When deleting password file, still logged in clients can keep using ComfyUI

[gloin01]

I just wanted to change my password and realized that I could still use the UI as normal, even though I got tons of "Please set up your password before use. The token will be a hashed string derived from your password." messages in the console.

Don't know if this has any other security implications, other than not being able to block out old clients by using a password reset.

Tested using the newest ComfyUI version and version of this plugin as well as Firefox 132.0.2

[liusida]

This plugin is not constantly monitoring the PASSWORD file, so when we delete that file, ComfyUI doesn't know anything has happened.

But I don't want to increase the burden for the server to of monitoring this file, so is it acceptable to just restart ComfyUI after deleting that PASSWORD file?

[gloin01]

This actually isn't quite what I meant. This still happens, even when deleting the file while the server is stopped or when restarting. The problem is probably that whatever Auth token is saved in the Browser doesn't keep track of the used password hash and is still seen as valid.

So to reproduce:

1. Have a ComfyUI Server running with enabled password
2. Connect 2 Clients
3. Stop the server
4. Delete the password file
5. Start the server
6. Logout Client 1 to reset password
7. Restart ComfyUI again
8. Client 2 is still connected with full access

[liusida]

I see. You are right, restarting the server doesn't make the sessions obsolete. (I remember there's a reason for that, maybe because users don't want to re-login after installing a plugin and restarting the server;)

Please also remove another file before restart the server to discard every session:
<ComfyUI>/custom_nodes/ComfyUI-Login/.secret-key.txt