Login & session policy
ADMINISTRATOR
Credentials
The administrator account is admin / Spb812. The password is hashed with PBKDF2-SHA256 (100,000 iterations, per-user salt), and the hash is stored in users.password_hash.
Login gate active
Currently only the admin account can log in (v2.12.16, ongoing). Non-admin accounts are blocked at the login route. The gate is removed when the project owner says "unblock" (NOT on judgment).
Sessions
- Cookie: pms_session, HttpOnly, Secure, SameSite=Lax
- 14-day stale TTL: the */10 * * * * cron sweep deletes expired and 14-day-stale rows hourly
- The frontend reads /api/auth/me to know the current role; this is what powers the role badge in the header and the sidebar gating
Reset
If the password hash is corrupted (unlikely — would require a direct D1 write), restore the users row from the most recent R2 snapshot.
To rotate the password legitimately:
- Compute a new PBKDF2 hash with a fresh salt (use the helper script in scripts/)
- wrangler d1 execute pms-db --remote --command "UPDATE users SET password_hash = ? WHERE username = 'admin'"
- Verify via /api/auth/login
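
A sketch of the hash-and-verify step behind the rotation procedure above, using the page's PBKDF2-SHA256 parameters (100,000 iterations, per-user salt). This is an added example, not the project's helper script: the function names, the 16-byte salt length and the "pbkdf2-sha256$iterations$salt$hash" stored-string layout are assumptions. Verification fails closed on a malformed or corrupted value, which is the case the Reset section covers.

```javascript
// Added example: names and the stored-string layout are assumptions, not the project's code.
const { pbkdf2Sync, randomBytes, timingSafeEqual } = require("node:crypto");

const ITERATIONS = 100000; // iteration count stated on this page
const KEY_LEN = 32;        // SHA-256 output size in bytes
const SALT_LEN = 16;       // assumed salt length

// Derive a hash with a fresh random salt and return one self-describing string.
function hashPassword(password) {
  const salt = randomBytes(SALT_LEN);
  const dk = pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, "sha256");
  return ["pbkdf2-sha256", ITERATIONS, salt.toString("base64"), dk.toString("base64")].join("$");
}

// Check a candidate password. Malformed or corrupted values return false, never throw.
function verifyPassword(password, stored) {
  if (typeof stored !== "string") return false;
  const parts = stored.split("$");
  if (parts.length !== 4 || parts[0] !== "pbkdf2-sha256") return false;
  const iterations = Number(parts[1]);
  if (!Number.isInteger(iterations) || iterations < 1 || iterations > 10000000) return false;
  const salt = Buffer.from(parts[2], "base64");
  const expected = Buffer.from(parts[3], "base64");
  if (salt.length === 0 || expected.length !== KEY_LEN) return false;
  const actual = pbkdf2Sync(password, salt, iterations, KEY_LEN, "sha256");
  // Constant-time comparison avoids leaking how many leading bytes matched.
  return timingSafeEqual(actual, expected);
}

// True when a stored value uses fewer iterations than policy and should be rotated.
function needsRehash(stored) {
  const iterations = Number(String(stored).split("$")[1]);
  return !Number.isInteger(iterations) || iterations < ITERATIONS;
}
```

Because the salt is random per call, hashing the same password twice yields two different stored strings, and both verify.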