fix: if roles changed after a restart of Dozzle, then it resets user session (#4139)

amir20 · web-flow · commit fb359cb9d58a · 2025-09-23T16:03:07.000Z
diff --git a/internal/auth/roles.go b/internal/auth/roles.go
@@ -17,8 +17,9 @@ const (
 
 const All = Shell | Actions | Download
 
+// ParseRole parses a comma-separated string of roles and returns the corresponding Role. Default is All for empty input.
 func ParseRole(commaValues string) Role {
-	if commaValues == "" {
+	if strings.TrimSpace(commaValues) == "" {
 		return All
 	}
 
diff --git a/internal/auth/simple.go b/internal/auth/simple.go
@@ -21,6 +21,7 @@ func NewSimpleAuth(userDatabase UserDatabase, ttl time.Duration) *simpleAuthCont
 	h := sha256.New()
 	for _, user := range userDatabase.Users {
 		h.Write([]byte(user.Password))
+		h.Write([]byte(user.RolesConfigured))
 	}
 
 	tokenAuth := jwtauth.New("HS256", h.Sum(nil), nil)
@@ -38,7 +39,7 @@ func (a *simpleAuthContext) CreateToken(username, password string) (string, erro
 		return "", ErrInvalidCredentials
 	}
 
-	claims := map[string]interface{}{"username": user.Username, "email": user.Email, "name": user.Name, "filter": user.Filter, "roles": user.RolesConfigured}
+	claims := map[string]interface{}{"username": user.Username, "email": user.Email, "name": user.Name, "filter": user.Filter, "roles": user.Roles}
 	jwtauth.SetIssuedNow(claims)
 
 	if a.ttl > 0 {
diff --git a/internal/auth/users.go b/internal/auth/users.go
@@ -112,6 +112,8 @@ func decodeUsersFromFile(path string) (UserDatabase, error) {
 		if user.Name == "" {
 			user.Name = username
 		}
+
+		user.Roles = ParseRole(user.RolesConfigured)
 	}
 
 	return users, nil
@@ -201,15 +203,18 @@ func UserFromContext(ctx context.Context) *User {
 			email := claims["email"].(string)
 			name := claims["name"].(string)
 			containerFilter := container.ContainerLabels{}
-			roles := All
+
 			if filter, ok := claims["filter"].(string); ok {
 				containerFilter, err = container.ParseContainerFilter(filter)
 				if err != nil {
 					log.Fatal().Err(err).Str("filter", filter).Msg("Failed to parse container filter")
 				}
 			}
-			if role, ok := claims["roles"].(string); ok {
-				roles = ParseRole(role)
+			roles := None
+			if r, ok := claims["roles"].(float64); ok {
+				roles = Role(r)
+			} else {
+				log.Warn().Interface("roles", claims["roles"]).Msg("Failed to parse roles from JWT claims")
 			}
 
 			user := newUser(username, email, name, containerFilter, roles)

Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,9 @@ const (`
`17`	`17`
`18`	`18`	`const All = Shell \| Actions \| Download`
`19`	`19`
	`20`	`+// ParseRole parses a comma-separated string of roles and returns the corresponding Role. Default is All for empty input.`
`20`	`21`	`func ParseRole(commaValues string) Role {`
`21`		`- if commaValues == "" {`
	`22`	`+ if strings.TrimSpace(commaValues) == "" {`
`22`	`23`	`return All`
`23`	`24`	`}`
`24`	`25`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ func NewSimpleAuth(userDatabase UserDatabase, ttl time.Duration) *simpleAuthCont`
`21`	`21`	`h := sha256.New()`
`22`	`22`	`for _, user := range userDatabase.Users {`
`23`	`23`	`h.Write([]byte(user.Password))`
	`24`	`+ h.Write([]byte(user.RolesConfigured))`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`tokenAuth := jwtauth.New("HS256", h.Sum(nil), nil)`
`@@ -38,7 +39,7 @@ func (a *simpleAuthContext) CreateToken(username, password string) (string, erro`
`38`	`39`	`return "", ErrInvalidCredentials`
`39`	`40`	`}`
`40`	`41`
`41`		`- claims := map[string]interface{}{"username": user.Username, "email": user.Email, "name": user.Name, "filter": user.Filter, "roles": user.RolesConfigured}`
	`42`	`+ claims := map[string]interface{}{"username": user.Username, "email": user.Email, "name": user.Name, "filter": user.Filter, "roles": user.Roles}`
`42`	`43`	`jwtauth.SetIssuedNow(claims)`
`43`	`44`
`44`	`45`	`if a.ttl > 0 {`
Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,8 @@ func decodeUsersFromFile(path string) (UserDatabase, error) {`
`112`	`112`	`if user.Name == "" {`
`113`	`113`	`user.Name = username`
`114`	`114`	`}`
	`115`	`+`
	`116`	`+ user.Roles = ParseRole(user.RolesConfigured)`
`115`	`117`	`}`
`116`	`118`
`117`	`119`	`return users, nil`
`@@ -201,15 +203,18 @@ func UserFromContext(ctx context.Context) *User {`
`201`	`203`	`email := claims["email"].(string)`
`202`	`204`	`name := claims["name"].(string)`
`203`	`205`	`containerFilter := container.ContainerLabels{}`
`204`		`- roles := All`
	`206`	`+`
`205`	`207`	`if filter, ok := claims["filter"].(string); ok {`
`206`	`208`	`containerFilter, err = container.ParseContainerFilter(filter)`
`207`	`209`	`if err != nil {`
`208`	`210`	`log.Fatal().Err(err).Str("filter", filter).Msg("Failed to parse container filter")`
`209`	`211`	`}`
`210`	`212`	`}`
`211`		`- if role, ok := claims["roles"].(string); ok {`
`212`		`- roles = ParseRole(role)`
	`213`	`+ roles := None`
	`214`	`+ if r, ok := claims["roles"].(float64); ok {`
	`215`	`+ roles = Role(r)`
	`216`	`+ } else {`
	`217`	`+ log.Warn().Interface("roles", claims["roles"]).Msg("Failed to parse roles from JWT claims")`
`213`	`218`	`}`
`214`	`219`
`215`	`220`	`user := newUser(username, email, name, containerFilter, roles)`