Added back password management APIs using handler-case (not with-error-handling):
1. /api/asteroid/user/change-password
   - Users can change their own password
   - Requires current password verification
   - Uses get-current-user() function
2. /api/asteroid/admin/reset-password
   - Admins can reset any user's password
   - No current password required
   - Returns 404 if user not found
Both APIs use handler-case for error handling to maintain consistency
with other APIs in this file. Build succeeds.
Works with password change UI in admin dashboard (admin.ctml, admin.js).
Reverted to working version before password API additions.
The password APIs and UI are still in place (admin.ctml, admin.js).
Need to re-add the backend APIs more carefully.
Build now succeeds.
Fixed compilation error by using the correct function name.
The codebase uses get-current-user() which is defined in
user-management.lisp, not auth:current-user.
Build now completes successfully.
Changed password change and reset APIs to use with-error-handling
macro instead of handler-case for consistency with refactored codebase.
This ensures proper error handling using our custom condition system.
NEW API ENDPOINTS:
1. /api/asteroid/user/change-password (authenticated users)
   - Users can change their own password
   - Requires current password verification
   - Returns 401 if current password is incorrect
   - Returns 200 on success
2. /api/asteroid/admin/reset-password (admin only)
   - Admins can reset any user's password
   - No current password required
   - Returns 404 if user not found
   - Returns 200 on success
USAGE EXAMPLES:
User changes own password:
  curl -X POST http://localhost:8080/api/asteroid/user/change-password \
    -d 'current-password=asteroid123&new-password=newsecurepass' \
    -b cookies.txt

Admin resets user password:
  curl -X POST http://localhost:8080/api/asteroid/admin/reset-password \
    -d 'username=admin&new-password=newsecurepass' \
    -b cookies.txt
This addresses the security concern about the default admin password.
Admins can now reset it via API without needing REPL access.
Ref: TODO.org Problem 4 - Default admin password
Core Features:
- Login redirects based on user role (admin -> /admin, users -> /profile)
- User registration redirects to /profile page
- Convert user management APIs to use define-api (Radiance standard)
- Add user statistics API endpoint
- Add create user API endpoint
- Add list users API endpoint
Authentication & Authorization:
- Update require-role to return proper JSON for API requests
- Fix password verification with debug logging
- Add reset-user-password function for admin use
API Endpoints (using define-api):
- /api/asteroid/users - Get all users (admin only)
- /api/asteroid/user-stats - Get user statistics (admin only)
- /api/asteroid/users/create - Create new user (admin only)
Bug Fixes:
- Fix JavaScript API path for user-stats endpoint
- Remove dependency on non-existent radiance:api-output
- Use api-output for proper JSON responses
Testing:
- Admin login redirects to /asteroid/admin ✓
- Regular user login redirects to /asteroid/profile ✓
- User creation working (testuser created successfully) ✓
- User statistics loading correctly ✓
Known Issues (non-blocking):
- User table display needs UI fixes
- Profile page needs additional API endpoints
- Session persistence on navigation needs investigation
✅ CLIP Template System:
- Created template-utils.lisp with centralized rendering
- Template caching for performance
- render-template-with-plist for consistent API
- Proper CLIP attribute processors (data-text)
- Documentation in docs/CLIP-REFACTORING.org
✅ Admin Dashboard Complete:
- System Status: All 4 indicators working (Server, DB, Liquidsoap, Icecast)
- Music Library: Scan, upload, duplicate detection working
- Track Management: Pagination (20/page, configurable 10/20/50/100)
- Player Control: HTML5 audio player with play/pause/stop
- User Management: Moved to separate /admin/users page
✅ User Management:
- New /admin/users route with dedicated page
- Inline user creation form
- User stats dashboard
- Role management (listener/DJ/admin)
- Activate/deactivate users
- API endpoint /api/users/create
- Tested with curl - all working
✅ Live Stream & Now Playing:
- Fixed: Green 🟢 LIVE STREAM indicator (was red)
- Fixed: Stream quality display matches selected stream (AAC/MP3)
- Now Playing updates every 10s from Icecast
- No HTML rendering bugs - working correctly
✅ Track Library:
- Fixed recursive directory scanning bug
- 64 tracks scanned and in database
- Pagination working perfectly
✅ Front Page & Web Player:
- Station Status shows correct stream quality
- Quality selector updates all displays
- Live stream indicators green
- Now Playing working on all pages
All Templates section items complete [4/4] ✅
- Fixed find-user-by-id to handle BIT type database IDs
- Updated user-has-role-p to extract role from list format
- Enhanced API endpoint to return properly formatted JSON data
- Added comprehensive debugging for authentication flow
- Created login.chtml template with CLIP data binding
- Resolved 'Error loading users' issue in admin panel
- Fix database query syntax for RADIANCE hash table returns
- Handle RADIANCE field storage format (lists instead of strings)
- Configure r-simple-sessions module for session management
- Update login page styling to match main site theme
- Implement working authentication with admin/asteroid123
- Add proper error handling and debug logging
- Ensure session persistence and redirects work correctly