password-protected-em

Full-featured password protection plugin for EmDash CMS — global and per-content access control with brute-force protection, CAPTCHA, bypass links, analytics, and a fully customisable lock screen.

Features

  • Global & per-content protection — lock the entire site, individual pages, posts, categories, or the homepage
  • Multiple passwords per resource — assign several passwords to one piece of content; require any one or all of them
  • One-time & usage-limited passwords — automatically invalidate after N uses or a single unlock
  • Expiring passwords — set an ISO datetime after which a password stops working
  • Bypass tokens — generate secret access links and QR codes that skip the lock screen entirely
  • Brute-force protection — configurable failed-attempt limit and IP lockout duration
  • CAPTCHA support — reCAPTCHA v2/v3 and hCaptcha integrations
  • IP whitelist / blacklist — always-allow or always-block specific addresses and CIDR ranges
  • Remember-me sessions — configurable cookie lifetime so returning visitors stay unlocked
  • Maintenance mode — take the site offline for all visitors instantly
  • Fully customisable lock screen — title, logo, background colour, button colour, font colour, background image, dark mode, and custom CSS
  • Redirect after unlock — send visitors to a specific URL after a successful unlock
  • Email alerts — get notified when suspicious activity is detected
  • Access logs — full audit trail of unlock attempts (list, clear, export as CSV)
  • Analytics — summary stats and recent-event timeline for every protected resource
  • Admin dashboard widget — at-a-glance protection status on your EmDash dashboard

Installation

npm install @6arshid/plugin-password-protected-em
# or
pnpm add @6arshid/plugin-password-protected-em

Quick Start

// live.config.ts
import { passwordProtectedPlugin } from "@6arshid/plugin-password-protected-em";

export default defineConfig({
  plugins: [passwordProtectedPlugin()],
});

That's it. The plugin registers its admin pages, dashboard widget, and public API endpoints automatically.


Plugin Options

Pass options to the constructor to control behaviour at the code level.

passwordProtectedPlugin({
  publicApi: true, // default
})

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| publicApi | boolean | true | Expose the visitor-facing unlock / logout / status / bypass API endpoints. Set to false if you handle unlocking entirely server-side. |

Admin Settings

All other settings are configured through the EmDash admin panel under Password Protection → Settings. No code changes needed.

Brute-Force Protection

| Setting | Default | Description |
| --- | --- | --- |
| Max failed attempts | 5 | Failed unlock attempts before an IP is locked out |
| Lockout duration | 30 min | How long an IP stays locked after exceeding the limit |

Sessions

| Setting | Default | Description |
| --- | --- | --- |
| Remember-me duration | 7 days | Lifetime of the session cookie set after a successful unlock |

CAPTCHA

| Setting | Description |
| --- | --- |
| reCAPTCHA v2/v3 | Enable Google reCAPTCHA on the lock screen. Paste your site key and secret key. |
| hCaptcha | Enable hCaptcha on the lock screen. Paste your site key and secret key. |

IP Rules

| Setting | Description |
| --- | --- |
| IP whitelist | Comma-separated IPs or CIDRs that always bypass protection |
| IP blacklist | Comma-separated IPs or CIDRs that are permanently blocked |
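
How a comma-separated list of IPs and CIDRs can be parsed and matched, as an added example that is not the plugin's own code. It assumes IPv4 only and that the blacklist is checked before the whitelist (the README does not state the precedence); all function names are hypothetical.

```typescript
// Added example, not the plugin's code: IPv4-only matcher for IP/CIDR lists.
type Rule = { base: number; bits: number };

function ipv4ToInt(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    // Reject empty, non-decimal and leading-zero octets ("010" is ambiguous).
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p); // multiplication avoids signed 32-bit bit operations
  }
  return n;
}

function parseRules(csv: string): Rule[] {
  const rules: Rule[] = [];
  for (const raw of csv.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue;
    const slash = entry.indexOf("/");
    const addr = slash === -1 ? entry : entry.slice(0, slash);
    const bitsText = slash === -1 ? "32" : entry.slice(slash + 1);
    const base = ipv4ToInt(addr);
    if (base === null || !/^\d{1,2}$/.test(bitsText) || Number(bitsText) > 32) {
      throw new Error("invalid rule: " + entry); // never guess at a malformed entry
    }
    rules.push({ base: base, bits: Number(bitsText) });
  }
  return rules;
}

function matches(ip: number, r: Rule): boolean {
  const span = Math.pow(2, 32 - r.bits); // number of addresses the prefix covers
  return Math.floor(ip / span) === Math.floor(r.base / span);
}

type Decision = "block" | "bypass" | "challenge";

function decide(clientIp: string, whitelist: string, blacklist: string): Decision {
  const parsed = ipv4ToInt(clientIp);
  if (parsed === null) return "challenge"; // unparseable address gets no bypass
  const ip: number = parsed;
  const hit = (csv: string) => parseRules(csv).some((r) => matches(ip, r));
  if (hit(blacklist)) return "block"; // assumption: blacklist wins over whitelist
  return hit(whitelist) ? "bypass" : "challenge";
}
```

A whitelist match skips the lock screen entirely, so the address passed to `decide` has to be the one the server actually trusts as the client's.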

Lock Screen Customisation

| Setting | Default | Description |
| --- | --- | --- |
| Title | "Protected Content" | Heading shown on the lock screen |
| Logo | (none) | URL of a logo image |
| Background colour | #ffffff | Lock screen background |
| Button colour | #1a56db | Unlock button background |
| Font colour | #111827 | Text colour |
| Background image | (none) | URL of a full-screen background image |
| Dark mode | false | Switch the lock screen to a dark theme |
| Custom CSS | (none) | Inject arbitrary CSS into the lock screen |

Post-Unlock Behaviour

| Setting | Default | Description |
| --- | --- | --- |
| Redirect after unlock | (stay on page) | URL to redirect to after a successful unlock |

Alerts

| Setting | Default | Description |
| --- | --- | --- |
| Email alerts | false | Send an email when suspicious activity is detected |
| Alert address | (none) | The email address that receives alert notifications |

Password Options

Each password record supports the following fields, managed from Password Protection → Passwords in the admin:

| Field | Description |
| --- | --- |
| Label | Human-readable name, e.g. "Client Access" |
| Scope | global (site-wide) or a specific content ID |
| Content type | site, page, post, category, or homepage |
| Expires at | ISO datetime after which the password is invalid; leave empty for no expiry |
| Usage limit | 0 = unlimited; any positive number = max unlock uses |
| One-time | Invalidated after the first successful unlock |
| Active | Enable or disable the password without deleting it |
| Bypass token | Opaque token for secret access links and QR codes |

Per-Content Configuration

Protect individual pieces of content from the EmDash content editor. Each configuration supports:

  • Selecting which passwords apply to that content
  • Require any (default) — visitor needs to satisfy any one of the assigned passwords
  • Require all — visitor must unlock every assigned password
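
How the password fields above and the require any / require all modes combine at unlock time, as an added example that is not the plugin's own code. The record shape, the `uses` counter and the function names are hypothetical, and the example assumes that an expired or exhausted password in "require all" mode keeps the content locked.

```typescript
// Hypothetical record shape modelled on the README's password fields;
// the plugin's real types and storage are not shown on this page.
interface PasswordRecord {
  label: string;
  active: boolean;
  expiresAt: string | null; // ISO datetime; null = no expiry
  usageLimit: number;       // 0 = unlimited
  oneTime: boolean;
  uses: number;             // assumed counter of successful unlocks
}

type Verdict = "ok" | "inactive" | "expired" | "exhausted" | "bad-expiry";

function checkRecord(r: PasswordRecord, now: Date): Verdict {
  if (!r.active) return "inactive";
  if (r.expiresAt !== null) {
    const t = Date.parse(r.expiresAt);
    if (isNaN(t)) return "bad-expiry";        // unparseable date: fail closed
    if (now.getTime() >= t) return "expired";
  }
  const limit = r.oneTime ? 1 : r.usageLimit; // one-time behaves like a limit of 1
  if (limit > 0 && r.uses >= limit) return "exhausted";
  return "ok";
}

// Called only for content that is protected. `entered` holds the labels of
// records whose password the visitor supplied correctly.
function canUnlock(assigned: PasswordRecord[], entered: string[],
                   mode: "any" | "all", now: Date): boolean {
  if (assigned.length === 0) return false;    // [].every() is true; do not unlock on it
  const satisfied = (r: PasswordRecord) =>
    checkRecord(r, now) === "ok" && entered.indexOf(r.label) !== -1;
  return mode === "all" ? assigned.every(satisfied) : assigned.some(satisfied);
}

// Constructed sample data.
const NOW = new Date("2025-06-01T00:00:00Z");
const client: PasswordRecord = { label: "Client Access", active: true,
  expiresAt: null, usageLimit: 0, oneTime: false, uses: 10 };
const press: PasswordRecord = { label: "Press", active: true,
  expiresAt: "2025-05-01T00:00:00Z", usageLimit: 0, oneTime: false, uses: 0 };
const invite: PasswordRecord = { label: "Invite", active: true,
  expiresAt: null, usageLimit: 0, oneTime: true, uses: 1 };
```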

Public API Endpoints

When publicApi is enabled (the default), the plugin exposes the following visitor-facing routes:

| Route | Description |
| --- | --- |
| unlock | Submit a password to unlock content and receive a session token |
| logout | Clear the current unlock session |
| status | Check whether a piece of content is currently protected |
| bypass | Redeem a bypass token to unlock content without a password |

All admin routes (password CRUD, access logs, analytics, brute-force management) require authentication and are only accessible to logged-in EmDash users.


Admin Pages

The plugin adds the following pages to the EmDash admin panel:

| Page | Description |
| --- | --- |
| Password Protection | Overview of all protected resources |
| Passwords | Create, edit, and delete passwords |
| Settings | Global configuration (brute-force, CAPTCHA, lock screen, etc.) |
| Access Logs | Full audit trail of unlock attempts with export support |

A Password Protection dashboard widget is also added to the main EmDash dashboard.


Capabilities

This plugin declares the following EmDash capability requirements:

| Capability | Reason |
| --- | --- |
| email:send | Email alerts for suspicious activity |
| network:fetch | CAPTCHA verification requests |
| page:inject | Inject the lock screen into protected pages |

Allowed outbound hosts: www.google.com (reCAPTCHA), hcaptcha.com.


License

MIT © 2024 EmDash Contributors


Developers

  • 6arshid
  • hassantafreshi (Hassan Tafreshi)
  • aminkhadivar (Amin Khadivar)

Repository: https://github.com/6arshid/password-protected-em

About

Password Protected Em — Lock Entire Site, Pages, Posts, Categories, and Partial Content
