Authentication
Configure authentication and session management
ATStatus uses a custom session-based authentication system with database-stored sessions and HMAC-signed cookies. This provides secure, stateful authentication with full control over session management.
Configuration
# Required
SESSION_SECRET="your-super-secret-key-minimum-32-characters"
ADMIN_PASSWORD="your-secure-admin-password"
CRON_SECRET="your-cron-secret-for-api-auth"
# Optional: Force cookies to be insecure (for HTTP LAN access)
# FORCE_SECURE_COOKIES="false"
Secret Key: Generate a secure secret with:
openssl rand -base64 32
Session Management
Session Settings
| Setting | Default | Description |
|---|---|---|
| Strategy | Database | Sessions stored in database |
| Max Age | 24 hours | Session expiration time |
| Signature | HMAC-SHA256 | Cookie signature algorithm |
Session Features
- Sessions stored server-side in database (not JWT)
- HMAC signature verification on each request
- Device tracking (IP address, User-Agent)
- Session versioning for forced logout
- Automatic cleanup of expired sessions
Two-Factor Authentication (2FA)
Optional TOTP-based two-factor authentication:
- Time-based One-Time Passwords (TOTP)
- Compatible with Google Authenticator, Authy, etc.
- Backup codes for recovery
- Per-user 2FA enforcement
Users can enable 2FA in Admin → Account → Security.
Password Requirements
- Minimum 8 characters
- Stored with bcrypt hashing (cost factor 12)
User Roles
Four built-in roles with different access levels:
| Role | Description | Permissions |
|---|---|---|
| admin | Full system access | All permissions |
| editor | Manage incidents and components | Create, update, delete content |
| viewer | Read-only access to admin panel | View only |
| user | Public user (subscribers) | View status page, subscribe |
