Lock down the webui

Not sure if it’s intentional, but I never have to log in to the diyhue webui - it always auto-logins. Is there a way to disable this, and change the default password? Thank you so much.

I’m running the diyhue addon on homeassistant, if that makes any difference.

You can currently change the password with a complicated method. Any failed login attempt will log the inserted password hash. You can copy that hash and update it in the config.yaml file. You can log off by clicking Logout in the main menu.

Thanks for the reply! So if I click ‘logout’ it redirects to the login page, but doesn’t actually log out - if I refresh, or open the URL in the same (or a totally different) browser, it auto-logins. It never asks me to type in anything…

What is the complicated method to change the pass? I don’t mind generating a new hash and changing it in the .yaml file, I’m just not sure what hashing method to use specifically. Thanks again!

You are right, the session is not destroyed, this is a bug. To change the password, simply try to log in with the new password and monitor the diyhue docker container output.
Sample for password 123456:

2022-09-27 16:58:01,021 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:01] "GET /api/8fd651a05e7911eca3d1dca632fe78b6/lights HTTP/1.1" 200 -
2022-09-27 16:58:01,023 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:01] "GET /api/8fd651a05e7911eca3d1dca632fe78b6/sensors HTTP/1.1" 200 -
pbkdf2:sha256:260000$P02ztghVqGxymKwh$8abfd6095349bae6be9e31539ddd583803132ab737d9e92f43122948d2d012a9
2022-09-27 16:58:02,158 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:02] "POST /login HTTP/1.1" 200 -
2022-09-27 16:58:02,392 - werkzeug - INFO - 172.17.0.1 - - [27/Sep/2022 16:58:02] "GET /favicon.ico HTTP/1.1" 200 -

The hash to have the password 123456 is pbkdf2:sha256:260000$P02ztghVqGxymKwh$8abfd6095349bae6be9e31539ddd583803132ab737d9e92f43122948d2d012a9

In the config.yaml file you have this by default:

users:
  admin@diyhue.org:
    password: pbkdf2:sha256:150000$bqqXSOkI$199acdaf81c18f6ff2f29296872356f4eb78827784ce4b3f3b6262589c788742

Just replace the long hash and restart the docker container.
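
As an added example (not part of the thread and not diyhue's own code), the hash can also be produced offline so the new password never has to pass through the login form and the container log. It assumes the stored value follows the Werkzeug-style layout visible above, `pbkdf2:sha256:<iterations>$<salt>$<hex digest>`, with password and salt encoded as UTF-8; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

# Hash string quoted in the thread (stated there to be the hash for 123456).
PAGE_HASH = ("pbkdf2:sha256:260000$P02ztghVqGxymKwh$"
             "8abfd6095349bae6be9e31539ddd583803132ab737d9e92f43122948d2d012a9")

SALT_CHARS = string.ascii_letters + string.digits


def parse_hash(stored):
    """Split 'pbkdf2:<digest>:<iterations>$<salt>$<hex>' into its fields."""
    method, salt, digest_hex = stored.split("$", 2)
    scheme, digest_name, iterations = method.split(":")
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme: " + scheme)
    return digest_name, int(iterations), salt, digest_hex


def _derive(password, digest_name, iterations, salt):
    # Assumption: password and salt are UTF-8 encoded, output is hex.
    return hashlib.pbkdf2_hmac(digest_name, password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def make_hash(password, iterations=260000, salt_len=16):
    """Build a config.yaml-ready hash string with a fresh random salt."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(salt_len))
    digest = _derive(password, "sha256", iterations, salt)
    return f"pbkdf2:sha256:{iterations}${salt}${digest}"


def verify(password, stored):
    """Recompute the digest from the stored parameters, compare in constant time."""
    digest_name, iterations, salt, digest_hex = parse_hash(stored)
    candidate = _derive(password, digest_name, iterations, salt)
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    import getpass
    # Prompt without echo so the password stays out of shell history and logs.
    print(make_hash(getpass.getpass("New diyhue password: ")))
```

Running `verify()` on the generated string before pasting it under `password:` in config.yaml confirms the hash matches the password you intended.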