Web viewer authentication for network exposure #7

Closed
opened 2026-01-21 20:45:26 +00:00 by jack · 3 comments
Owner

Problem

With CLAUDE_MEM_WORKER_HOST=0.0.0.0, the Web Viewer is accessible to everyone on the network without authentication.

Exposed data:

  • Session observations
  • User prompts
  • Project structure
  • Activity timeline

Solution: Token-based Auth

```json
{
  "CLAUDE_MEM_WORKER_HOST": "0.0.0.0",
  "CLAUDE_MEM_AUTH_ENABLED": "true",
  "CLAUDE_MEM_AUTH_TOKEN": "auto"
}
```
  • auto generates a random token on first start
  • Token as query param or Authorization header
  • Cookie-based session after first auth

Implementation

  • Middleware for token validation
  • Settings page for token management
  • CLI command to show/regenerate token

Migrated-From: jack/claude-mem-fork#74

jack 2026-01-22 17:53:47 +00:00
Author
Owner

This feature has been fully implemented in src/services/server/middleware/auth.ts:

  • Token-based authentication via Bearer header
  • Localhost bypass (127.0.0.1, ::1 always allowed)
  • CLAUDE_MEM_REMOTE_TOKEN setting for token configuration
  • Automatic middleware activation when binding to non-localhost
  • Scope-based authorization with requireScope() middleware
  • Rate limiting for remote connections

Configuration:

```json
{
  "CLAUDE_MEM_WORKER_HOST": "0.0.0.0",
  "CLAUDE_MEM_REMOTE_TOKEN": "your-secret-token"
}
```
jack reopened this issue 2026-01-22 18:09:22 +00:00
Author
Owner

Reopening - API token auth is implemented but Web UI needs:

  • Login page for entering token
  • Cookie-based session after successful auth
  • Redirect to login when accessing viewer without session

The current Bearer token approach works for API clients but not for browser access.

Author
Owner

Implementation Complete

The web viewer now has proper user-friendly authentication with a login page:

Features Added:

  1. Login Page (/login)

    • Clean, styled login form with token input
    • Automatic redirect to viewer on success
    • Error messages for invalid tokens
    • Redirects to / when auth is not required (localhost mode)
  2. Cookie-based Sessions

    • 24-hour session duration
    • HttpOnly, secure cookies
    • Automatic session cleanup (hourly)
    • Session invalidation on logout
  3. Auth Routes

    • GET /login - Login page HTML
    • POST /api/auth/login - Authenticate with token
    • POST /api/auth/logout - Clear session
    • GET /api/auth/status - Check auth status
  4. Logout Button in UI

    • Only appears when remote auth is configured
    • Located in the topbar actions area
    • Clears session and redirects to login

How it works:

  • Localhost access: No authentication required, full access granted
  • Remote access (when CLAUDE_MEM_REMOTE_TOKEN is configured):
    • Unauthenticated browser requests to / redirect to /login
    • User enters the configured token
    • On success, a session cookie is set and user is redirected to the viewer
    • API requests can still use Bearer token authentication

Files Changed:

  • src/services/server/middleware/auth.ts - Session management functions
  • src/services/worker/http/middleware.ts - Added cookie-parser
  • src/services/worker/http/routes/AuthRoutes.ts - New auth routes
  • src/services/worker-service.ts - Register auth routes
  • src/ui/viewer/layouts/Topbar/TopbarActions.tsx - Logout button
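The combined flow the two implementation comments describe (localhost bypass, Bearer token for API clients, cookie session after login, redirect of browser requests to `/login`, hourly cleanup), as an added TypeScript sketch that is not the project's `auth.ts`: the `Req` shape, the cookie name `session`, the `::ffff:127.0.0.1` check and the `Accept`-header test for browser requests are assumptions made here.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical request shape; the project's real middleware works on Express-style objects.
export interface Req {
  ip: string; path: string;
  headers: Record<string, string | undefined>;
  cookies?: Record<string, string>;
}
export type Decision =
  | { kind: "allow"; via: "localhost" | "public" | "bearer" | "session" }
  | { kind: "redirect"; to: string }
  | { kind: "deny"; status: 401 };
export const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // 24-hour sessions, as in the comment
const sessions = new Map<string, number>(); // session id -> expiry (epoch ms)

// Constant-time comparison so a wrong token cannot be distinguished by response timing.
function tokenMatches(presented: string | undefined, expected: string): boolean {
  if (!presented) return false;
  const a = Buffer.from(presented), b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}
// POST /api/auth/login: exchange the remote token for an opaque session id (null on failure).
export function login(presented: string, remoteToken: string, now = Date.now()): string | null {
  if (!tokenMatches(presented, remoteToken)) return null;
  const id = randomBytes(32).toString("hex");
  sessions.set(id, now + SESSION_TTL_MS);
  return id;
}
// POST /api/auth/logout: invalidate server-side, not just clear the cookie in the browser.
export function logout(id: string): void { sessions.delete(id); }
// The hourly cleanup job; returns how many expired sessions were dropped.
export function cleanupSessions(now = Date.now()): number {
  let n = 0;
  for (const [id, exp] of sessions) if (exp <= now) { sessions.delete(id); n++; }
  return n;
}
// Middleware decision for one request; remoteToken is the CLAUDE_MEM_REMOTE_TOKEN value.
export function authorize(req: Req, remoteToken: string, now = Date.now()): Decision {
  // Dual-stack sockets may report loopback as ::ffff:127.0.0.1 (assumption, not from the issue).
  if (["127.0.0.1", "::1", "::ffff:127.0.0.1"].includes(req.ip)) return { kind: "allow", via: "localhost" };
  if (req.path === "/login" || req.path.startsWith("/api/auth/")) return { kind: "allow", via: "public" };
  const auth = req.headers["authorization"];
  if (auth?.startsWith("Bearer ") && tokenMatches(auth.slice(7), remoteToken)) return { kind: "allow", via: "bearer" };
  const sid = req.cookies?.["session"];
  const exp = sid ? sessions.get(sid) : undefined;
  if (exp !== undefined && exp > now) return { kind: "allow", via: "session" };
  if (sid && exp !== undefined) sessions.delete(sid); // stale cookie: drop the expired session
  // Browsers asking for HTML are sent to the login page; API clients get a plain 401.
  const wantsHtml = (req.headers["accept"] ?? "").includes("text/html");
  return wantsHtml && !req.path.startsWith("/api/") ? { kind: "redirect", to: "/login" } : { kind: "deny", status: 401 };
}
```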
jack closed this issue 2026-01-22 18:15:45 +00:00