fix: register unifi pages with shell NavVisibilityRegistry; v1.12.1

The Access tab persists user/group grants in unifi_page_grants and the existing RouteMatched listener honors them on the request path, but NavItem::visibleTo() only consulted the page's required_permission — so a granted user never saw the menu entry to reach the page. Register the unifi.* prefix with the shell's NavVisibilityRegistry so the sidebar lists exactly the pages the grant table allows. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
release: 1.12.0 — rolls up 1.11.1 (reboot suppression hardening)
2026-06-05 12:12:58 -04:00 · 2026-05-24 22:09:08 -04:00 · 2026-05-24 22:07:58 -04:00 · 2026-05-24 21:01:22 -04:00 · 2026-05-24 20:58:10 -04:00 · 2026-05-24 20:49:26 -04:00
6 changed files with 369 additions and 28 deletions
--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
 {
    "name": "dashboard/unifi",
    "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
-    "version": "1.7.1",
+    "version": "1.12.1",
    "type": "library",
    "license": "MIT",
    "autoload": {
--- a/src/Console/RotatePasswords.php
+++ b/src/Console/RotatePasswords.php
@@ -80,16 +80,73 @@ class RotatePasswords extends Command
                $newPass = $passwords[array_rand($passwords)];
                try {
                    if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
-                        // Embedded PPSK: update inside the parent WLAN object.
+                        // Embedded PPSK: update inside the parent WLAN object,
-                        // Synthetic ID is derived from the new passphrase, so update it too.
+                        // matched by name (synthetic id changes with the
-                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass);
+                        // passphrase, so it's not a stable matcher).
                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass, $ppsk->name);
                        $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
                        $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
                        // Update every grouped sibling (user-defined SSID
                        // groups take precedence; same-name fallback for
                        // installs that haven't grouped manually).
                        foreach ($unifi->getGroupedWlans($ppsk->wlan_id) as $siblingWlanId) {
                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
                                ->where('name', $ppsk->name)
                                ->where('state', 'active')
                                ->first();
                            try {
                                $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $ppsk->name);
                                if ($sibling) {
                                    $sibling->update([
                                        'x_passphrase' => $newPass,
                                        'unifi_id'     => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
                                    ]);
                                }
                            } catch (\Throwable $e) {
                                if (str_contains($e->getMessage(), 'not found')) {
                                    \Illuminate\Support\Facades\Log::info('unifi.ppsk_sibling_skipped', [
                                        'sibling_wlan' => $siblingWlanId,
                                        'ppsk_name'    => $ppsk->name,
                                    ]);
                                    continue;
                                }
                                $this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}");
                                $failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()];
                            }
                        }
                        // Verify that the new passphrase actually applied
                        // on every grouped WLAN. UniFi can 200 an update
                        // that doesn't stick (cluster sync race, etc).
                        // Anything we expected to rotate that didn't is a
                        // failure — surface it in the cron log.
                        $allWlanIds = array_merge([$ppsk->wlan_id], $unifi->getGroupedWlans($ppsk->wlan_id));
                        foreach ($allWlanIds as $checkWlanId) {
                            $result = $unifi->verifyEmbeddedPpsk($checkWlanId, $ppsk->name, $newPass);
                            if ($result['ok']) continue;
                            // 'not_found' on a sibling = PPSK isn't on that band — ignore
                            // (consistent with the skip in the update loop).
                            if ($result['reason'] === 'not_found' && $checkWlanId !== $ppsk->wlan_id) continue;
                            $failedPpsks[] = [
                                'name'   => $ppsk->name . ' (verify wlan ' . $checkWlanId . ')',
                                'error'  => 'verification ' . $result['reason'] . ($result['error'] ?? null ? ': ' . $result['error'] : ''),
                            ];
                        }
                    } else {
                        $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
                        $ppsk->update(['x_passphrase' => $newPass]);
                    }
                    $rotatedPpsks[] = $ppsk->name;
                    // Save the active password every time a rotation
                    // succeeds — covers PPSK-only rotation setups where
                    // there's no whole-SSID rotation. Last successful
                    // password wins if multiple PPSKs rotate in one run.
                    Setting::set('unifi.password_rotation.last_password', $newPass);
                    Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
                } catch (\Throwable $e) {
                    $this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
                    $failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];
--- a/src/Http/Controllers/WifiController.php
+++ b/src/Http/Controllers/WifiController.php
@@ -149,8 +149,18 @@ class WifiController extends Controller
                    $name = $networksById[$nconfId]['name'] ?? null;
                }
-                // Match by unifi_id, or by passphrase for a held embedded record re-appearing
+                // Match in priority order:
                //   1. by current unifi_id (already-synced row)
                //   2. by name within this wlan (catches rotation: passphrase
                //      changed → synthetic id changed → row identity unchanged)
                //   3. by passphrase among held rows (legacy fallback for
                //      cases where name wasn't ingested)
                $record = UnifiPpsk::where('unifi_id', $uid)->first()
                       ?? ($name
                            ? UnifiPpsk::where('wlan_id', $wlanId)->where('name', $name)
                                ->orderByRaw("FIELD(state, 'active', 'held')")
                                ->first()
                            : null)
                       ?? UnifiPpsk::where('wlan_id', $wlanId)
                            ->where('x_passphrase', $pass)
                            ->where('state', 'held')
@@ -174,8 +184,8 @@ class WifiController extends Controller
                }
            }
-            // Only mark as held when we have confirmed live IDs —
+            // Mark non-matching active rows as held — but ONLY if there's no
-            // never wipe on an empty API response (prevents false-holds on API failures)
+            // other active row with the same name we just reconnected.
            if (! empty($liveIds)) {
                UnifiPpsk::where('wlan_id', $wlanId)
                    ->where('state', 'active')
@@ -184,6 +194,47 @@ class WifiController extends Controller
                    ->update(['state' => 'held', 'unifi_id' => null]);
            }
            // For each active row, salvage any rotate_password / schedule
            // settings from the held tombstones with the same name BEFORE
            // we prune them. Otherwise a row that had rotate=on loses the
            // flag every time a rotation changes its synthetic id.
            $activeRows = UnifiPpsk::where('wlan_id', $wlanId)
                ->where('state', 'active')
                ->whereNotNull('name')
                ->get();
            foreach ($activeRows as $active) {
                $heldWithSettings = UnifiPpsk::where('wlan_id', $wlanId)
                    ->where('state', 'held')
                    ->where('name', $active->name)
                    ->where(fn ($q) => $q
                        ->where('rotate_password', true)
                        ->orWhereNotNull('schedule'))
                    ->orderByDesc('updated_at')
                    ->first();
                if (! $heldWithSettings) continue;
                $patch = [];
                if ($heldWithSettings->rotate_password && ! $active->rotate_password) {
                    $patch['rotate_password'] = true;
                }
                if ($heldWithSettings->schedule && ! $active->schedule) {
                    $patch['schedule'] = $heldWithSettings->schedule;
                }
                if ($patch) $active->update($patch);
            }
            // Prune obsolete held rows: any held row whose name matches an
            // active row in the same wlan is a stale tombstone — its
            // settings have been salvaged above, and its data has been
            // superseded by the active one.
            $activeNames = $activeRows->pluck('name')->filter()->unique();
            if ($activeNames->isNotEmpty()) {
                UnifiPpsk::where('wlan_id', $wlanId)
                    ->where('state', 'held')
                    ->whereIn('name', $activeNames)
                    ->delete();
            }
            $dbRecords = UnifiPpsk::where('wlan_id', $wlanId)
                ->orderByRaw("FIELD(state, 'active', 'held')")
                ->orderBy('name')
@@ -293,9 +344,37 @@ class WifiController extends Controller
                if (! empty($unifiUpdate)) {
                    if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
                        // Embedded PPSK update path — modify the WLAN's embedded array.
-                        $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $unifiUpdate['x_passphrase']);
+                        // Match by name (reliable across drift).
-                        // Synthetic id is derived from the new passphrase.
+                        $newPass = $unifiUpdate['x_passphrase'];
-                        $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $unifiUpdate['x_passphrase']), 0, 32);
+                        $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $newPass, $record->name);
                        $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32);
                        // Also update grouped WLAN siblings (user-defined
                        // SSID groups, falling back to same-name).
                        foreach ($unifi->getGroupedWlans($record->wlan_id) as $siblingWlanId) {
                            $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
                                ->where('name', $record->name)
                                ->where('state', 'active')
                                ->first();
                            try {
                                $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $record->name);
                                if ($sibling) {
                                    $sibling->update([
                                        'x_passphrase' => $newPass,
                                        'unifi_id'     => 'emb_' . substr(hash('sha256', $siblingWlanId . ':' . $newPass), 0, 32),
                                    ]);
                                }
                            } catch (\Throwable $e) {
                                // PPSK absent on this band is fine — just
                                // means it isn't mirrored. Anything else
                                // gets warning-logged.
                                $level = str_contains($e->getMessage(), 'not found') ? 'info' : 'warning';
                                \Illuminate\Support\Facades\Log::log($level, 'unifi.ppsk_sibling_update', [
                                    'sibling_wlan' => $siblingWlanId,
                                    'error'        => $e->getMessage(),
                                ]);
                            }
                        }
                    } else {
                        $unifi->updatePpsk($record->unifi_id, $unifiUpdate);
                    }
--- a/src/Services/UnifiApiClient.php
+++ b/src/Services/UnifiApiClient.php
@@ -312,6 +312,122 @@ class UnifiApiClient
        return $this->put("/rest/wlanconf/{$wlanId}", $data);
    }
    /**
     * Find every other WLAN that should rotate/update together with this
     * one. Authoritative source: the user-defined "SSID groups" setting
     * (unifi.ssid_groups) from the WiFi Networks page, which lets the
     * operator manually couple WLANs that may have different SSID names.
     *
     * Falls back to same-SSID-name siblings for installs that haven't
     * configured groups yet.
     *
     * Returns an array of sibling wlan IDs (excludes $wlanId itself).
     */
    public function getGroupedWlans(string $wlanId): array
    {
        $groupsJson = Setting::get('unifi.ssid_groups', '{}');
        $groups     = json_decode($groupsJson, true);
        if (is_array($groups)) {
            foreach ($groups as $wlanIds) {
                if (! is_array($wlanIds)) continue;
                if (in_array($wlanId, $wlanIds, true)) {
                    return array_values(array_filter($wlanIds, fn ($id) => $id !== $wlanId));
                }
            }
        }
        return $this->getWlanSiblings($wlanId);
    }
    /**
     * Verify an embedded PPSK has the expected passphrase right now.
     * Used after an update to confirm the change actually applied —
     * UniFi sometimes 200s an update that didn't stick (cluster sync
     * race, hot-restart in progress, etc.).
     *
     * Returns ['ok' => true] on a clean match, or
     * ['ok' => false, 'reason' => 'fetch_failed'|'not_found'|'mismatch']
     * with optional 'error' on fetch failures.
     */
    public function verifyEmbeddedPpsk(string $wlanId, string $name, string $expectedPassphrase): array
    {
        try {
            $entries = $this->getPpskEntries($wlanId);
        } catch (\Throwable $e) {
            return ['ok' => false, 'reason' => 'fetch_failed', 'error' => $e->getMessage()];
        }
        $networkconfId = $this->findNetworkconfIdByName($name);
        foreach ($entries as $e) {
            $entryName     = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
            $entryNetId    = $e['networkconf_id'] ?? null;
            $entryMatches  = ($networkconfId !== null && $entryNetId === $networkconfId)
                          || ($entryName !== null && $entryName === $name);
            if (! $entryMatches) continue;
            $entryPass = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
            return $entryPass === $expectedPassphrase
                ? ['ok' => true]
                : ['ok' => false, 'reason' => 'mismatch'];
        }
        return ['ok' => false, 'reason' => 'not_found'];
    }
    /**
     * Look up a networkconf (VLAN/network) by its display name. Embedded
     * PPSKs on this controller use networkconf_id as their stable
     * identifier — the human "name" the operator sees is actually the
     * network's name.
     */
    private function findNetworkconfIdByName(string $name): ?string
    {
        try {
            $networks = $this->getNetworkConfs();
        } catch (\Throwable) {
            return null;
        }
        foreach ($networks as $n) {
            if (($n['name'] ?? null) === $name) {
                return $n['_id'] ?? null;
            }
        }
        return null;
    }
    /**
     * Find sibling WLAN configs — same SSID name, different _id. UniFi
     * splits a "banded" SSID (band-steering disabled) into one wlanconf
     * per band, each with its own _id and its own embedded PPSK array.
     * A rotation that updates one band must also update the others, or
     * the SSID's two halves drift out of sync.
     *
     * Returns an array of sibling wlan IDs (excludes $wlanId itself).
     * Empty array if the target WLAN is unique or can't be found.
     */
    public function getWlanSiblings(string $wlanId): array
    {
        try {
            $all = $this->get('/rest/wlanconf');
        } catch (\Throwable) {
            return [];
        }
        $target = null;
        foreach ($all as $w) {
            if (($w['_id'] ?? null) === $wlanId) { $target = $w; break; }
        }
        if (! $target || empty($target['name'])) return [];
        $siblings = [];
        foreach ($all as $w) {
            if (($w['_id'] ?? null) === $wlanId) continue;
            if (($w['name'] ?? null) === $target['name']) {
                $siblings[] = $w['_id'];
            }
        }
        return $siblings;
    }
    // ── PPSK ─────────────────────────────────────────────────────────────────
    /**
@@ -504,7 +620,7 @@ class UnifiApiClient
     * no controller-side ID. Only changes the entry's passphrase; name
     * isn't separately addressable on embedded PPSKs.
     */
-    public function updateEmbeddedPpsk(string $wlanId, string $oldPassphrase, string $newPassphrase): array
+    public function updateEmbeddedPpsk(string $wlanId, ?string $oldPassphrase, string $newPassphrase, ?string $name = null): array
    {
        $wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
        $wlan     = $wlanResp[0] ?? $wlanResp;
@@ -514,26 +630,66 @@ class UnifiApiClient
            throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
        }
-        $matched = false;
+        // Embedded PPSKs on this controller don't carry a name field —
-        foreach ($entries as &$e) {
+        // the human label ("GUEST", "3DPrinters", …) is the *network's*
-            $current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
+        // name, and each entry references it via networkconf_id. So when
-            if ($current === $oldPassphrase) {
+        // the caller passes a name, first resolve it to a networkconf_id
-                // Preserve whichever field name the controller is using.
+        // and match on that. Falls back to entry-level name (other
        // controller versions DO put a name on the entry) and finally
        // to current passphrase.
        $applyUpdate = function (array &$e) use ($newPassphrase) {
            if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase;
            if (array_key_exists('password',     $e)) $e['password']     = $newPassphrase;
            if (array_key_exists('passphrase',   $e)) $e['passphrase']   = $newPassphrase;
                // If none of the above existed, default to password (most common on embedded).
            if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
                $e['password'] = $newPassphrase;
            }
        };
        $networkconfId = ($name !== null && $name !== '') ? $this->findNetworkconfIdByName($name) : null;
        $matched = false;
        if ($networkconfId !== null) {
            foreach ($entries as &$e) {
                if (($e['networkconf_id'] ?? null) === $networkconfId) {
                    $applyUpdate($e);
                    $matched = true;
                    break;
                }
            }
            unset($e);
        }
        if (! $matched && $name !== null && $name !== '') {
            foreach ($entries as &$e) {
                $entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
                if ($entryName === $name) {
                    $applyUpdate($e);
                    $matched = true;
                    break;
                }
            }
            unset($e);
        }
        if (! $matched && $oldPassphrase !== null && $oldPassphrase !== '') {
            foreach ($entries as &$e) {
                $current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
                if ($current === $oldPassphrase) {
                    $applyUpdate($e);
                    $matched = true;
                    break;
                }
            }
            unset($e);
        }
        if (! $matched) {
-            throw new \RuntimeException('Embedded PPSK not found by current passphrase.');
+            throw new \RuntimeException(
                'Embedded PPSK not found' .
                ($name !== null ? " for network \"{$name}\"" : '') .
                ' or by current passphrase.'
            );
        }
        // UniFi REST expects the full WLAN object on PUT — send what we
--- a/src/Services/WebhookCheckService.php
+++ b/src/Services/WebhookCheckService.php
@@ -181,7 +181,11 @@ class WebhookCheckService
            $prev     = DeviceState::where('device_mac', $mac)->first();
            if (! $prev) continue;
-            // Skip planned reboots — these are intentional, not alerts
+            // Skip planned reboots — these are intentional, not alerts.
            // Two layers: a global suppression window set by RebootAllAps
            // (Setting, survives any cache driver), plus the per-MAC
            // cache keys for finer granularity.
            if ($this->inGlobalRebootSuppression()) continue;
            if (Cache::has('unifi:planned_reboot:' . strtolower($mac))) continue;
            if ($comingOnline) {
@@ -509,6 +513,8 @@ class WebhookCheckService
    private function checkReboot($aps, array $filter): array
    {
        $alerts = [];
        if ($this->inGlobalRebootSuppression()) return $alerts;
        foreach ($aps as $ap) {
            if (! empty($filter) && ! in_array($ap['mac'], $filter)) continue;
            if (Cache::has('unifi:planned_reboot:' . strtolower($ap['mac']))) continue;
@@ -584,6 +590,24 @@ class WebhookCheckService
        return self::buildPlatformPayload($url, $message, $fullPayload);
    }
    /**
     * Is a fleet reboot in progress right now? RebootAllAps stamps a
     * suppression-until timestamp as a Setting; while that timestamp
     * is in the future, we skip all device-offline / device-online /
     * unexpected-reboot alerts to avoid flooding webhooks during the
     * known maintenance window.
     */
    private function inGlobalRebootSuppression(): bool
    {
        $until = \App\Models\Setting::get('unifi.reboot_suppression_until');
        if (! $until) return false;
        try {
            return \Carbon\Carbon::parse($until)->isFuture();
        } catch (\Throwable) {
            return false;
        }
    }
    /**
     * Public/static helper so the test-webhook endpoint produces the
     * same per-platform payload shape that real events do.
--- a/src/UnifiServiceProvider.php
+++ b/src/UnifiServiceProvider.php
@@ -25,6 +25,31 @@ class UnifiServiceProvider extends ServiceProvider
        $this->loadRoutesFrom(__DIR__ . '/routes/unifi.php');
        $this->loadMigrationsFrom(__DIR__ . '/../database/migrations');
        // Tell the shell's NavVisibilityRegistry which unifi nav items
        // the user can see in the sidebar. Without this the sidebar
        // would only follow legacy required_permission, hiding pages
        // the user has been explicitly granted via the Access tab.
        try {
            app(\App\Support\NavVisibilityRegistry::class)->register(
                'unifi.',
                function (\App\Models\User $user) {
                    if (! \Illuminate\Support\Facades\Schema::hasTable('unifi_page_grants')) {
                        return collect();
                    }
                    $groupIds = $user->groups()->pluck('groups.id');
                    return UnifiPageGrant::query()
                        ->where(function ($q) use ($user, $groupIds) {
                            $q->where(fn ($u) => $u->where('grantee_type', 'user')->where('grantee_id', $user->id))
                              ->orWhere(fn ($g) => $g->where('grantee_type', 'group')->whereIn('grantee_id', $groupIds));
                        })
                        ->pluck('nav_item_id');
                }
            );
        } catch (\Throwable) {
            // Shell may not have the registry yet (older shell version).
            // Sidebar will fall back to legacy permission filter.
        }
        // Per-page access enforcement for unifi routes. If a unifi page has
        // any UnifiPageGrant rows, only super-admins and granted users/
        // groups can hit it; otherwise (no grants) it's open per the existing
Author	SHA1	Message	Date
jwed	429cd44ac5	fix: register unifi pages with shell NavVisibilityRegistry; v1.12.1 The Access tab persists user/group grants in unifi_page_grants and the existing RouteMatched listener honors them on the request path, but NavItem::visibleTo() only consulted the page's required_permission — so a granted user never saw the menu entry to reach the page. Register the unifi.* prefix with the shell's NavVisibilityRegistry so the sidebar lists exactly the pages the grant table allows. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-05 12:12:58 -04:00
jwed	274f210337	release: 1.12.0 — rolls up 1.11.1 (reboot suppression hardening) Bundled stable cut for prod. Contents since 1.11.0: * fix(reboot): suppress webhook alerts during a fleet reboot regardless of cache driver. RebootAllAps now stamps a Setting (unifi.reboot_suppression_until) for 20 minutes at the start of a fleet reboot, and WebhookCheckService consults that Setting in checkDeviceTransition + checkReboot in addition to the existing per-MAC cache keys. Database-backed Setting always crosses container/process/cache-driver boundaries so the suppression can no longer be defeated by config differences. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 22:09:08 -04:00
jwed	c0f12ce931	fix(reboot): suppress webhook alerts during a fleet reboot, regardless of cache driver Existing Cache::has('unifi:planned_reboot:{mac}') per-MAC suppression relies on the cache driver being shared across the scheduler and the snapshot-capture containers. In environments where the cache is backed by something process-local (or where the keys expire before a slow reboot completes), webhook alerts fire even though the dashboard itself initiated the reboots. RebootAllAps now also stamps a single Setting (unifi.reboot_suppression_until) at the start of a fleet reboot, covering a 20-minute window. WebhookCheckService checks this Setting in addition to the per-MAC cache key, in checkDeviceTransition and checkReboot. Setting is database-backed so it's always visible across containers regardless of cache configuration. v1.11.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 22:07:58 -04:00
jwed	dd4e0ca564	release: 1.11.0 — rolls up the 1.10.1/1.10.2/1.10.3/1.10.4 patches Bundled stable cut for prod. Contents since 1.10.0: * fix(banded ssid): treat "PPSK not on this band" as a quiet info-level skip rather than a failure (1.10.1). * fix(ppsk sync): the WiFi modal's ingest sync now matches by NAME within a wlan before falling back to held-by-passphrase, and salvages rotate_password / schedule from held tombstones into the active row before pruning them. Prevents the modal from accumulating phantom "held" duplicates after every rotation and keeps the rotate flag on the row that's actually live (1.10.2). * feat(grouped wifi): PPSK updates (both rotation and the manual modal edit) now follow user-defined SSID groups from the WiFi Networks page first, falling back to same-SSID-name detection. Lets the operator pair WLANs whose SSIDs have different names (e.g. "VCS Guest" and "VCS Guest 5G") (1.10.3). * fix(name resolution): on this controller, embedded PPSKs don't carry a name field — the human "GUEST" label is the network's name and entries reference it via networkconf_id. updateEmbeddedPpsk and verifyEmbeddedPpsk now resolve name → networkconf_id and match on that, with entry-name and current-passphrase as fallbacks for other controller variants (1.10.4). * feat(verify): after every rotation, each affected WLAN is re-fetched and the new passphrase is checked at the named network. Anything that didn't actually propagate (mismatch, fetch failure) shows up as a failed PPSK in the cron run details (1.10.4). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 21:01:22 -04:00
jwed	f533208b37	feat(grouped wifi): route updates through user-defined SSID groups + verify User-defined SSID groups (configured on the WiFi Networks page and stored in unifi.ssid_groups) now drive PPSK sibling propagation. The previous same-SSID-name detection missed cases where two grouped WLANs have different names — e.g. "VCS Guest" on 2.4 and "VCS Guest 5G" on 5GHz manually grouped by the operator. Falls back to same-name siblings when no group is configured. Match-by-name fix: embedded PPSKs on this controller don't carry a name field — the human "GUEST" label is the network's name, with the entry referenced via networkconf_id. updateEmbeddedPpsk and verifyEmbeddedPpsk now resolve name → networkconf_id first and match on that, with entry-name and current-passphrase as fallbacks for other controller variants. After every rotation we re-fetch each affected WLAN and verify the new passphrase is actually present on the named network. Failures ("mismatch" or "fetch_failed" on the primary, anything other than "not_found" on a sibling) surface in the cron run details as failed PPSKs so the operator sees what didn't propagate. v1.10.4. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:58:10 -04:00
jwed	bb74edf4c1	fix(ppsk sync): match by name + salvage settings, prune dup tombstones Every rotation changes an embedded PPSK's synthetic id (it's derived from sha256(wlan_id : passphrase)). The ingest sync matched only by unifi_id, so after rotation the row's id was "new" — the sync created a fresh active row and marked the previous one held. Over multiple rotations this accumulated: each rotation left a held tombstone, and the rotate_password / schedule flags were stuck on the original tombstone instead of transferring to the new active row. Dev's GUEST PPSK had 3 rows after a few rotations: two held (with rotate_password=true on the first), one active with rotate=false. Future rotations would silently skip that PPSK because the active row no longer had the rotate flag set. Fix in three layers, all in WifiController::ppskIndex: 1. Match priority extended: unifi_id → name within wlan → held by passphrase. The name match means a passphrase change just updates the existing row in place. No more new-row creation per rotation. 2. Salvage step before pruning: for each active row, scan held tombstones with the same name and copy over rotate_password and schedule. Operator's rotation opt-in survives history. 3. Prune step: held rows with the same name as an active row in the same wlan are now hard-deleted (their settings were just salvaged, their data is stale). Keeps the WiFi modal clean instead of accumulating phantoms. v1.10.2. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:49:26 -04:00
jwed	e5cc075938	fix(banded ssid): treat "PPSK not on this band" as a quiet skip The sibling-rotation path's "Embedded PPSK not found" error was being surfaced to the operator as a failure, but it's not — it just means the PPSK isn't mirrored on that band (GUEST was configured on one band only, which is a perfectly valid setup). Logging this as a sibling failure also poisoned the cron run status to "partial". Now: "not found"-style errors from updateEmbeddedPpsk on a sibling become info-level log entries and the loop continues. Other errors (API failures, permissions, etc.) still surface as warnings/failures. v1.10.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:43:10 -04:00
jwed	4ec4a293c0	release: 1.10.0 — rolls up 1.9.1 (banded-SSID PPSK match by name) Bundled stable cut for prod. Contents since 1.9.0: * fix(banded ssid): updateEmbeddedPpsk now matches embedded PPSK entries by name first (e.g. "GUEST") and falls back to current passphrase. Name-matching survives any passphrase drift caused by pre-1.8.1 out-of-band manual edits — the sibling-rotation failure reported on prod after upgrading to 1.9.0 no longer happens. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:40:13 -04:00
jwed	720e94c54a	fix(banded ssid): match embedded PPSK by name first, passphrase fallback The sibling-update path on prod failed with "Embedded PPSK not found by current passphrase" because the DB-stored x_passphrase on the unedited band was stale — earlier manual edits (pre-1.8.1) only touched one band, leaving the other band's row out of sync. When rotation then tried to use that stale passphrase to find the entry, no match. updateEmbeddedPpsk now takes an optional $name parameter and tries it first. PPSK names within a WLAN are unique, so name-matching survives any passphrase drift caused by historical out-of-band edits. Passphrase matching stays as a fallback for callers that don't have a name (none currently — both rotation and the manual modal pass it). v1.9.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:38:10 -04:00
jwed	2be17c70db	release: 1.9.0 — rolls up the 1.8.1 patch series Bundled stable cut for prod. Contents since 1.8.0: * fix(rotate): unifi.password_rotation.last_password is now saved on successful PPSK rotation as well as whole-SSID rotation. PPSK-only setups (typical guest-WiFi configurations) will populate the Settings → Tasks "current password" display and the /api/unifi/wifi/current-password endpoint after the next rotation. * fix(banded-ssid): when an SSID is split across 2.4 and 5GHz bands (band-steering disabled — two wlanconf rows with the same name), rotating or manually editing a PPSK on one band now also updates the same-name PPSK on every sibling band. Previously the two halves drifted out of sync. Both the rotation scheduler and the WiFi modal use the new UnifiApiClient::getWlanSiblings helper. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:33:48 -04:00
jwed	31686a35d5	fix(rotate): record PPSK rotation password + sync banded-SSID siblings Three bugs reported from prod after a PPSK rotation: 1. unifi.password_rotation.last_password was only saved after a whole-SSID rotation. PPSK-only setups (the typical guest-WiFi case) ran a successful rotation but the setting stayed empty, so the Settings → Tasks UI never showed the current password and the /api/unifi/wifi/current-password endpoint returned 404 "no rotated password recorded yet". The PPSK loop now writes last_password on every successful PPSK rotation. 2. When an SSID is "banded" (band-steering disabled), UniFi splits it into one wlanconf per band — 2.4GHz and 5GHz each get their own _id and their own embedded PPSK array. Rotating the PPSK on one band left the other band with the old password. New UnifiApiClient::getWlanSiblings($wlanId) finds all wlanconfs that share an SSID name; both rotation and the manual modal edit now call updateEmbeddedPpsk on each sibling and update the matching UnifiPpsk DB rows. 3. The manual WiFi modal edit had the same band-blindness as #2 — editing the GUEST PPSK on the 2.4GHz half left the 5GHz half stale. WifiController::ppskUpdate now walks siblings the same way. v1.8.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:32:15 -04:00
jwed	8769308dfd	release: 1.8.0 — rolls up the 1.7.1 patch series Bundled stable cut for prod. Contents since 1.7.0: * feat(access): strict allowlist enforcement. A unifi page with NO grants is now visible only to super-admins — previously it fell back to "open for anyone with the route permission". Matches the new dashboard-wide access model. * feat(access): the Access tab now adds groups by typeahead search, mirroring the user-search flow. Only granted groups + super-admin groups appear in the matrix; other groups are added on demand. * fix(access): ungranted users hitting a unifi URL get 404 instead of 403 so the page doesn't leak its existence. Breaking note: super-admins continue to see everything. Non-super users that previously accessed a unifi page via permission alone now need an explicit grant in the Access tab. Configure grants before relying on existing permission-based access. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 20:17:21 -04:00