Skip to content

v1.0.231

Choose a tag to compare

@github-actions github-actions released this 27 Jun 15:24

✨ New: optional token auth for remote access

Exposing cockpit beyond your own machine — a tunnel, a LAN, a reverse proxy — used to mean anyone with the URL was in. You can now require a token for any non-local request, while local access stays frictionless.

cockpit --token <your-secret>     # off by default — omit it and nothing changes
  • Local stays open. Requests from localhost — your browser on the host, the cock CLI, /cg curls, the self-probe — are exempt and never need a token.
  • Remote must present the token, in any of three ways: an Authorization: Bearer <token> header, a cockpit_token cookie, or ?token=<token> on first visit (which sets the cookie and redirects to strip the param back out of the URL).
  • Tunnel-aware. A forwarding header (X-Forwarded-For / X-Real-IP / Forwarded) drops local trust, so a same-host tunnel or proxy — ngrok, Caddy, nginx — can't pose as localhost. HTTP, WebSocket, and the share server are all gated.

Set it with the flag, or the COCKPIT_TOKEN environment variable.

🐛 Fix: session search finds the right session

Searching the Recent Sessions and session-list modals now matches a session's summary/title and its full message text. Before, the summary line (kept only on disk) was never part of the search, and message text was truncated to 50 characters and sampled (first 5 + last 5 messages) — so long tails and mid-conversation matches silently fell through. Both modals now search the complete text.

📦 Misc: clearer tool-call titles

The tool-call modal now shows the query for ToolSearch and the subject for TaskCreate as its title line, the way Grep already shows its pattern.