')->default(0)->after('in_alert');
+            }
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('unifi_device_states', function (Blueprint $table) {
+            if (Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
+                $table->dropColumn('consecutive_count');
+            }
+        });
+    }
+};

src/Console/RotatePasswords.php

@@ -68,6 +68,9 @@ class RotatePasswords extends Command
 
             if ($rotated) {
                 Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
+                // Persist the active password so it can be displayed in
+                // the Settings page and exposed via the API endpoint.
+                Setting::set('unifi.password_rotation.last_password', $password);
                 $this->info('Rotated password for ' . count($rotated) . ' SSID(s).');
             }
 
@@ -76,9 +79,49 @@ class RotatePasswords extends Command
             foreach ($ppskQuery->get() as $ppsk) {
                 $newPass = $passwords[array_rand($passwords)];
                 try {
+                    if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
+                        // Embedded PPSK: update inside the parent WLAN object.
+                        // Synthetic ID is derived from the new passphrase, so update it too.
+                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass);
+                        $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
+                        $oldPass = $ppsk->x_passphrase;
+                        $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
+
+                        // Sibling WLANs (same SSID name on a different band):
+                        // their embedded PPSK with the same name also needs
+                        // to rotate to the same new password so the SSID's
+                        // 2.4/5GHz halves stay in sync.
+                        foreach ($unifi->getWlanSiblings($ppsk->wlan_id) as $siblingWlanId) {
+                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
+                                ->where('name', $ppsk->name)
+                                ->where('state', 'active')
+                                ->first();
+                            $siblingOldPass = $sibling?->x_passphrase ?? $oldPass;
+                            try {
+                                $unifi->updateEmbeddedPpsk($siblingWlanId, $siblingOldPass, $newPass);
+                                if ($sibling) {
+                                    $sibling->update([
+                                        'x_passphrase' => $newPass,
+                                        'unifi_id'     => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
+                                    ]);
+                                }
+                            } catch (\Throwable $e) {
+                                $this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}");
+                                $failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()];
+                            }
+                        }
+                    } else {
                         $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
                         $ppsk->update(['x_passphrase' => $newPass]);
+                    }
                     $rotatedPpsks[] = $ppsk->name;
+
+                    // Save the active password every time a rotation
+                    // succeeds — covers PPSK-only rotation setups where
+                    // there's no whole-SSID rotation. Last successful
+                    // password wins if multiple PPSKs rotate in one run.
+                    Setting::set('unifi.password_rotation.last_password', $newPass);
+                    Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
                 } catch (\Throwable $e) {
                     $this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
                     $failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];

src/Http/Controllers/UnifiPagesAccessController.php

@@ -40,6 +40,15 @@ class UnifiPagesAccessController extends Controller
         $grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique();
         $users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']);
 
+        // Groups: always include super-admin groups (locked-on across all
+        // pages) plus any group with at least one grant. Other groups are
+        // added via searchGroups.
+        $grantedGroupIds = $grants->flatten(1)->where('grantee_type', 'group')->pluck('grantee_id')->unique();
+        $groups = Group::where(function ($q) use ($grantedGroupIds) {
+            $q->where('is_super', true)
+              ->orWhereIn('id', $grantedGroupIds);
+        })->orderBy('name')->get(['id', 'name', 'is_super']);
+
         return response()->json([
             'pages' => $pages->map(fn ($p) => [
                 'id'         => $p->id,
@@ -49,7 +58,7 @@ class UnifiPagesAccessController extends Controller
                 'group_ids'  => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(),
             ])->values(),
             'users'  => $users,
-            'groups' => Group::orderBy('name')->get(['id', 'name', 'is_super']),
+            'groups' => $groups,
         ]);
     }
 
@@ -76,6 +85,27 @@ class UnifiPagesAccessController extends Controller
         return response()->json(['users' => $users]);
     }
 
+    /**
+     * Typeahead-style search for groups to add to the access matrix.
+     * Excludes super-admin groups (they're already in the matrix and
+     * locked-on across every page).
+     */
+    public function searchGroups(Request $request)
+    {
+        $q = trim((string) $request->query('q', ''));
+        if (strlen($q) < 2) {
+            return response()->json(['groups' => []]);
+        }
+
+        $groups = Group::where('name', 'like', '%' . $q . '%')
+            ->where(function ($w) { $w->where('is_super', false)->orWhereNull('is_super'); })
+            ->orderBy('name')
+            ->limit(20)
+            ->get(['id', 'name', 'is_super']);
+
+        return response()->json(['groups' => $groups]);
+    }
+
     public function update(Request $request, NavItem $navItem)
     {
         $app = DashboardApp::where('slug', 'unifi')->first();

src/Http/Controllers/UnifiSettingsController.php

@@ -31,10 +31,26 @@ class UnifiSettingsController extends Controller
             'rotationMinute'         => (int) Setting::get('unifi.password_rotation.minute', 0),
             'rotationWordlist'       => Setting::get('unifi.password_rotation.wordlist', ''),
             'rotationLastRotatedAt'   => Setting::get('unifi.password_rotation.last_rotated_at', null),
+            'rotationLastPassword'    => Setting::get('unifi.password_rotation.last_password', null),
             'ppskSchedulingEnabled'   => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
+            'apiEnabled'              => (bool) Setting::get('unifi.api.enabled', false),
+            'apiToken'                => Setting::get('unifi.api_token', null),
         ]);
     }
 
+    public function regenerateApiToken()
+    {
+        $token = bin2hex(random_bytes(24));
+        Setting::set('unifi.api_token', $token);
+        return response()->json(['token' => $token]);
+    }
+
+    public function clearApiToken()
+    {
+        Setting::set('unifi.api_token', '');
+        return response()->json(['ok' => true]);
+    }
+
     public function update(Request $request)
     {
         $request->validate([
@@ -56,6 +72,7 @@ class UnifiSettingsController extends Controller
             'rotation_minute'       => 'nullable|integer|min:0|max:59',
             'rotation_wordlist'       => 'nullable|string|max:20000',
             'ppsk_scheduling_enabled' => 'boolean',
+            'api_enabled'             => 'boolean',
         ]);
 
         Setting::set('unifi.controller_url', rtrim($request->controller_url, '/'));
@@ -82,6 +99,7 @@ class UnifiSettingsController extends Controller
         Setting::set('unifi.password_rotation.minute',      $request->input('rotation_minute', 0));
         Setting::set('unifi.password_rotation.wordlist',    $request->input('rotation_wordlist', ''));
         Setting::set('unifi.ppsk_scheduling.enabled',        $request->boolean('ppsk_scheduling_enabled') ? '1' : '');
+        Setting::set('unifi.api.enabled',                    $request->boolean('api_enabled')             ? '1' : '');
 
         \Illuminate\Support\Facades\Cache::forget('unifi:api_prefix:' . md5(rtrim($request->controller_url, '/')));
 

src/Http/Controllers/WebhookController.php

@@ -68,20 +68,49 @@ class WebhookController extends Controller
 
     public function test(WebhookConfig $webhook)
     {
-        $payload = [
+        return $this->fireTest($webhook->url, $webhook->secret);
+    }
+
+    /**
+     * Test an arbitrary URL+secret before the webhook is saved. Lets the
+     * operator validate their endpoint from the form without first
+     * committing a row.
+     */
+    public function testUrl(Request $request)
+    {
+        $data = $request->validate([
+            'url'    => 'required|url|max:500',
+            'secret' => 'nullable|string|max:255',
+        ]);
+        return $this->fireTest($data['url'], $data['secret'] ?? null);
+    }
+
+    private function fireTest(string $url, ?string $secret)
+    {
+        $message = '✅ Test webhook from ' . config('app.name') . ' — endpoint is reachable.';
+        $genericPayload = [
             'event'     => 'test',
             'timestamp' => now()->toIso8601String(),
-            'data'      => ['message' => 'This is a test webhook from ' . config('app.name')],
+            'message'   => $message,
+            'data'      => ['message' => $message],
         ];
+        // Shape the payload to match the target platform (Google Chat,
+        // Slack, Discord, Teams) so the test exercises the same code
+        // path real events use.
+        $payload = \Dashboard\Unifi\Services\WebhookCheckService::buildPlatformPayload($url, $message, $genericPayload);
 
         $headers = ['Content-Type' => 'application/json'];
-        if ($webhook->secret) {
+        if ($secret) {
-            $headers['X-Webhook-Signature'] = hash_hmac('sha256', json_encode($payload), $webhook->secret);
+            $headers['X-Webhook-Signature'] = hash_hmac('sha256', json_encode($payload), $secret);
         }
 
         try {
-            $response = \Illuminate\Support\Facades\Http::withHeaders($headers)->timeout(10)->post($webhook->url, $payload);
+            $response = \Illuminate\Support\Facades\Http::withHeaders($headers)->timeout(10)->post($url, $payload);
-            return response()->json(['ok' => true, 'status' => $response->status()]);
+            return response()->json([
+                'ok'     => $response->successful(),
+                'status' => $response->status(),
+                'body'   => mb_substr((string) $response->body(), 0, 500),
+            ]);
         } catch (\Throwable $e) {
             return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
         }

src/Http/Controllers/WifiApiController.php

@@ -0,0 +1,44 @@
+<?php
+
+namespace Dashboard\Unifi\Http\Controllers;
+
+use App\Models\Setting;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+
+/**
+ * Token-protected JSON endpoints for external integrations (signage,
+ * kiosks, room displays, etc.) that need the current rotating WiFi
+ * password without going through the dashboard UI.
+ */
+class WifiApiController extends Controller
+{
+    public function currentPassword(Request $request)
+    {
+        if (! Setting::get('unifi.api.enabled')) {
+            return response()->json(['error' => 'API disabled'], 503);
+        }
+
+        $expected = Setting::get('unifi.api_token');
+        if (! $expected) {
+            return response()->json(['error' => 'API token not configured'], 503);
+        }
+
+        $provided = $request->bearerToken() ?: $request->query('token');
+        if (! $provided || ! hash_equals($expected, $provided)) {
+            return response()->json(['error' => 'Unauthorized'], 401);
+        }
+
+        $password = Setting::get('unifi.password_rotation.last_password');
+        if (! $password) {
+            return response()->json([
+                'error' => 'No rotated password recorded yet — wait for the next scheduled rotation or run unifi:rotate-passwords --force.',
+            ], 404);
+        }
+
+        return response()->json([
+            'password'   => $password,
+            'rotated_at' => Setting::get('unifi.password_rotation.last_rotated_at'),
+        ]);
+    }
+}

src/Http/Controllers/WifiController.php

@@ -291,11 +291,43 @@ class WifiController extends Controller
                     fn ($v) => $v !== null
                 );
                 if (! empty($unifiUpdate)) {
+                    if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
+                        // Embedded PPSK update path — modify the WLAN's embedded array.
+                        $newPass = $unifiUpdate['x_passphrase'];
+                        $oldPass = $record->x_passphrase;
+                        $unifi->updateEmbeddedPpsk($record->wlan_id, $oldPass, $newPass);
+                        $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32);
+
+                        // Also update sibling WLANs (banded SSID — same name
+                        // on 2.4 and 5GHz are separate wlanconf rows).
+                        foreach ($unifi->getWlanSiblings($record->wlan_id) as $siblingWlanId) {
+                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
+                                ->where('name', $record->name)
+                                ->where('state', 'active')
+                                ->first();
+                            $siblingOldPass = $sibling?->x_passphrase ?? $oldPass;
+                            try {
+                                $unifi->updateEmbeddedPpsk($siblingWlanId, $siblingOldPass, $newPass);
+                                if ($sibling) {
+                                    $sibling->update([
+                                        'x_passphrase' => $newPass,
+                                        'unifi_id'     => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
+                                    ]);
+                                }
+                            } catch (\Throwable $e) {
+                                \Illuminate\Support\Facades\Log::warning('unifi.ppsk_sibling_update_failed', [
+                                    'sibling_wlan' => $siblingWlanId,
+                                    'error'        => $e->getMessage(),
+                                ]);
+                            }
+                        }
+                    } else {
                         $unifi->updatePpsk($record->unifi_id, $unifiUpdate);
                     }
                 }
+            }
 
-            $dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase']));
+            $dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase', 'unifi_id']));
             // vlan can be explicitly set to null
             if (array_key_exists('vlan', $data)) $dbUpdate['vlan'] = $data['vlan'];
             if (! empty($dbUpdate)) $record->update($dbUpdate);

src/Models/UnifiPageGrant.php

@@ -29,18 +29,20 @@ class UnifiPageGrant extends Model
     }
 
     /**
-     * True iff $user is allowed to access $navItem under this grant model.
+     * True iff $user is allowed to access $navItem under strict allowlist
-     * Super-admins always pass.
+     * semantics:
-     * If there are NO grants for the page, falls back to "open" (anyone
+     *  * super-admins (the model-level flag) always pass
-     * who can reach the route can access — same as before grants existed).
+     *  * otherwise the user must be a direct grantee, OR be in a group
+     *    that is a grantee
+     *
+     * A page with NO grants saved is only visible to super-admins —
+     * the admin must explicitly authorize everyone else via the
+     * Access tab.
      */
     public static function userCanAccess(User $user, NavItem $navItem): bool
     {
         if ($user->is_super_admin) return true;
 
-        $hasGrants = static::where('nav_item_id', $navItem->id)->exists();
-        if (! $hasGrants) return true;
-
         $groupIds = $user->groups()->pluck('groups.id');
 
         return static::where('nav_item_id', $navItem->id)

src/Services/UnifiApiClient.php

@@ -312,6 +312,40 @@ class UnifiApiClient
         return $this->put("/rest/wlanconf/{$wlanId}", $data);
     }
 
+    /**
+     * Find sibling WLAN configs — same SSID name, different _id. UniFi
+     * splits a "banded" SSID (band-steering disabled) into one wlanconf
+     * per band, each with its own _id and its own embedded PPSK array.
+     * A rotation that updates one band must also update the others, or
+     * the SSID's two halves drift out of sync.
+     *
+     * Returns an array of sibling wlan IDs (excludes $wlanId itself).
+     * Empty array if the target WLAN is unique or can't be found.
+     */
+    public function getWlanSiblings(string $wlanId): array
+    {
+        try {
+            $all = $this->get('/rest/wlanconf');
+        } catch (\Throwable) {
+            return [];
+        }
+
+        $target = null;
+        foreach ($all as $w) {
+            if (($w['_id'] ?? null) === $wlanId) { $target = $w; break; }
+        }
+        if (! $target || empty($target['name'])) return [];
+
+        $siblings = [];
+        foreach ($all as $w) {
+            if (($w['_id'] ?? null) === $wlanId) continue;
+            if (($w['name'] ?? null) === $target['name']) {
+                $siblings[] = $w['_id'];
+            }
+        }
+        return $siblings;
+    }
+
     // ── PPSK ─────────────────────────────────────────────────────────────────
 
     /**
@@ -496,6 +530,63 @@ class UnifiApiClient
         return $this->normalizePpsk(is_array($result) && isset($result[0]) ? $result : [$result]);
     }
 
+    /**
+     * Update an embedded PPSK (one that lives inside a WLAN's
+     * private_preshared_keys array rather than as its own REST resource).
+     *
+     * Matching is done by current passphrase since embedded entries have
+     * no controller-side ID. Only changes the entry's passphrase; name
+     * isn't separately addressable on embedded PPSKs.
+     */
+    public function updateEmbeddedPpsk(string $wlanId, string $oldPassphrase, string $newPassphrase): array
+    {
+        $wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
+        $wlan     = $wlanResp[0] ?? $wlanResp;
+        $entries  = $wlan['private_preshared_keys'] ?? [];
+
+        if (! is_array($entries) || empty($entries)) {
+            throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
+        }
+
+        $matched = false;
+        foreach ($entries as &$e) {
+            $current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
+            if ($current === $oldPassphrase) {
+                // Preserve whichever field name the controller is using.
+                if (array_key_exists('x_passphrase', $e))  $e['x_passphrase'] = $newPassphrase;
+                if (array_key_exists('password', $e))       $e['password']     = $newPassphrase;
+                if (array_key_exists('passphrase', $e))     $e['passphrase']   = $newPassphrase;
+                // If none of the above existed, default to password (most common on embedded).
+                if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
+                    $e['password'] = $newPassphrase;
+                }
+                $matched = true;
+                break;
+            }
+        }
+        unset($e);
+
+        if (! $matched) {
+            throw new \RuntimeException('Embedded PPSK not found by current passphrase.');
+        }
+
+        // UniFi REST expects the full WLAN object on PUT — send what we
+        // got back, with the mutated PPSK array.
+        $payload = $wlan;
+        $payload['private_preshared_keys'] = $entries;
+        // Strip internal fields the controller rejects on PUT.
+        unset($payload['_id'], $payload['site_id']);
+
+        $this->put("/rest/wlanconf/{$wlanId}", $payload);
+
+        // Return a normalized record so callers can read the new state.
+        return $this->normalizePpsk([[
+            '_id'          => 'emb_' . substr(hash('sha256', $wlanId . ':' . $newPassphrase), 0, 32),
+            'wlan_id'      => $wlanId,
+            'x_passphrase' => $newPassphrase,
+        ]]);
+    }
+
     public function deletePpsk(string $ppskId): void
     {
         // Try v2 hotspot endpoint first

src/Services/WebhookCheckService.php

@@ -580,6 +580,15 @@ class WebhookCheckService
     }
 
     private function formatPayloadForPlatform(string $url, string $message, array $fullPayload): array
+    {
+        return self::buildPlatformPayload($url, $message, $fullPayload);
+    }
+
+    /**
+     * Public/static helper so the test-webhook endpoint produces the
+     * same per-platform payload shape that real events do.
+     */
+    public static function buildPlatformPayload(string $url, string $message, array $fullPayload): array
     {
         if (str_contains($url, 'chat.googleapis.com'))                                          return ['text'    => $message];
         if (str_contains($url, 'hooks.slack.com'))                                              return ['text'    => $message];

src/UnifiServiceProvider.php

@@ -44,7 +44,9 @@ class UnifiServiceProvider extends ServiceProvider
                 if (! $item) return;
 
                 if (! UnifiPageGrant::userCanAccess($user, $item)) {
-                    abort(403, 'You do not have access to this page.');
+                    // 404 instead of 403 — don't leak that the page
+                    // exists. The Access tab is the only way in.
+                    abort(404);
                 }
             } catch (\Throwable) {
                 // unifi_page_grants table may not exist yet on a fresh

src/routes/unifi.php

@@ -9,6 +9,7 @@ use Dashboard\Unifi\Http\Controllers\UnifiPagesAccessController;
 use Dashboard\Unifi\Http\Controllers\UnifiSettingsController;
 use Dashboard\Unifi\Http\Controllers\VlanGroupController;
 use Dashboard\Unifi\Http\Controllers\WebhookController;
+use Dashboard\Unifi\Http\Controllers\WifiApiController;
 use Dashboard\Unifi\Http\Controllers\WifiController;
 use Illuminate\Support\Facades\Route;
 
@@ -77,6 +78,7 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
             Route::middleware('super.admin')->group(function () {
                 Route::get('/settings/pages-access',                [UnifiPagesAccessController::class, 'index'])      ->name('settings.pages-access.index');
                 Route::get('/settings/pages-access/users/search',   [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search');
+                Route::get('/settings/pages-access/groups/search',  [UnifiPagesAccessController::class, 'searchGroups'])->name('settings.pages-access.groups.search');
                 Route::put('/settings/pages-access/{navItem}',      [UnifiPagesAccessController::class, 'update'])     ->name('settings.pages-access.update');
             });
 
@@ -89,9 +91,21 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
             Route::put('/settings/webhooks/{webhook}',          [WebhookController::class, 'update']) ->name('webhooks.update');
             Route::delete('/settings/webhooks/{webhook}',       [WebhookController::class, 'destroy'])->name('webhooks.destroy');
             Route::post('/settings/webhooks/{webhook}/test',    [WebhookController::class, 'test'])   ->name('webhooks.test');
+            Route::post('/settings/webhooks/test-url',          [WebhookController::class, 'testUrl'])->name('webhooks.test-url');
+
+            // API-token management
+            Route::post('/settings/api-token/regenerate', [UnifiSettingsController::class, 'regenerateApiToken'])->name('settings.api-token.regenerate');
+            Route::delete('/settings/api-token',          [UnifiSettingsController::class, 'clearApiToken'])    ->name('settings.api-token.clear');
         });
     });
 
+// ── Public API (token-protected) ──────────────────────────────────────────
+// External integrations (signage, kiosks) hit these without session auth.
+Route::prefix('api/unifi')->name('unifi.api.')->group(function () {
+    Route::get('/wifi/current-password', [WifiApiController::class, 'currentPassword'])
+        ->name('wifi.current-password');
+});
+
 // ── Captive portal callback (public — user redirected here by UniFi) ─────
 Route::middleware(['web', 'auth'])
     ->get('/portal/wifi/callback', [PortalController::class, 'captiveCallback'])