store and display deSEC password for user login at desec.io

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/4e99bcbc-4f32-45e6-af08-5026ce4b1f45 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
2026-05-21 02:40:09 +00:00 · 2026-04-24 21:48:19 +00:00
parent 83129d6a55
commit cb48bc5db0
4 changed files with 31 additions and 4 deletions
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -182,6 +182,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
        'community_containers_enabled' => $configurationManager->aioCommunityContainers,
        'bypass_container_update' => $bypass_container_update,
        'desec_email' => $configurationManager->desecEmail,
+        'desec_password' => $configurationManager->getDesecPassword(),
        'is_desec_domain' => $configurationManager->isDesecDomain(),
        'desec_account_registered' => $configurationManager->isDesecAccountRegistered(),
    ]);
--- a/php/src/Controller/DesecController.php
+++ b/php/src/Controller/DesecController.php
@@ -63,15 +63,16 @@ readonly class DesecController {
        try {
            if (!$accountAlreadyRegistered) {
                // Register an account at deSEC and obtain an API token.
-                // The password is intentionally ephemeral: only the API token is needed for
-                // subsequent calls, so the password does not need to be stored.
+                // The password is stored so the user can log in to desec.io directly if needed.
                $password = bin2hex(random_bytes(24));
                $token = $this->registerDesecAccount($email, $password);

-                // Persist the token and email immediately so that a subsequent domain-registration
-                // failure leaves the account credentials stored and allows the user to retry.
+                // Persist the token, password and email immediately so that a subsequent
+                // domain-registration failure leaves the account credentials stored and allows
+                // the user to retry.
                $this->configurationManager->startTransaction();
                $this->configurationManager->setDesecToken($token);
+                $this->configurationManager->setDesecPassword($password);
                $this->configurationManager->desecEmail = $email;
                $this->configurationManager->commitTransaction();
            }
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -221,6 +221,22 @@ class ConfigurationManager
            : '';
    }

+    /**
+     * Stores the deSEC account password in the secrets store so the user can log in at desec.io.
+     */
+    public function setDesecPassword(string $password): void {
+        $secrets = $this->get('secrets', []);
+        $secrets['DESEC_PASSWORD'] = $password;
+        $this->set('secrets', $secrets);
+    }
+
+    public function getDesecPassword(): string {
+        $secrets = $this->get('secrets', []);
+        return isset($secrets['DESEC_PASSWORD']) && is_string($secrets['DESEC_PASSWORD'])
+            ? $secrets['DESEC_PASSWORD']
+            : '';
+    }
+
    /**
     * Returns true when the configured domain is a deSEC dedyn.io subdomain and a token is stored.
     */
--- a/php/templates/containers.twig
+++ b/php/templates/containers.twig
@@ -137,6 +137,7 @@
                                    <p><a target="_blank" href="https://desec.io">deSEC</a> offers free dynamic DNS subdomains under <strong>dedyn.io</strong>. AIO can register an account and a subdomain for you automatically. The <strong>caddy</strong> community container will be enabled as a reverse proxy, the <strong>dnsmasq</strong> container will be enabled for local DNS resolution, and the mastercontainer will keep your DNS record up to date automatically.</p>
                                    {% if desec_account_registered %}
                                        <p>Your deSEC account (<strong>{{ desec_email }}</strong>) was registered successfully but the domain could not be registered. Please enter a desired subdomain slug (the part before <code>.dedyn.io</code>) and try again, or leave it blank for a random one.</p>
+                                        <p>Your deSEC login credentials (for <a target="_blank" href="https://desec.io">desec.io</a>): Email: <strong>{{ desec_email }}</strong>, Password: <strong>{{ desec_password }}</strong>. Please save these in a safe place.</p>
                                        <form method="POST" action="api/desec/register" class="xhr">
                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -398,6 +399,14 @@

                    {% if was_start_button_clicked == true %}

+                        {% if is_desec_domain %}
+                            <h2>deSEC account credentials</h2>
+                            <p>Your domain <strong>{{ domain }}</strong> is managed via <a target="_blank" href="https://desec.io">deSEC</a>. Below are your deSEC account credentials. You can use them to log in at <a target="_blank" href="https://desec.io">desec.io</a> to manage your domain directly.</p>
+                            <p>Email: <strong>{{ desec_email }}</strong></p>
+                            <p>Password: <strong>{{ desec_password }}</strong></p>
+                            <p>Please save these credentials in a safe place.</p>
+                        {% endif %}
+
                        {% if is_backup_section_enabled == false %}
                            <h2>Backup and restore</h2>
                            <p>The backup section is disabled via environmental variable.</p>