User Management

Overview

All panel administrator accounts are stored locally in a SQLite database at @distats_panel/database.sqlite. There is no external database, no MongoDB, no cloud service.

Creating an admin user

Use the Distats CLI to create a new administrator account:

npx distats-cli@latest create-user

The CLI will prompt you for:

  1. Username — the login name for the account
  2. Password — a secure password (stored as a hashed value, never in plain text)

What happens under the hood

  • The CLI reads your @distats_panel/database.sqlite database
  • The password is hashed using Node.js crypto.scrypt with a randomly generated salt
  • The resulting { username, hash, salt } record is inserted into the users table
  • You can then log in at http://localhost:3000 with those credentials

Password security

Distats Panel uses scrypt for password hashing — a memory-hard key derivation function and one of the strongest password hashing options built into Node.js.

Property       Value
Algorithm      crypto.scrypt (Node.js built-in)
Salt           Randomly generated per user (128-bit)
Storage        Hash + salt stored in SQLite
Verification   Timing-safe comparison with crypto.timingSafeEqual

This approach is resistant to brute-force and rainbow table attacks: the per-user random salt means precomputed tables are useless, and scrypt's memory and CPU cost makes each guess expensive for an attacker who obtains the database.

Session management

Once a user logs in:

  • A JWT is created and signed using the session_secret from your config
  • The JWT is stored in an HTTP-only, encrypted cookie named distats_session
  • The cookie is automatically validated on every request by the Next.js middleware
  • When the session expires or is missing, the user is redirected to the login page

HTTP-only cookies cannot be read by JavaScript running in the browser, which protects the session token from being stolen through an XSS bug. Note that the flag only prevents the script from reading the cookie; the browser still attaches it to requests, so XSS bugs remain worth fixing.

Logging out

Clicking the Logout button in the dashboard clears the distats_session cookie and redirects to the login page.

Managing users via the Admin panel

The dashboard includes an Admin → Users page where you can view all administrator accounts registered in your local SQLite database. Future CLI versions may support deleting or updating accounts directly.