fa3c625fb8
docs: update ARCHITECTURE.md and README for history feature (v2)
2026-05-17 12:05:53 +01:00
2a674c6bcd
docs: replace ASCII art diagrams with Mermaid (renders natively in Gitea)
2026-05-17 12:03:49 +01:00
da0898f52a
feat: native HTTPS support with bundled snakeoil default cert
...
Build and Push Docker Image / build (push) Successful in 32s
CI / Security audit (push) Successful in 48s
CI / Tests & coverage (push) Successful in 56s
server/index.js:
- Import http and https modules
- Resolve TLS_ENABLED early (before Helmet) so upgradeInsecureRequests
CSP directive fires when TLS is active directly (not only via proxy)
- loadTlsCredentials() reads TLS_CERT/TLS_KEY (defaulting to bundled
snakeoil) and returns null on failure (graceful HTTP fallback)
- Start https.createServer or http.createServer depending on credentials
- Startup banner now shows protocol, TLS cert path, and snakeoil warning
certs/:
- Add bundled snakeoil self-signed certificate (RSA 2048, 10yr, SAN for
localhost + 127.0.0.1) for out-of-the-box HTTPS without configuration
- .gitignore allows only snakeoil.{crt,key} — real certs must not be
committed
Dockerfile:
- COPY certs/ into image so snakeoil default is always available
- HEALTHCHECK updated to https:// with --no-check-certificate
docker-compose.yaml:
- Port now exposes HTTPS directly by default
- TLS_CERT/TLS_KEY/TLS_ENABLED/TRUST_PROXY documented with Option A/B
- cert volume mount examples added (commented out)
- healthcheck updated to https with --no-check-certificate
.env.sample:
- New TLS/HTTPS section with TLS_ENABLED, TLS_CERT, TLS_KEY
- openssl self-signed cert generation example included
docs/ARCHITECTURE.md:
- Configuration table: TLS_ENABLED, TLS_CERT, TLS_KEY env vars added
- Docker image section: TLS default behaviour documented
- Docker Compose example: Option A (direct TLS) / Option B (proxy) layout
- Security checklist: HTTPS now first item, updated for TLS modes
2026-05-17 10:50:38 +01:00
224ec33a14
docs: migrate all diagrams from PlantUML to Mermaid
...
Build and Push Docker Image / build (push) Successful in 38s
CI / Security audit (push) Successful in 52s
CI / Tests & coverage (push) Successful in 1m0s
CI / Security audit (pull_request) Successful in 48s
CI / Tests & coverage (pull_request) Successful in 57s
- Replace section 13 of ARCHITECTURE.md with 9 inline Mermaid diagrams
(component, auth sequence, dashboard SSE sequence, polling sequence,
server class, data model, UI state, poller state, matching flowchart)
- Diagrams render natively in Gitea/GitHub — no CI job required
- Delete docs/diagrams/*.puml (all 9 files)
- Delete .gitea/workflows/render-diagrams.yml
- Update CI/CD table note and ToC entry
2026-05-17 10:37:46 +01:00
121c49b35b
docs: update ARCHITECTURE.md and README for 1.0.x fixes
...
Build and Push Docker Image / build (push) Successful in 22s
CI / Security audit (push) Successful in 1m0s
CI / Tests & coverage (push) Successful in 1m14s
ARCHITECTURE.md:
- Cookie secure flag: NODE_ENV → TRUST_PROXY (3 locations)
- upgrade-insecure-requests: document it gates on TRUST_PROXY not NODE_ENV
- Docker image note: NODE_ENV=production no longer implies secure cookies
- Security checklist: clarify TRUST_PROXY enables secure cookie + CSP + HSTS
- dashboard.js route table: add /stream endpoint note
- NODE_ENV env var table: correct description
README.md:
- qBittorrent availability: note red highlight when < 100%
- Login side-effects: secure cookie gated on TRUST_PROXY not NODE_ENV
2026-05-17 10:06:43 +01:00
abdd0da306
feat: replace client polling with Server-Sent Events (SSE)
...
Build and Push Docker Image / build (push) Successful in 23s
CI / Security audit (push) Successful in 38s
CI / Tests & coverage (push) Failing after 38s
Server:
- poller.js: add pollSubscribers Set with onPollComplete/offPollComplete;
notify all SSE callbacks immediately after every successful poll
- dashboard.js: add GET /api/dashboard/stream endpoint (text/event-stream)
- requireAuth enforced via cookie (no CSRF needed — GET is a safe method)
- X-Accel-Buffering: no for nginx proxy compatibility
- 25s heartbeat comments to survive proxy idle timeouts
- initial payload sent immediately on connect
- cleanup on req.close: deregister callback, stop heartbeat, remove client
- active client tracking updated: type='sse', connectedAt, no refreshRateMs
Frontend:
- app.js: replace setInterval/fetchUserDownloads with EventSource
- startSSE() opens /api/dashboard/stream; stopSSE() closes it
- first incoming message hides loading spinner
- showAll toggle re-opens stream with ?showAll=true param
- logout calls stopSSE() before POST /api/auth/logout
- status panel: fixed 5s refresh, shows SSE clients + connect duration
- statusRefreshHandle now always 5s, not tied to old refresh-rate selector
- index.html: remove now-unused refresh-rate <select> element
Docs:
- ARCHITECTURE.md §4.3: update poller description
- ARCHITECTURE.md §5: rename to SSE Stream (§5.2) + Download Matching (§5.3)
- ARCHITECTURE.md §7: update active client tracking description
- ARCHITECTURE.md §9: add /stream endpoint, update /status clients schema
- ARCHITECTURE.md §10: update key functions table; replace Auto-Refresh
section with Live Push via SSE
- class-server.puml: add /stream to dashboard routes; update ClientInfo
- component.puml: annotate dashboard with SSE note; update label
2026-05-17 08:35:22 +01:00
8c829f9651
docs: audit and update all documentation to reflect current codebase
...
Build and Push Docker Image / build (push) Successful in 35s
CI / Security audit (push) Successful in 58s
CI / Tests & coverage (push) Failing after 1m5s
ARCHITECTURE.md:
- Node version: 18+ → 22 (Alpine)
- Tech stack: add helmet, express-rate-limit, cookie-parser, testing tools
- Directory structure: add server/app.js, verifyCsrf.js, tokenStore.js,
sanitizeError.js, tests/, docs/, .gitea/workflows/, vitest.config.js
- §4.1: document app.js factory (createApp) vs index.js entry point;
CSP nonce, rate limiters, CSRF middleware, trust proxy
- §4.2: add CSRF Required column; document verifyCsrf; fix auth note
- §4.3: add tokenStore.js and sanitizeError.js descriptions
- §6 Auth flow: add rememberMe, rate limiter, stable DeviceId, server-side
token store, CSRF token issuance, correct cookie TTL (session/30d not 24h)
- §9 API: add csrfToken to login response, rememberMe field, 400/429 codes;
add GET /api/auth/csrf endpoint; fix /me response; fix /logout CSRF note
- §11 Config: add DATA_DIR, COOKIE_SECRET, TRUST_PROXY, NODE_ENV; split
into Core / Emby / Service Instances / Tuning sections
- §12 Deployment: update Dockerfile description to multi-stage node:22-alpine;
add COOKIE_SECRET, TRUST_PROXY, named volume to compose example;
add security hardening checklist; add CI/CD table
diagrams/seq-auth.puml:
- Add TokenStore participant
- Add rememberMe, CSRF token issuance, stable DeviceId note
- Add login rate limiter note
- Add GET /csrf refresh flow
- Add server-side token revocation on logout
diagrams/class-server.puml:
- Add app.js createApp() factory class
- Add verifyCsrf middleware class
- Add TokenStore and SanitizeError utility classes
- Update auth.js routes (add GET /csrf)
- Fix relationships: entry → appfn → routes
diagrams/component.puml:
- Add app.js factory component
- Add helmet, express-rate-limit components
- Add verifyCsrf middleware component
- Add tokenStore.js and sanitizeError.js utility components
- Fix wiring: entry → createApp() → mounts routes
Dockerfile:
- Fix stale comments referencing better-sqlite3 and SQLite
server/routes/auth.js:
- Fix stale comment: SQLite-backed → JSON file-backed
2026-05-17 08:05:08 +01:00
6675e5dcfe
docs: update architecture docs and diagrams for recent changes
...
Build and Push Docker Image / build (push) Successful in 24s
ARCHITECTURE.md:
- Directory structure: add middleware/requireAuth.js and favicon assets
- §4.1: remove CORS from middleware list
- §4.2: all proxy routes now auth-required via requireAuth; add
middleware description
- §6: cookie payload corrected (no token); document secure+sameSite
- §7: add emby:users cache key (60s TTL)
- §8: Download Object table: userTag → allTags/matchedUserTag/tagBadges
- §9 POST /login: document cookie security attributes
- §10: add Tag Badge Rendering section; remove hardcoded line count
Diagrams:
- class-server.puml: add requireAuth middleware module; update
dashboard.js methods (extractAllTags, extractUserTag w/ username,
buildTagBadges, getEmbyUsers); add TagBadge value class; add auth
relationships for all proxy routes
- class-data.puml: Download Object userTag → allTags/matchedUserTag/
tagBadges; add TagBadge class; remove token from Session Cookie
- seq-auth.puml: cookie payload no longer contains token; add
secure/sameSite note
- component.puml: remove CORS component; add requireAuth; consolidate
Emby connection to show tag badge + user-summary usage
- activity-matching.puml: update to extractAllTags/extractUserTag
(with username); showAll uses hasAnyTag; tagBadges built from
embyUserMap; add Emby user fetch step; update legend
- seq-dashboard.puml: add emby:users cache lookup / Emby fetch for
showAll; update matching groups to show tag classification; add
tag badge rendering note on renderDownloads()
2026-05-16 15:41:23 +01:00
e97bd3c67b
docs: comprehensive architecture documentation with PlantUML diagrams
...
- docs/ARCHITECTURE.md: full system overview, technology stack, directory
structure, component architecture, data flow, auth, polling/caching,
download matching pipeline, API reference, frontend architecture,
configuration, deployment guide
- docs/diagrams/component.puml: system component diagram
- docs/diagrams/seq-auth.puml: authentication sequence diagram
- docs/diagrams/seq-dashboard.puml: dashboard request sequence diagram
- docs/diagrams/seq-polling.puml: background polling cycle sequence
- docs/diagrams/class-server.puml: server-side class/module diagram
- docs/diagrams/class-data.puml: data model / entity diagram
- docs/diagrams/state-ui.puml: frontend UI state diagram
- docs/diagrams/state-poller.puml: poller state diagram
- docs/diagrams/activity-matching.puml: download matching activity diagram
2026-05-16 00:32:16 +01:00
