feat(rotate): persist current password; add token-protected API

* RotatePasswords now stores the active wordlist entry as
  unifi.password_rotation.last_password whenever a whole-SSID rotation
  succeeds. Per-PPSK rotation continues to store passwords on each
  PPSK row as before.
* Settings → Tasks tab surfaces the current password in bold beneath
  the wordlist textarea so operators can quickly check what's live.
* New JSON endpoint GET /api/unifi/wifi/current-password returns
  {"password": "...", "rotated_at": "..."}. Protected by a token stored
  in unifi.api_token — pass as Authorization: Bearer <token> or
  ?token=<token>. 401 on bad/missing token, 503 if no token is
  configured, 404 if no rotation has happened yet.
* Settings page lets super-admins Generate / Regenerate / Clear the
  token. Generated tokens are 48-char hex from bin2hex(random_bytes(24)).
* The endpoint lives outside the web/auth middleware so external
  signage / kiosks can hit it without a session cookie.

v1.6.2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

composer.json

@@ -1,7 +1,7 @@
 {
     "name": "dashboard/unifi",
     "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
-    "version": "1.5.5",
+    "version": "1.6.2",
     "type": "library",
     "license": "MIT",
     "autoload": {
@@ -27,7 +27,6 @@
                 { "label": "Devices",          "route_name": "unifi.devices",          "icon": "cpu-chip",         "permission": "unifi.stats",    "sort_order": 3 },
                 { "label": "Clients",          "route_name": "unifi.clients",          "icon": "users",            "permission": "unifi.stats",    "sort_order": 4 },
                 { "label": "WiFi Networks",    "route_name": "unifi.wifi",             "icon": "wifi",             "permission": "unifi.manage",   "sort_order": 5 },
-                { "label": "Portal",           "route_name": "unifi.portal.settings",  "icon": "shield-check",     "permission": "unifi.auth",     "sort_order": 6 },
                 { "label": "Settings",         "route_name": "unifi.settings",         "icon": "cog-6-tooth",      "permission": "unifi.settings", "sort_order": 99 }
             ],
             "permissions": [

database/migrations/2026_05_24_000003_add_consecutive_count_to_unifi_device_states.php

@@ -0,0 +1,26 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('unifi_device_states', function (Blueprint $table) {
+            if (! Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
+                $table->unsignedSmallInteger('consecutive_count')->default(0)->after('in_alert');
+            }
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('unifi_device_states', function (Blueprint $table) {
+            if (Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
+                $table->dropColumn('consecutive_count');
+            }
+        });
+    }
+};

src/Console/RotatePasswords.php

@@ -68,6 +68,9 @@ class RotatePasswords extends Command
 
             if ($rotated) {
                 Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
+                // Persist the active password so it can be displayed in
+                // the Settings page and exposed via the API endpoint.
+                Setting::set('unifi.password_rotation.last_password', $password);
                 $this->info('Rotated password for ' . count($rotated) . ' SSID(s).');
             }
 

src/Http/Controllers/UnifiSettingsController.php

@@ -31,10 +31,25 @@ class UnifiSettingsController extends Controller
             'rotationMinute'         => (int) Setting::get('unifi.password_rotation.minute', 0),
             'rotationWordlist'       => Setting::get('unifi.password_rotation.wordlist', ''),
             'rotationLastRotatedAt'   => Setting::get('unifi.password_rotation.last_rotated_at', null),
+            'rotationLastPassword'    => Setting::get('unifi.password_rotation.last_password', null),
             'ppskSchedulingEnabled'   => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
+            'apiToken'                => Setting::get('unifi.api_token', null),
         ]);
     }
 
+    public function regenerateApiToken()
+    {
+        $token = bin2hex(random_bytes(24));
+        Setting::set('unifi.api_token', $token);
+        return response()->json(['token' => $token]);
+    }
+
+    public function clearApiToken()
+    {
+        Setting::set('unifi.api_token', '');
+        return response()->json(['ok' => true]);
+    }
+
     public function update(Request $request)
     {
         $request->validate([

src/Http/Controllers/WebhookController.php

@@ -87,11 +87,17 @@ class WebhookController extends Controller
 
     private function fireTest(string $url, ?string $secret)
     {
-        $payload = [
+        $message = '✅ Test webhook from ' . config('app.name') . ' — endpoint is reachable.';
+        $genericPayload = [
             'event'     => 'test',
             'timestamp' => now()->toIso8601String(),
-            'data'      => ['message' => 'This is a test webhook from ' . config('app.name')],
+            'message'   => $message,
+            'data'      => ['message' => $message],
         ];
+        // Shape the payload to match the target platform (Google Chat,
+        // Slack, Discord, Teams) so the test exercises the same code
+        // path real events use.
+        $payload = \Dashboard\Unifi\Services\WebhookCheckService::buildPlatformPayload($url, $message, $genericPayload);
 
         $headers = ['Content-Type' => 'application/json'];
         if ($secret) {

src/Http/Controllers/WifiApiController.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace Dashboard\Unifi\Http\Controllers;
+
+use App\Models\Setting;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+
+/**
+ * Token-protected JSON endpoints for external integrations (signage,
+ * kiosks, room displays, etc.) that need the current rotating WiFi
+ * password without going through the dashboard UI.
+ */
+class WifiApiController extends Controller
+{
+    public function currentPassword(Request $request)
+    {
+        $expected = Setting::get('unifi.api_token');
+        if (! $expected) {
+            return response()->json(['error' => 'API token not configured'], 503);
+        }
+
+        $provided = $request->bearerToken() ?: $request->query('token');
+        if (! $provided || ! hash_equals($expected, $provided)) {
+            return response()->json(['error' => 'Unauthorized'], 401);
+        }
+
+        $password = Setting::get('unifi.password_rotation.last_password');
+        if (! $password) {
+            return response()->json([
+                'error' => 'No rotated password recorded yet — wait for the next scheduled rotation or run unifi:rotate-passwords --force.',
+            ], 404);
+        }
+
+        return response()->json([
+            'password'   => $password,
+            'rotated_at' => Setting::get('unifi.password_rotation.last_rotated_at'),
+        ]);
+    }
+}

src/Services/WebhookCheckService.php

@@ -580,6 +580,15 @@ class WebhookCheckService
     }
 
     private function formatPayloadForPlatform(string $url, string $message, array $fullPayload): array
+    {
+        return self::buildPlatformPayload($url, $message, $fullPayload);
+    }
+
+    /**
+     * Public/static helper so the test-webhook endpoint produces the
+     * same per-platform payload shape that real events do.
+     */
+    public static function buildPlatformPayload(string $url, string $message, array $fullPayload): array
     {
         if (str_contains($url, 'chat.googleapis.com'))                                          return ['text'    => $message];
         if (str_contains($url, 'hooks.slack.com'))                                              return ['text'    => $message];

src/routes/unifi.php

@@ -9,6 +9,7 @@ use Dashboard\Unifi\Http\Controllers\UnifiPagesAccessController;
 use Dashboard\Unifi\Http\Controllers\UnifiSettingsController;
 use Dashboard\Unifi\Http\Controllers\VlanGroupController;
 use Dashboard\Unifi\Http\Controllers\WebhookController;
+use Dashboard\Unifi\Http\Controllers\WifiApiController;
 use Dashboard\Unifi\Http\Controllers\WifiController;
 use Illuminate\Support\Facades\Route;
 
@@ -90,9 +91,20 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
             Route::delete('/settings/webhooks/{webhook}',       [WebhookController::class, 'destroy'])->name('webhooks.destroy');
             Route::post('/settings/webhooks/{webhook}/test',    [WebhookController::class, 'test'])   ->name('webhooks.test');
             Route::post('/settings/webhooks/test-url',          [WebhookController::class, 'testUrl'])->name('webhooks.test-url');
+
+            // API-token management
+            Route::post('/settings/api-token/regenerate', [UnifiSettingsController::class, 'regenerateApiToken'])->name('settings.api-token.regenerate');
+            Route::delete('/settings/api-token',          [UnifiSettingsController::class, 'clearApiToken'])    ->name('settings.api-token.clear');
         });
     });
 
+// ── Public API (token-protected) ──────────────────────────────────────────
+// External integrations (signage, kiosks) hit these without session auth.
+Route::prefix('api/unifi')->name('unifi.api.')->group(function () {
+    Route::get('/wifi/current-password', [WifiApiController::class, 'currentPassword'])
+        ->name('wifi.current-password');
+});
+
 // ── Captive portal callback (public — user redirected here by UniFi) ─────
 Route::middleware(['web', 'auth'])
     ->get('/portal/wifi/callback', [PortalController::class, 'captiveCallback'])