Authentication
Secure admin panel access and login methods
ATStatus uses secure authentication to protect admin access. The system supports password-based authentication with optional two-factor authentication (2FA) for enhanced security.
Authentication Methods
Password Authentication
Primary authentication method using username and password credentials.
- Passwords are hashed using bcrypt
- Account lockout after failed attempts
- Session management with secure cookies
Two-Factor Authentication
Additional security layer using TOTP-based one-time codes.
Learn more about 2FA →
Initial Setup
Default Admin Account
On first run, ATStatus creates an admin account from the admin credentials configured through environment variables.
Security Notice
Always set a strong ADMIN_PASSWORD in production. Never use default or weak passwords.
Session Management
Session Storage
Sessions are stored in the database with encrypted session tokens. Each session is tied to a specific user and device.
Session Duration
Sessions expire after a configurable period of inactivity. Default is 24 hours.
Secure Cookies
Authentication cookies are set with the HttpOnly flag (not readable by page scripts, so an XSS bug cannot simply lift the session token), the Secure flag (sent only over HTTPS) and a SameSite attribute (not attached to cross-site requests, which blunts CSRF). SameSite complements the CSRF tokens described under Security Features; it does not replace them.
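The following is an added illustration of the session model described above (server-side storage, binding to user and device, a 24-hour inactivity timeout, and the cookie flags). It is not ATStatus code: the class and function names, the cookie name `__Host-atstatus_session`, and the use of a SHA-256 hash of the token as the database key (in place of the encrypted tokens the page mentions; both keep the raw token out of the database) are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEFAULT_IDLE_TIMEOUT = 24 * 60 * 60  # the page's default: 24 hours of inactivity
# Assumed cookie name. The __Host- prefix makes browsers refuse the cookie unless it is
# Secure, has Path=/ and carries no Domain attribute, so it cannot be set by a sibling host.
COOKIE_NAME = "__Host-atstatus_session"


@dataclass
class Session:
    user_id: int
    device: str       # e.g. a device fingerprint or user-agent hash, chosen at login
    last_seen: float  # wall-clock time of the last authenticated request


class SessionStore:
    """Server-side session table keyed by a hash of the bearer token.

    Only the hash is stored, so a leaked database yields no token a browser could present.
    """

    def __init__(self, idle_timeout: int = DEFAULT_IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock   # injectable so expiry can be tested without waiting
        self._rows = {}      # token_hash -> Session (a real deployment uses a database table)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: int, device: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; returned to the client only
        self._rows[self._key(token)] = Session(user_id, device, self.clock())
        return token

    def resolve(self, token: str, device: str) -> Optional[Session]:
        """Validate a presented token. Returns the session, or None if it is unknown,
        idle for longer than the timeout, or presented from a different device."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        now = self.clock()
        if now - row.last_seen > self.idle_timeout:
            del self._rows[key]  # expired: forget it so it cannot be revived
            return None
        if row.device != device:
            return None          # token replayed from another device
        row.last_seen = now      # sliding expiry: activity extends the session
        return row

    def revoke(self, token: str) -> None:
        """Logout: drop the row so the token is dead even if the cookie survives in a browser."""
        self._rows.pop(self._key(token), None)


def set_cookie_header(token: str, idle_timeout: int = DEFAULT_IDLE_TIMEOUT) -> str:
    """Set-Cookie value carrying the flags the page lists: HttpOnly, Secure and SameSite."""
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={idle_timeout}; "
            f"HttpOnly; Secure; SameSite=Strict")
```

`resolve` deletes expired rows on sight; a periodic sweep of `last_seen` is still needed for sessions that are never presented again. Because expiry is sliding, the cookie's `Max-Age` is only a hint to the browser; the server-side `last_seen` check is what actually ends the session.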
Security Features
Brute Force Protection
Account lockout and rate limiting after multiple failed login attempts.
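The block below is an added example covering both the Password Authentication section (hashed passwords, constant-time verification) and the brute-force protection described here (lockout after repeated failures). It is not ATStatus code. The page says passwords are hashed with bcrypt; to keep the example dependency-free it uses the standard library's `hashlib.scrypt` as a stand-in, and the lockout policy itself does not depend on the hash chosen. `LoginService`, `Account`, `MAX_FAILURES` and `LOCKOUT_SECONDS` are names and values invented for the example; ATStatus's real thresholds are not stated on this page.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Constructed lockout policy for this example (not ATStatus's documented values).
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, memory-hard hash (scrypt here as a stand-in for bcrypt); stored as salt || digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)


# Hash of a random throwaway password: a login for an unknown username still pays for one
# hash computation, so response time does not reveal which usernames exist.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


@dataclass
class Account:
    username: str
    password_hash: bytes
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # clock value; 0.0 means not locked


class LoginService:
    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock   # injectable so lockout expiry can be tested without waiting
        self.audit = []      # (timestamp, username, event); a real system writes these to the audit trail

    def login(self, username: str, password: str) -> str:
        """Returns "ok", "invalid" or "locked". Unknown users get the same answer as wrong passwords."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            verify_password(password, _DUMMY_HASH)
            self.audit.append((now, username, "login_failed"))
            return "invalid"
        if account.locked_until > now:
            # Reject before checking the password: a locked account must not leak
            # whether the guess was right.
            self.audit.append((now, username, "login_rejected_locked"))
            return "locked"
        if verify_password(password, account.password_hash):
            account.failures = 0
            self.audit.append((now, username, "login_ok"))
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.failures = 0
            account.locked_until = now + LOCKOUT_SECONDS
            self.audit.append((now, username, "account_locked"))
            return "locked"
        self.audit.append((now, username, "login_failed"))
        return "invalid"
```

Per-account lockout alone lets an attacker lock out the real admin on purpose; pairing it with per-source-IP rate limiting (as the page lists) and a finite lockout window, rather than a permanent lock, keeps the denial-of-service cost bounded.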
CSRF Protection
Cross-site request forgery (CSRF) tokens are required on all state-changing operations.
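An added example, not ATStatus code, of a synchronizer-style CSRF token bound to the session: the token is an HMAC of the session identifier under a server secret, so a token captured from one session is useless in another, and it is masked with a fresh random value on every render so the same secret value is never served twice (the masking is the standard defence against compression-oracle attacks). The `CsrfProtector` name, the hex encoding and the check that only non-safe HTTP methods need a token are choices made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state, so they carry no token
TOKEN_LEN = 32                             # SHA-256 output length


class CsrfProtector:
    def __init__(self, secret: bytes):
        if len(secret) < 32:
            raise ValueError("CSRF secret should be at least 256 bits")
        self.secret = secret

    def _raw(self, session_id: str) -> bytes:
        """Stable per-session value; never exposed directly."""
        return hmac.new(self.secret, session_id.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Token to embed in a form or header. Different on every call, same underlying value."""
        raw = self._raw(session_id)
        mask = secrets.token_bytes(TOKEN_LEN)
        masked = bytes(a ^ b for a, b in zip(raw, mask))
        return (mask + masked).hex()

    def check(self, method: str, session_id: str, submitted: Optional[str]) -> bool:
        """True if the request may proceed: safe method, or a token that unmasks to this session's value."""
        if method.upper() in SAFE_METHODS:
            return True
        if not submitted:
            return False
        try:
            blob = bytes.fromhex(submitted)
        except ValueError:
            return False
        if len(blob) != 2 * TOKEN_LEN:
            return False
        mask, masked = blob[:TOKEN_LEN], blob[TOKEN_LEN:]
        raw = bytes(a ^ b for a, b in zip(mask, masked))
        return hmac.compare_digest(raw, self._raw(session_id))
```

The session identifier fed to `_raw` must be something the server already trusts (the resolved session's key), never a value taken from the request body; otherwise an attacker supplies both halves of the comparison.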
Audit Logging
All authentication events are logged in the audit trail.
IP Restrictions
Optional IP allowlist for admin panel access.
Best Practices
- Use strong, unique passwords (minimum 12 characters)
- Enable two-factor authentication for all admin accounts
- Use HTTPS in production to encrypt all traffic; session cookies carry the Secure flag and are never sent over plain HTTP
- Regularly review audit logs for suspicious activity
- Limit the number of admin accounts to only those who need access
