Problem
When the live login form reaches the Login credentials are not configured. path, the page fails closed correctly, but the user-facing recovery state is thin. The profile picker markup is still present in the page, yet visually hidden until unlock, and the error does not point a self-hosted admin toward the setup/recovery path.
This is good self-hosting polish: the security behavior should stay strict, but the UI should explain what happened and what a maintainer can safely do next.
Suggested Scope
- Update
templates/login.html and/or the login view context so the missing-credentials state has a clear, actionable message.
- Consider hiding or disabling profile-pick forms when credentials are unavailable, so the page does not imply that choosing a profile can work.
- Point users toward the appropriate first-run setup or maintainer recovery documentation without exposing secrets or local paths.
- Keep the existing fail-closed behavior in
api/routers/ui/login.py intact.
Files or Areas
api/routers/ui/login.py
templates/login.html
static/css/login.css
tests/test_login.py
- Optional docs:
README.md, docs/power-outage-recovery.md, or a small self-hosting note if needed
Acceptance Criteria
- The login page clearly distinguishes invalid credentials from missing/unconfigured credentials.
- The missing-credentials state does not present profile buttons as if they are usable.
- No
.env values, credential hints, database contents, local paths, or logs are rendered.
- Existing tests for
test_login_fails_closed_when_credentials_missing still pass.
- Add or update a focused test that asserts the missing-credentials page includes the recovery copy and does not expose an actionable profile picker.
Verification
pytest tests/test_login.py
- Optional visual check: open
/login, force the missing credential configuration in a test/dev environment, and confirm the recovery state is understandable.
Contributor Notes
First-time contributors are welcome to fork the repository and open a pull request that links this issue. Please keep the change focused on the missing-credentials user experience; avoid changing authentication policy, secret handling, or deployment scripts unless a maintainer asks for that in review.
Problem
When the live login form reaches the
Login credentials are not configured.path, the page fails closed correctly, but the user-facing recovery state is thin. The profile picker markup is still present in the page, yet visually hidden until unlock, and the error does not point a self-hosted admin toward the setup/recovery path.This is good self-hosting polish: the security behavior should stay strict, but the UI should explain what happened and what a maintainer can safely do next.
Suggested Scope
templates/login.htmland/or the login view context so the missing-credentials state has a clear, actionable message.api/routers/ui/login.pyintact.Files or Areas
api/routers/ui/login.pytemplates/login.htmlstatic/css/login.csstests/test_login.pyREADME.md,docs/power-outage-recovery.md, or a small self-hosting note if neededAcceptance Criteria
.envvalues, credential hints, database contents, local paths, or logs are rendered.test_login_fails_closed_when_credentials_missingstill pass.Verification
pytest tests/test_login.py/login, force the missing credential configuration in a test/dev environment, and confirm the recovery state is understandable.Contributor Notes
First-time contributors are welcome to fork the repository and open a pull request that links this issue. Please keep the change focused on the missing-credentials user experience; avoid changing authentication policy, secret handling, or deployment scripts unless a maintainer asks for that in review.