From 969dc1abb1002ff2731e830994ab13dcb22bca7a Mon Sep 17 00:00:00 2001
From: DBT <nvue.dev@gmail.com>
Date: Wed, 25 Feb 2026 11:59:43 +0000
Subject: [PATCH] secure webui: require token auth on /webui page

---
 pkg/nodes/registry_server.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/nodes/registry_server.go b/pkg/nodes/registry_server.go
index 8c1629a..06da7b5 100644
--- a/pkg/nodes/registry_server.go
+++ b/pkg/nodes/registry_server.go
@@ -120,6 +120,10 @@ func (s *RegistryServer) handleWebUI(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		return
 	}
+	if !s.checkAuth(r) {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	_, _ = w.Write([]byte(webUIHTML))
 }