From ac9a567cf7f83202589bd3b0a3538de9b46324b4 Mon Sep 17 00:00:00 2001
From: Flegma <Flegma@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:13:08 +0200
Subject: [PATCH 1/2] fix: use dedicated secret for offline match auth instead
 of node name

Read OFFLINE_MATCHES_PASSWORD env var for basic auth, falling back to
NODE_NAME for backwards compatibility. NODE_NAME is publicly known
from K8s pod names and should not be used as a credential.

To complete the fix, set OFFLINE_MATCHES_PASSWORD in the DaemonSet
environment (e.g., from a K8s Secret).

Closes 5stackgg/5stack-panel#409
---
 src/configs/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/configs/app.ts b/src/configs/app.ts
index 54c68a2..ef75586 100644
--- a/src/configs/app.ts
+++ b/src/configs/app.ts
@@ -8,6 +8,6 @@ export default (): {
       ? parseInt(process.env.HEALTH_PORT)
       : 8585,
     basicAuthUser: "5s",
-    basicAuthPass: process.env.NODE_NAME as string,
+    basicAuthPass: process.env.OFFLINE_MATCHES_PASSWORD || process.env.NODE_NAME as string,
   },
 });

From 48dbc72e82bf6e06ab8eaabd77dc5a05b96a6f2e Mon Sep 17 00:00:00 2001
From: Flegma <Flegma@users.noreply.github.com>
Date: Thu, 2 Apr 2026 16:05:32 +0200
Subject: [PATCH 2/2] fix: wrap fallback expression in parentheses before as
 string cast

The as string cast should apply to the entire fallback expression,
not just process.env.NODE_NAME.
---
 src/configs/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/configs/app.ts b/src/configs/app.ts
index ef75586..cd4dab3 100644
--- a/src/configs/app.ts
+++ b/src/configs/app.ts
@@ -8,6 +8,6 @@ export default (): {
       ? parseInt(process.env.HEALTH_PORT)
       : 8585,
     basicAuthUser: "5s",
-    basicAuthPass: process.env.OFFLINE_MATCHES_PASSWORD || process.env.NODE_NAME as string,
+    basicAuthPass: (process.env.OFFLINE_MATCHES_PASSWORD || process.env.NODE_NAME) as string,
   },
 });