chore: bump version to 0.1.3

Merge develop into main for v0.1.3
2026-05-16 00:32:05 +01:00 · 2026-05-16 00:31:48 +01:00
49 changed files with 1664 additions and 5002 deletions
@@ -6,7 +6,6 @@ node_modules/
 .gitignore
 .DS_Store
 *.log
-**/*.log
 client/
 dist/
 build/
@@ -14,4 +13,3 @@ README.md
 .dockerignore
 Dockerfile
 .gitea/
-docs/
@@ -2,19 +2,6 @@
 PORT=3001
 LOG_LEVEL=info

-# Cookie signing secret for tamper-proof session cookies
-# Required in production. Generate with: openssl rand -hex 32
-COOKIE_SECRET=your_cookie_secret_here
-
-# Set to 1 (or a specific IP/CIDR) when running behind a reverse proxy
-# (Nginx, Caddy, Traefik) so Express trusts X-Forwarded-For/Proto.
-# Leave unset if sofarr is exposed directly.
-# TRUST_PROXY=1
-
-# Directory for persistent data (SQLite token store + logs)
-# Defaults to ./data relative to project root
-# DATA_DIR=/app/data
-
 # Background polling interval in ms (default: 5000)
 # Set to 0 or "off" to disable and fetch on-demand instead
 # POLL_INTERVAL=5000
@@ -14,26 +14,6 @@ PORT=3001
 # - silent: No logging
 LOG_LEVEL=info

-# Cookie signing secret for tamper-proof session cookies
-# Required in production (server exits on startup if unset).
-# Generate with: openssl rand -hex 32
-COOKIE_SECRET=your-cookie-secret-here
-
-# =============================================================================
-# REVERSE PROXY & DEPLOYMENT
-# =============================================================================
-
-# Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik).
-# This makes Express trust X-Forwarded-For and X-Forwarded-Proto so that
-# req.ip reflects the real client IP and cookies are marked secure correctly.
-# Leave unset if sofarr is exposed directly to the internet.
-# TRUST_PROXY=1
-
-# Directory for persistent data (SQLite token store, server logs).
-# Must be writable by the process user (UID 1000 in the container).
-# Defaults to ./data relative to the project root.
-# DATA_DIR=/app/data
-
 # Background polling interval in milliseconds (default: 5000)
 # sofarr polls all services in the background and caches results so
 # dashboard requests are near-instant.
@@ -1,62 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: ["**"]
-  pull_request:
-    branches: ["**"]
-
-jobs:
-  audit:
-    name: Security audit
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run security audit (fail on high+)
-        run: npm audit --audit-level=high
-
-      - name: Check for critical vulnerabilities
-        run: npm audit --audit-level=critical --json | jq -e '.metadata.vulnerabilities.critical == 0' || (echo "Critical vulnerabilities found!" && exit 1)
-        continue-on-error: false
-
-  test:
-    name: Tests & coverage
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "npm"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests with coverage
-        run: npm run test:coverage
-        env:
-          # Required by tokenStore (writable temp dir in CI)
-          DATA_DIR: /tmp/sofarr-ci-data
-          # Disable rate limiters so integration tests don't hit 429s
-          SKIP_RATE_LIMIT: "1"
-          NODE_ENV: test
-
-      - name: Upload coverage report
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: coverage-report
-          path: coverage/
-          retention-days: 14
@@ -1,12 +1,6 @@
 node_modules/
-coverage/
 .env
 dist/
 build/
 .DS_Store
 *.log
-**/*.log
-data/
-*.db
-*.db-wal
-*.db-shm
@@ -1,18 +1,4 @@
-# ---------------------------------------------------------------------------
-# Stage 1 — deps: install production dependencies only
-# ---------------------------------------------------------------------------
-FROM node:22-alpine AS deps
-
-WORKDIR /app
-
-# All dependencies are pure JavaScript — no native addons, no build tools.
-COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
-
-# ---------------------------------------------------------------------------
-# Stage 2 — runtime image (minimal attack surface)
-# ---------------------------------------------------------------------------
-FROM node:22-alpine AS runtime
+FROM node:18-alpine

 LABEL org.opencontainers.image.title="sofarr"
 LABEL org.opencontainers.image.description="Personal media download dashboard for *arr services"
@@ -23,31 +9,18 @@ LABEL org.opencontainers.image.vendor="Gordon Bolton"
 LABEL org.opencontainers.image.licenses="MIT"
 LABEL custom.hardware.requirement="None - runs on any Docker-supported platform including ARM and x86_64"

-# Use the built-in non-root 'node' user (UID 1000) from the official image
-# The /app directory is owned by root; data directory is owned by node
 WORKDIR /app

-# Copy production deps from deps stage
-COPY --from=deps /app/node_modules ./node_modules
+# Copy package files and install dependencies
+COPY package.json package-lock.json ./
+RUN npm ci --omit=dev

-# Copy application source owned by root (read-only at runtime)
-COPY --chown=root:root server/ ./server/
-COPY --chown=root:root public/ ./public/
-COPY --chown=root:root package.json ./
-
-# Persistent data directory owned by node user (token store, logs)
-RUN mkdir -p /app/data && chown node:node /app/data
-
-ENV NODE_ENV=production
-ENV DATA_DIR=/app/data
-
-# Drop to non-root user for all subsequent operations
-USER node
+# Copy application source
+COPY server/ ./server/
+COPY public/ ./public/

 EXPOSE 3001

-# HEALTHCHECK — Docker will restart the container if this fails 3 times
-HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-  CMD wget -qO- http://localhost:3001/health || exit 1
+ENV NODE_ENV=production

 CMD ["node", "server/index.js"]
@@ -308,17 +308,6 @@ Logs are written to both console and `server.log` file.
 - Check qBittorrent Web UI is enabled
 - Verify the URL includes the full path (e.g., `https://qb.example.com`)

-## Testing
-
-```bash
-npm test                # run all tests once
-npm run test:watch      # watch mode
-npm run test:coverage   # with V8 coverage report (outputs to coverage/)
-npm run test:ui         # interactive Vitest UI
-```
-
-115 tests across 8 test files covering the security-critical paths: auth middleware, CSRF protection, secret sanitization, config parsing, token store, and qBittorrent utilities. See [`tests/README.md`](tests/README.md) for design decisions and coverage targets.
-
 ## Development

 ```bash
@@ -1,148 +0,0 @@
-# Security Policy & Hardening Guide
-
-## Supported Versions
-
-| Version | Supported |
-|---------|-----------|
-| 0.2.x   | ✅ Yes    |
-| 0.1.x   | ❌ No     |
-
-## Reporting a Vulnerability
-
-Please **do not** open a public issue for security vulnerabilities.
-Email: gordon@i3omb.com — expect acknowledgement within 48 hours.
-
---
-
-## Threat Model
-
-sofarr is a personal dashboard intended for a small trusted group (household/team).
-It proxies requests to *arr stack services using stored API keys and authenticates
-users via Emby. The primary threat surface when exposed to the public internet:
-
-| Threat | Mitigations |
-|--------|-------------|
-| Credential brute-force | Rate limiting (10 fails/15 min per IP), account lockout window |
-| Session hijacking | HMAC-signed cookies, `httpOnly`, `secure`, `sameSite=strict`, short TTL |
-| CSRF | Double-submit cookie pattern (`X-CSRF-Token` header required on all mutations) |
-| API key leakage via errors | `sanitizeError()` redacts keys/tokens from all error responses and logs |
-| Token theft after logout | Server-side token store; Emby token revoked on logout |
-| XSS → token theft | `httpOnly` cookies; CSP with per-request nonce blocks inline injection |
-| Clickjacking | `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'` |
-| Info disclosure via headers | Helmet v7 removes `X-Powered-By`, sets `noSniff`, `xssFilter`, etc. |
-| Privilege escalation (container) | Non-root user (UID 1000), `no-new-privileges`, all caps dropped |
-| Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
-| Dependency vulnerabilities | `npm audit --audit-level=high` in CI on every push |
-
---
-
-## Production Deployment Checklist
-
-### Required
-
- [ ] `COOKIE_SECRET` set to a random 32-byte hex string (`openssl rand -hex 32`)
- [ ] `NODE_ENV=production`
- [ ] `TRUST_PROXY=1` set if behind a reverse proxy
- [ ] sofarr bound to `127.0.0.1` only (not `0.0.0.0`) — expose via proxy
- [ ] HTTPS enforced by the reverse proxy with a valid certificate
- [ ] Firewall rules: only 443/80 open externally; 3001 not directly exposed
-
-### Recommended
-
- [ ] Reverse proxy: Nginx, Caddy, or Traefik with TLS termination
- [ ] Set `Strict-Transport-Security` at proxy level (sofarr also sends HSTS)
- [ ] `DATA_DIR` on a named Docker volume (not bind-mounted to sensitive host path)
- [ ] Rotate `COOKIE_SECRET` periodically (causes all users to re-login)
- [ ] Enable Docker's `--read-only` flag (already in `docker-compose.yaml`)
- [ ] Monitor `/health` endpoint with an uptime checker
-
-### Docker Secrets (alternative to env vars)
-
-For production environments that support Docker secrets, you can mount secret
-files and reference them:
-
-```yaml
-secrets:
-  cookie_secret:
-    file: ./secrets/cookie_secret.txt
-  emby_api_key:
-    file: ./secrets/emby_api_key.txt
-
-services:
-  sofarr:
-    secrets:
-      - cookie_secret
-      - emby_api_key
-    environment:
-      - COOKIE_SECRET_FILE=/run/secrets/cookie_secret
-      - EMBY_API_KEY_FILE=/run/secrets/emby_api_key
-```
-
-> Note: File-based secret loading requires application code support.
-> Currently sofarr reads secrets from environment variables only.
-> Mounting secrets as env vars (via `environment:` in compose) is the
-> current supported approach.
-
---
-
-## Reverse Proxy Example (Caddy)
-
-```caddy
-sofarr.example.com {
-    reverse_proxy localhost:3001
-    header {
-        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-        X-Robots-Tag "noindex, nofollow"
-    }
-}
-```
-
-## Reverse Proxy Example (Nginx)
-
-```nginx
-server {
-    listen 443 ssl;
-    server_name sofarr.example.com;
-
-    ssl_certificate     /etc/letsencrypt/live/sofarr.example.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/sofarr.example.com/privkey.pem;
-
-    location / {
-        proxy_pass http://127.0.0.1:3001;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-```
-
---
-
-## Security Headers (emitted by sofarr)
-
-| Header | Value |
-|--------|-------|
-| `Content-Security-Policy` | `default-src 'self'; script-src 'self' 'nonce-…'; style-src 'self' 'nonce-…'; img-src 'self' data: blob:; object-src 'none'; frame-ancestors 'none'` |
-| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains; preload` (production only) |
-| `X-Content-Type-Options` | `nosniff` |
-| `X-Frame-Options` | `DENY` |
-| `Referrer-Policy` | `strict-origin-when-cross-origin` |
-| `Permissions-Policy` | `camera=(), microphone=(), geolocation=(), payment=(), usb=()` |
-
---
-
-## Rate Limits
-
-| Endpoint | Limit |
-|----------|-------|
-| `POST /api/auth/login` | 10 failed attempts per 15 min per IP |
-| All `/api/*` routes | 300 requests per 15 min per IP |
-
---
-
-## Supply Chain
-
- All dependencies pinned to minor version ranges in `package.json`
- `npm audit --audit-level=high` runs in CI on every push and pull request
- `npm audit fix` should be run when vulnerabilities are reported
@@ -1,45 +1,17 @@
+version: "3"
 services:
  sofarr:
    image: docker.i3omb.com/sofarr:latest
    container_name: sofarr
    restart: unless-stopped
    ports:
-      - "127.0.0.1:3001:3001"   # bind to loopback only — expose via reverse proxy
+      - "3001:3001"
    environment:
      - PORT=3001
-      - NODE_ENV=production
-      - LOG_LEVEL=info
-      # Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik)
-      # so Express trusts X-Forwarded-For and X-Forwarded-Proto headers.
-      - TRUST_PROXY=1
-      # --- Replace placeholders with real values or use Docker secrets ---
-      - COOKIE_SECRET=change-me-generate-with-openssl-rand-hex-32
      - EMBY_URL=https://emby.example.com
      - EMBY_API_KEY=your-emby-api-key
      - SONARR_INSTANCES=[{"name":"main","url":"https://sonarr.example.com","apiKey":"your-sonarr-api-key"}]
      - RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"your-radarr-api-key"}]
      - SABNZBD_INSTANCES=[{"name":"main","url":"https://sabnzbd.example.com","apiKey":"your-sabnzbd-api-key"}]
      - QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"your-password"}]
-    volumes:
-      # Persistent volume for SQLite token store and log file
-      - sofarr-data:/app/data
-    # Run as the built-in non-root 'node' user (UID/GID 1000)
-    user: "1000:1000"
-    # Read-only root filesystem; only the data volume is writable
-    read_only: true
-    tmpfs:
-      - /tmp                    # Node.js needs a writable /tmp
-    security_opt:
-      - no-new-privileges:true  # prevent privilege escalation via setuid binaries
-    cap_drop:
-      - ALL                     # drop all Linux capabilities
-    cap_add: []                 # add back none — Node.js needs no special caps
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3001/health"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-      start_period: 10s
-
-volumes:
-  sofarr-data:
+      - LOG_LEVEL=info
@@ -80,42 +80,18 @@ Admin users can view all users' downloads, see server status, cache statistics,

 ## 2. Technology Stack

-### Runtime & Framework
-
 | Layer | Technology | Purpose |
-|-------|-----------|------|
-| **Runtime** | Node.js 22 (Alpine) | Server runtime |
+|-------|-----------|---------|
+| **Runtime** | Node.js 18+ | Server runtime |
 | **Framework** | Express 4.x | HTTP server, routing, middleware |
 | **HTTP Client** | axios 1.x | External API communication |
 | **Frontend** | Vanilla JS + CSS | Single-page app, no build step |
-| **Containerisation** | Docker multi-stage (Alpine) | Production deployment |
+| **Auth** | Emby API + httpOnly cookies | Session management |
+| **Caching** | In-memory Map with TTL | Reduce external API load |
+| **Scheduling** | `setInterval` | Background polling |
+| **Containerisation** | Docker (Alpine) | Production deployment |
 | **Logging** | Custom logger + `console.*` | File + stdout logging with levels |

-### Security Middleware
-
-| Package | Purpose |
-|---------|--------|
-| `helmet` 7.x | HTTP security headers (CSP with per-request nonce, HSTS, referrer policy) |
-| `express-rate-limit` 7.x | 300 req/15 min general limiter; 10 failed attempts/15 min login limiter |
-| `cookie-parser` 1.x | Signed cookie support (HMAC via `COOKIE_SECRET`) |
-
-### Auth & Session
-
-| Component | Technology | Details |
-|-----------|-----------|--------|
-| **Identity** | Emby API | `POST /Users/authenticatebyname` |
-| **Session cookie** | `httpOnly` + `sameSite: strict` | Signed when `COOKIE_SECRET` set |
-| **CSRF protection** | Double-submit cookie pattern | `csrf_token` cookie + `X-CSRF-Token` header |
-| **Token store** | JSON file (`DATA_DIR/tokens.json`) | Atomic writes, 31-day TTL, hourly pruning |
-
-### Testing
-
-| Tool | Purpose |
-|------|---------|
-| `vitest` 4.x | Test runner (V8 coverage built-in) |
-| `supertest` 7.x | HTTP integration testing |
-| `nock` 14.x | HTTP interception at Node layer (works with CJS `require('axios')`) |
-
 ---

 ## 3. Directory Structure
@@ -123,49 +99,27 @@ Admin users can view all users' downloads, see server status, cache statistics,
 ```
 sofarr/
 ├── server/                     # Backend application
-│   ├── index.js                # Entry point: logging setup, server listen, poller start
-│   ├── app.js                  # Express app factory (imported by index.js and tests)
+│   ├── index.js                # Entry point: Express setup, middleware, startup
 │   ├── routes/
-│   │   ├── auth.js             # POST /login, GET /me, GET /csrf, POST /logout
-│   │   ├── dashboard.js        # GET /user-downloads, /user-summary, /status, /cover-art
+│   │   ├── auth.js             # POST /login, GET /me, POST /logout
+│   │   ├── dashboard.js        # GET /user-downloads, /user-summary, /status
 │   │   ├── emby.js             # Proxy routes to Emby API
 │   │   ├── sabnzbd.js          # Proxy routes to SABnzbd API
 │   │   ├── sonarr.js           # Proxy routes to Sonarr API
 │   │   └── radarr.js           # Proxy routes to Radarr API
-│   ├── middleware/
-│   │   ├── requireAuth.js      # httpOnly cookie auth enforcement
-│   │   └── verifyCsrf.js       # CSRF double-submit cookie validation
 │   └── utils/
 │       ├── cache.js            # MemoryCache class (Map + TTL + stats)
 │       ├── config.js           # Multi-instance service configuration parser
-│       ├── logger.js           # File logger (DATA_DIR/server.log)
+│       ├── logger.js           # File logger (server.log)
 │       ├── poller.js           # Background polling engine + timing
-│       ├── qbittorrent.js      # qBittorrent client with auth + torrent mapping
-│       ├── sanitizeError.js    # Redacts secrets from error messages before logging
-│       └── tokenStore.js       # JSON file-backed Emby token store (atomic, TTL)
+│       └── qbittorrent.js      # qBittorrent client with auth + torrent mapping
 ├── public/                     # Static frontend (served by Express)
 │   ├── index.html              # HTML shell: splash, login, dashboard
 │   ├── app.js                  # All frontend logic (auth, rendering, status)
 │   ├── style.css               # Themes, layout, responsive design
-│   ├── favicon.ico             # Multi-size favicon (16/32/48px)
-│   ├── favicon-32.png          # 32px PNG favicon
-│   ├── favicon-192.png         # 192px PNG (apple-touch-icon / PWA)
 │   └── images/                 # Logo / splash screen assets
-├── tests/
-│   ├── README.md               # Testing approach, design decisions, coverage targets
-│   ├── setup.js                # Global setup: isolated DATA_DIR, rate-limit bypass
-│   ├── unit/                   # Pure unit tests (no HTTP)
-│   └── integration/            # Supertest integration tests (nock for external HTTP)
-├── docs/
-│   ├── ARCHITECTURE.md         # This document
-│   └── diagrams/               # PlantUML source files
-├── .gitea/workflows/
-│   ├── ci.yml                  # Security audit + test/coverage CI jobs
-│   ├── build-image.yml         # Docker image build and push
-│   └── create-release.yml      # Release tagging workflow
-├── Dockerfile                  # Multi-stage production container image (node:22-alpine)
+├── Dockerfile                  # Production container image
 ├── docker-compose.yaml         # Example compose deployment
-├── vitest.config.js            # Test runner configuration with per-file coverage thresholds
 ├── package.json                # Dependencies and scripts
 ├── .env.sample                 # Annotated environment variable template
 └── README.md                   # User-facing documentation
@@ -175,45 +129,28 @@ sofarr/

 ## 4. Component Architecture

-### 4.1 Application Factory (`server/app.js`) and Entry Point (`server/index.js`)
+### 4.1 Server Entry Point (`server/index.js`)

-**`server/app.js`** is a `createApp(options?)` factory that builds and returns the configured Express `app` instance. It is imported by both `server/index.js` (production) and the test suite. Keeping app creation separate from `app.listen()` means tests get a clean instance without triggering log-file setup, `process.exit()` calls, or the background poller.
-
-`createApp` responsibilities:
- Configure `trust proxy` from `TRUST_PROXY` env var
- Apply `helmet` with a per-request CSP nonce (`crypto.randomBytes(16)`) for inline styles/scripts
- Add `Permissions-Policy` header
- Apply the general API rate limiter (300 req / 15 min per IP)
- Mount `cookie-parser` (signed when `COOKIE_SECRET` is set)
- Mount `express.json` (64 KB body limit)
- Expose `/health` and `/ready` endpoints (no auth, no rate limit)
- Mount `/api/auth` routes **before** CSRF middleware (login/logout are exempt)
- Mount `verifyCsrf` for all subsequent `/api` routes
- Mount remaining route modules under `/api/*`
- Register global error handler (500 with sanitized message)
-
-**`server/index.js`** entry point responsibilities:
- Load `.env` via `dotenv`
- Configure structured logging (`LOG_LEVEL`) with `console.*` redirection to both stdout and `DATA_DIR/server.log`
- Call `createApp()`, serve `public/` as static files, start `app.listen()`
+Responsibilities:
+- Load environment variables via `dotenv`
+- Configure structured logging with level filtering (`LOG_LEVEL`)
+- Redirect `console.*` to both stdout and `server.log`
+- Mount Express middleware (CORS, cookie-parser, JSON, static files)
+- Mount route modules under `/api/*`
 - Start the background poller

 ### 4.2 Route Modules

-| Module | Mount Point | Auth Required | CSRF Required | Purpose |
-|--------|------------|:-------------:|:-------------:|--------|
-| `auth.js` | `/api/auth` | No | No | Login, session check, CSRF token, logout |
-| `dashboard.js` | `/api/dashboard` | Yes (`requireAuth`) | Yes | Aggregated download data, status, cover-art proxy |
-| `emby.js` | `/api/emby` | Yes (`requireAuth`) | Yes | Proxy to Emby API |
-| `sabnzbd.js` | `/api/sabnzbd` | Yes (`requireAuth`) | Yes | Proxy to SABnzbd API |
-| `sonarr.js` | `/api/sonarr` | Yes (`requireAuth`) | Yes | Proxy to Sonarr API |
-| `radarr.js` | `/api/radarr` | Yes (`requireAuth`) | Yes | Proxy to Radarr API |
+| Module | Mount Point | Auth Required | Purpose |
+|--------|------------|---------------|---------|
+| `auth.js` | `/api/auth` | No | Login, session check, logout |
+| `dashboard.js` | `/api/dashboard` | Yes (cookie) | Aggregated download data, status |
+| `emby.js` | `/api/emby` | No | Proxy to Emby API |
+| `sabnzbd.js` | `/api/sabnzbd` | No | Proxy to SABnzbd API |
+| `sonarr.js` | `/api/sonarr` | No | Proxy to Sonarr API |
+| `radarr.js` | `/api/radarr` | No | Proxy to Radarr API |

-**`requireAuth`** (`server/middleware/requireAuth.js`) reads the `emby_user` cookie (signed if `COOKIE_SECRET` is set) and attaches the parsed `{ id, name, isAdmin }` user to `req.user`. Returns `401` if the cookie is absent, tampered, or schema-invalid.
-
-**`verifyCsrf`** (`server/middleware/verifyCsrf.js`) implements the double-submit cookie pattern for all state-changing requests (`POST`, `PUT`, `PATCH`, `DELETE`). Compares the `csrf_token` cookie against the `X-CSRF-Token` request header using `crypto.timingSafeEqual`. Safe methods (`GET`, `HEAD`, `OPTIONS`) are exempt. Auth routes are mounted **before** this middleware (login/logout are exempt by design — `sameSite: strict` provides equivalent protection).
-
-> **Note:** The proxy routes (`emby`, `sabnzbd`, `sonarr`, `radarr`) exist for direct API access. The dashboard itself reads from the poller cache — it does not proxy through these routes.
+> **Note:** The proxy routes (`emby`, `sabnzbd`, `sonarr`, `radarr`) use legacy single-instance env vars and are largely unused by the dashboard — they exist for direct API access. The dashboard reads from the poller cache.

 ### 4.3 Utility Modules

@@ -223,13 +160,9 @@ sofarr/

 **`poller.js`** — Background polling engine. Fetches data from all configured service instances in parallel with per-task timing. Stores results in the cache with a configurable TTL. Can be disabled entirely (`POLL_INTERVAL=0`), in which case data is fetched on-demand per dashboard request.

-**`qbittorrent.js`** — `QBittorrentClient` class with cookie-based authentication, automatic re-auth on 403, and persistent client instances. Includes torrent-to-download mapping (`mapTorrentToDownload`) and formatting utilities (`formatBytes`, `formatSpeed`, `formatEta`).
+**`qbittorrent.js`** — `QBittorrentClient` class with cookie-based authentication, automatic re-auth on 403, and persistent client instances. Includes torrent-to-download mapping (`mapTorrentToDownload`) and formatting utilities.

-**`tokenStore.js`** — JSON file-backed store (`DATA_DIR/tokens.json`) for Emby `AccessToken`s. Tokens are stored server-side and **never sent to the client**. Writes are atomic (write to `.tmp` then rename). Entries expire after 31 days (slightly longer than the maximum 30-day cookie). Pruning runs on startup and hourly.
-
-**`sanitizeError.js`** — Redacts secrets from error message strings before they are logged or returned in API responses. Patterns: URL query-param secrets (`apikey=`, `token=`, etc.), HTTP auth headers (`Authorization:`, `X-Emby-Authorization:`, etc.), Bearer tokens, and basic-auth credentials in URLs.
-
-**`logger.js`** — Simple file appender writing timestamped messages to `DATA_DIR/server.log`.
+**`logger.js`** — Simple file appender writing timestamped messages to `server.log`.

 ---

@@ -272,19 +205,12 @@ When a user requests `/api/dashboard/user-downloads`:

 ### Flow

-1. User submits credentials (+ optional `rememberMe`) via the login form
-2. Backend applies the **login rate limiter** (max 10 failed attempts per IP per 15-minute window; successful requests don't count)
-3. Backend calls Emby `POST /Users/authenticatebyname` using a deterministic `DeviceId` derived from the username — this causes Emby to reuse the existing session rather than creating a new one on every login
-4. On success, fetches full user profile (`GET /Users/{id}`) to determine admin status
-5. Stores the Emby `AccessToken` in **`tokenStore`** (server-side, never sent to the client)
-6. Sets an `httpOnly` `emby_user` cookie containing only `{ id, name, isAdmin }`:
-   - **`rememberMe: true`** → persistent cookie, `Max-Age` 30 days
-   - **`rememberMe: false`** → session cookie (no `Max-Age`; expires when browser closes)
-   - `secure` flag enabled when `NODE_ENV=production`
-   - Signed with HMAC when `COOKIE_SECRET` is set
-7. Issues a `csrf_token` cookie (`httpOnly: false` so JS can read it) containing a 32-byte random hex token
-8. Returns `{ success: true, user, csrfToken }` — the SPA stores `csrfToken` in memory and sends it as `X-CSRF-Token` on all subsequent state-changing requests
-9. All subsequent dashboard requests read the `emby_user` cookie for identity via `requireAuth`
+1. User submits credentials via the login form
+2. Backend calls Emby `POST /Users/authenticatebyname`
+3. On success, fetches full user profile to determine admin status
+4. Sets an `httpOnly` cookie (`emby_user`) containing: `{ id, name, isAdmin, token }`
+5. Cookie expires after 24 hours
+6. All subsequent dashboard requests read this cookie for identity

 ### Authorisation Matrix

@@ -327,7 +253,6 @@ Users are matched to downloads via tags in Sonarr/Radarr:
 | `poll:radarr-history` | `{ records }` — lightweight, no embedded objects | Radarr history |
 | `poll:radarr-tags` | `[{id, label}]` | Radarr tag API |
 | `poll:qbittorrent` | `[torrent, ...]` | qBittorrent all torrents |
-| `emby:users` | `Map<lowerName, displayName>` | Full Emby user list (60s TTL) |

 ### TTL Strategy

@@ -389,9 +314,7 @@ Each matched download produces an object with:
 | `eta` | string | Estimated time remaining |
 | `seriesName` / `movieName` | string | Friendly media title |
 | `episodeInfo` / `movieInfo` | object | Full *arr queue/history record |
-| `allTags` | string[] | All resolved tag labels on the series/movie |
-| `matchedUserTag` | string / null | Tag label matching the requesting user, or `null` |
-| `tagBadges` | `{label, matchedUser}[]` / undefined | (Admin `showAll` only) Each tag classified against full Emby user list |
+| `userTag` | string | Matched user tag |
 | `importIssues` | string[] / null | Import warning/error messages |
 | `downloadPath` | string / null | (Admin) Download client path |
 | `targetPath` | string / null | (Admin) *arr target path |
@@ -403,76 +326,47 @@ Each matched download produces an object with:

 ### `POST /api/auth/login`

-Authenticate a user via Emby. Rate-limited to **10 failed attempts per IP per 15 minutes**.
+Authenticate a user via Emby.

 **Request Body:**
 ```json
-{ "username": "string", "password": "string", "rememberMe": false }
+{ "username": "string", "password": "string" }
 ```

-| Field | Required | Description |
-|-------|:--------:|-----------|
-| `username` | Yes | Max 128 chars, must be a non-empty string |
-| `password` | Yes | Max 256 chars |
-| `rememberMe` | No | `true` = 30-day persistent cookie; `false`/omitted = session cookie |
-
 **Response (200):**
 ```json
 {
  "success": true,
-  "user": { "id": "string", "name": "string", "isAdmin": false },
-  "csrfToken": "64-char hex string"
+  "user": { "id": "string", "name": "string", "isAdmin": true }
 }
 ```

-**Response (400):** Invalid input (empty/overlong username or password).
-
 **Response (401):**
 ```json
 { "success": false, "error": "Invalid username or password" }
 ```

-**Response (429):** Too many failed attempts from this IP.
-
-**Side Effects:**
- Sets `emby_user` cookie: `httpOnly`, `sameSite: strict`, `secure` in production, signed if `COOKIE_SECRET` is set. Payload: `{ id, name, isAdmin }`. The Emby `AccessToken` is **never** included.
- Sets `csrf_token` cookie: `httpOnly: false` (JS-readable), same security flags. 64-char hex.
- Stores the Emby `AccessToken` server-side in `tokenStore` (used only for server-side Emby logout).
+**Side Effect:** Sets `emby_user` httpOnly cookie (24h TTL).

 ---

 ### `GET /api/auth/me`

-Check current session (no auth required — returns unauthenticated state rather than 401).
+Check current session.

-**Response (authenticated):**
+**Response:**
 ```json
-{ "authenticated": true, "user": { "id": "string", "name": "string", "isAdmin": false } }
+{
+  "authenticated": true,
+  "user": { "id": "string", "name": "string", "isAdmin": false }
+}
 ```

-**Response (not authenticated):**
-```json
-{ "authenticated": false }
-```
-
---
-
-### `GET /api/auth/csrf`
-
-Issue a fresh CSRF token. Used by the SPA after a page reload when the in-memory `csrfToken` variable is lost.
-
-**Response (200):**
-```json
-{ "csrfToken": "64-char hex string" }
-```
-
-**Side Effect:** Sets a new `csrf_token` cookie.
-
 ---

 ### `POST /api/auth/logout`

-Clear session and revoke the Emby token server-side. Does **not** require a CSRF token (auth routes are mounted before `verifyCsrf`; `sameSite: strict` provides equivalent protection).
+Clear session cookie.

 ---

@@ -553,7 +447,7 @@ Admin-only per-user download counts (fetches live from APIs, not cached).

 ## 10. Frontend Architecture

-The frontend is a **vanilla JavaScript SPA** with no build step. All logic resides in `app.js`, styled by `style.css`, and structured by `index.html`.
+The frontend is a **vanilla JavaScript SPA** with no build step. All logic resides in `app.js` (754 lines), styled by `style.css`, and structured by `index.html`.

 ### UI States

@@ -579,7 +473,7 @@ The frontend is a **vanilla JavaScript SPA** with no build step. All logic resid
 | `handleLogin()` | Authenticate, fade login → splash → dashboard |
 | `fetchUserDownloads()` | GET `/user-downloads`, update state, re-render |
 | `renderDownloads()` | Diff-based card rendering (create/update/remove) |
-| `createDownloadCard()` | Build DOM for a single download card; renders tag badges |
+| `createDownloadCard()` | Build DOM for a single download card |
 | `updateDownloadCard()` | Update existing card in-place (progress, speed, etc.) |
 | `toggleStatusPanel()` | Show/hide admin status panel |
 | `renderStatusPanel()` | Build status HTML (server, polling, cache, clients) |
@@ -595,15 +489,6 @@ Three CSS themes via `data-theme` attribute on `<html>`:

 Theme selection persists in `localStorage`.

-### Tag Badge Rendering
-
-Download cards render tag badges in the card header:
-
- **Normal user view**: a single accent-coloured badge showing the tag label that matched the current user's username (via `matchedUserTag`).
- **Admin `showAll` view**: all tags on the download are rendered using `tagBadges[]`:
-  - Tags with **no matching Emby user** → amber badge showing the raw tag label (leftmost)
-  - Tags **matched to a known Emby user** → accent badge showing the Emby display name (rightmost)
-
 ### Auto-Refresh

 The dashboard polls the server at the user-selected interval (1s, 5s, 10s, or Off). The status panel auto-refreshes in sync. Client refresh rate is sent to the server on each request for active-client tracking.
@@ -614,47 +499,26 @@ The dashboard polls the server at the user-selected interval (1s, 5s, 10s, or Of

 ### Environment Variables

-#### Core
-
 | Variable | Required | Default | Description |
 |----------|:--------:|---------|-------------|
 | `PORT` | No | `3001` | Server listen port |
-| `NODE_ENV` | No | — | Set to `production` to enable `secure` cookies and HTTPS upgrades |
-| `DATA_DIR` | No | `./data` | Directory for `tokens.json` and `server.log`. Must be writable by the server process. In Docker: `/app/data` (named volume). |
-| `COOKIE_SECRET` | No | — | If set, signs all session cookies with HMAC-SHA256. Strongly recommended in production. |
-| `TRUST_PROXY` | No | — | Express `trust proxy` setting. Set to `1` (or a hop count) when behind a reverse proxy (nginx, Traefik, etc.) so `req.ip` and `req.secure` are correct. |
-
-#### Emby
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
-| `EMBY_URL` | Yes | — | Emby/Jellyfin base URL (e.g. `https://emby.example.com`) |
-| `EMBY_API_KEY` | Yes | — | Emby API key (used by the poller to list users for tag badge classification) |
-
-#### Service Instances
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
+| `EMBY_URL` | Yes | — | Emby/Jellyfin server URL |
+| `EMBY_API_KEY` | Yes | — | Emby API key |
 | `SONARR_INSTANCES` | Yes* | — | JSON array of Sonarr instances |
-| `SONARR_URL` | Yes* | — | Legacy: single Sonarr URL |
-| `SONARR_API_KEY` | Yes* | — | Legacy: single Sonarr API key |
+| `SONARR_URL` | Yes* | — | Legacy single Sonarr URL |
+| `SONARR_API_KEY` | Yes* | — | Legacy single Sonarr API key |
 | `RADARR_INSTANCES` | Yes* | — | JSON array of Radarr instances |
-| `RADARR_URL` | Yes* | — | Legacy: single Radarr URL |
-| `RADARR_API_KEY` | Yes* | — | Legacy: single Radarr API key |
+| `RADARR_URL` | Yes* | — | Legacy single Radarr URL |
+| `RADARR_API_KEY` | Yes* | — | Legacy single Radarr API key |
 | `SABNZBD_INSTANCES` | Yes* | — | JSON array of SABnzbd instances |
-| `SABNZBD_URL` | Yes* | — | Legacy: single SABnzbd URL |
-| `SABNZBD_API_KEY` | Yes* | — | Legacy: single SABnzbd API key |
+| `SABNZBD_URL` | Yes* | — | Legacy single SABnzbd URL |
+| `SABNZBD_API_KEY` | Yes* | — | Legacy single SABnzbd API key |
 | `QBITTORRENT_INSTANCES` | No | — | JSON array of qBittorrent instances |
+| `POLL_INTERVAL` | No | `5000` | Poll interval in ms, or `off`/`0` to disable |
+| `LOG_LEVEL` | No | `info` | `debug`, `info`, `warn`, `error`, `silent` |

 \* Either `*_INSTANCES` (JSON array) or legacy `*_URL` + `*_API_KEY` format is required.

-#### Tuning
-
-| Variable | Required | Default | Description |
-|----------|:--------:|---------|-------------|
-| `POLL_INTERVAL` | No | `5000` | Poll interval in ms. Set to `0`, `off`, or `false` to disable background polling (on-demand mode). |
-| `LOG_LEVEL` | No | `info` | `debug`, `info`, `warn`, `error`, `silent` |
-
 ### Instance JSON Format

 ```json
@@ -678,20 +542,24 @@ qBittorrent instances use `username` and `password` instead of `apiKey`.

 ## 12. Deployment

-### Docker image
+### Docker

-The production image uses a two-stage build on `node:22-alpine`:
-
-1. **`deps` stage** — runs `npm ci --omit=dev` to install only production dependencies.
-2. **`runtime` stage** — copies `node_modules`, `server/`, `public/`, and `package.json`. Runs as the built-in non-root `node` user (UID 1000). `/app/data` is owned by `node` for writable token store and logs.
-
-Key environment variables set in the image:
- `NODE_ENV=production` — enables secure cookies and HTTPS upgrade CSP directive
- `DATA_DIR=/app/data` — token store and log file location
+```dockerfile
+FROM node:18-alpine
+WORKDIR /app
+COPY package.json package-lock.json ./
+RUN npm ci --omit=dev
+COPY server/ ./server/
+COPY public/ ./public/
+EXPOSE 3001
+ENV NODE_ENV=production
+CMD ["node", "server/index.js"]
+```

 ### Docker Compose

 ```yaml
+version: "3"
 services:
  sofarr:
    image: docker.i3omb.com/sofarr:latest
@@ -700,10 +568,6 @@ services:
    ports:
      - "3001:3001"
    environment:
-      - NODE_ENV=production
-      - DATA_DIR=/app/data
-      - COOKIE_SECRET=change-me-to-a-long-random-string
-      - TRUST_PROXY=1                 # set if behind nginx/Traefik
      - EMBY_URL=https://emby.example.com
      - EMBY_API_KEY=your-emby-api-key
      - SONARR_INSTANCES=[{"name":"main","url":"...","apiKey":"..."}]
@@ -712,31 +576,8 @@ services:
      - QBITTORRENT_INSTANCES=[{"name":"main","url":"...","username":"...","password":"..."}]
      - POLL_INTERVAL=5000
      - LOG_LEVEL=info
-    volumes:
-      - sofarr-data:/app/data         # persists tokens.json and server.log
-
-volumes:
-  sofarr-data:
 ```

-### Security hardening checklist
-
- **Set `COOKIE_SECRET`** — enables HMAC-signed cookies, preventing client-side forgery.
- **Set `TRUST_PROXY=1`** when behind a reverse proxy — ensures `req.secure` is `true` so the `secure` cookie flag is enforced and HTTPS-upgrade CSP fires.
- **Mount a named volume** for `DATA_DIR` — token store and log file survive container recreates.
- **Use HTTPS** — the CSP includes `upgrade-insecure-requests` in production and the HSTS header is set with a 1-year `maxAge`.
- **Rate limiting** — the login endpoint is limited to 10 failed attempts per IP per 15 minutes; all API endpoints share a 300 req/15 min window. Set `TRUST_PROXY` correctly so the client IP is not the proxy's IP.
-
-### CI / CD
-
-The `.gitea/workflows/` directory contains three pipeline definitions:
-
-| File | Trigger | Purpose |
-|------|---------|--------|
-| `ci.yml` | Every push / PR | Security audit (`npm audit --audit-level=high`) + tests with V8 coverage |
-| `build-image.yml` | Push to `main` / `develop` | Build and push Docker image to `docker.i3omb.com` |
-| `create-release.yml` | Tag push (`v*`) | Create a Gitea release |
-
 ---

 ## 13. UML Diagrams (PlantUML)
@@ -22,12 +22,6 @@ end note
 :Build **sonarrTagMap** (tagId → label)
 Build **radarrTagMap** (tagId → label);

-if (showAll?) then (yes)
-  :Fetch full Emby user list
-  Build **embyUserMap** (lowerName → displayName)
-  [cached 60s];  
-endif
-
 :Initialise **userDownloads** = [];

 partition "Process SABnzbd Queue Slots" {
@@ -38,20 +32,13 @@ partition "Process SABnzbd Queue Slots" {
    if (Title matches Sonarr **queue** record?) then (yes)
      :series = seriesMap.get(match.seriesId)\n|| match.series;
      if (series exists?) then (yes)
-        :allTags = extractAllTags(series.tags, sonarrTagMap)
-matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
-        if (showAll AND hasAnyTag?) then (yes)
+        :userTag = extractUserTag(series.tags, sonarrTagMap);
+        if (showAll OR tagMatchesUser?) then (yes)
          :Build download object (type=series)
          Add coverArt, status, progress, speed, eta
-          Add allTags, matchedUserTag
-          Add tagBadges = buildTagBadges(allTags, embyUserMap)
          Add importIssues if any
          Add admin fields (paths, arrLink);
          :Push to **userDownloads**;
-        elseif (NOT showAll AND matchedUserTag?) then (yes)
-          :Build download object (type=series)
-          Add matchedUserTag;
-          :Push to **userDownloads**;
        endif
      endif
    endif
@@ -59,19 +46,13 @@ matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
    if (Title matches Radarr **queue** record?) then (yes)
      :movie = moviesMap.get(match.movieId)\n|| match.movie;
      if (movie exists?) then (yes)
-        :allTags = extractAllTags(movie.tags, radarrTagMap)
-matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
-        if (showAll AND hasAnyTag?) then (yes)
+        :userTag = extractUserTag(movie.tags, radarrTagMap);
+        if (showAll OR tagMatchesUser?) then (yes)
          :Build download object (type=movie)
          Add coverArt, status, progress, speed, eta
-          Add allTags, matchedUserTag, tagBadges
          Add importIssues if any
          Add admin fields (paths, arrLink);
          :Push to **userDownloads**;
-        elseif (NOT showAll AND matchedUserTag?) then (yes)
-          :Build download object (type=movie)
-          Add matchedUserTag;
-          :Push to **userDownloads**;
        endif
      endif
    endif
@@ -86,20 +67,16 @@ partition "Process SABnzbd History Slots" {
    if (Title matches Sonarr **history** record?) then (yes)
      :series = seriesMap.get(match.seriesId)\n|| match.series;
      if (series found?) then (yes)
-        :extractAllTags + extractUserTag(username)
-Build download (type=series, completedAt)
-Add allTags, matchedUserTag, tagBadges if showAll;
-        :Push to **userDownloads** if showAll+anyTag or matchedUserTag;
+        :Check user tag, build download\n(type=series, with completedAt);
+        :Push to **userDownloads** if tag matches;
      endif
    endif

    if (Title matches Radarr **history** record?) then (yes)
      :movie = moviesMap.get(match.movieId)\n|| match.movie;
      if (movie found?) then (yes)
-        :extractAllTags + extractUserTag(username)
-Build download (type=movie, completedAt)
-Add allTags, matchedUserTag, tagBadges if showAll;
-        :Push to **userDownloads** if showAll+anyTag or matchedUserTag;
+        :Check user tag, build download\n(type=movie, with completedAt);
+        :Push to **userDownloads** if tag matches;
      endif
    endif
  endwhile (no)
@@ -142,15 +119,10 @@ legend right
  (bidirectional substring, case-insensitive):
  ""rTitle.includes(dlTitle) || dlTitle.includes(rTitle)""

-  **Tag Matching Logic** (tagMatchesUser):
+  **Tag Matching Logic**:
  1. Exact: tag.toLowerCase() === username
  2. Sanitised: sanitizeTagLabel(tag) === sanitizeTagLabel(username)
     (handles Ombi-mangled email-style usernames)
-
-  **extractAllTags**: returns all resolved tag labels
-  **extractUserTag**: returns the ONE label matching current user
-  **buildTagBadges**: classifies each tag against full Emby user
-    list → { label, matchedUser: displayName | null }
 end legend

@enduml
@@ -153,9 +153,7 @@ package "sofarr Internal Models" {
    + movieName : string | null
    + episodeInfo : object | null
    + movieInfo : object | null
-    + allTags : string[]
-    + matchedUserTag : string | null
-    + tagBadges : TagBadge[] | undefined
+    + userTag : string
    + importIssues : string[] | null
    + downloadPath : string | null
    + targetPath : string | null
@@ -172,11 +170,6 @@ package "sofarr Internal Models" {
    + completedAt : string
  }

-  class "TagBadge" as tagbadge <<value>> {
-    + label : string
-    + matchedUser : string | null
-  }
-
  class "API Response\n/user-downloads" as apir {
    + user : string
    + isAdmin : boolean
@@ -208,7 +201,7 @@ package "sofarr Internal Models" {
    + id : string
    + name : string
    + isAdmin : boolean
-    ' Note: Emby AccessToken intentionally excluded
+    + token : string
  }

  apir *-- dl
@@ -222,9 +215,7 @@ sabh ..> dl : matched &\ntransformed
 qbt ..> dl : mapTorrentToDownload()
 ss ..> dl : coverArt, seriesName,\npath, tags
 rm ..> dl : coverArt, movieName,\npath, tags
-tag ..> dl : allTags / matchedUserTag
+tag ..> dl : userTag resolution
 eu ..> cookie : login creates
-eu ..> tagbadge : buildTagBadges()
-dl *-- tagbadge : tagBadges[]

@enduml
@@ -9,33 +9,19 @@ package "server/index.js" as entry {
    - logFile : WriteStream
    + shouldLog(level) : boolean
    --
-    Logging setup, app.listen(),
-    static files, startPoller()
-  }
-}
-
-package "server/app.js" as appfactory {
-  class "createApp(options?)" as appfn <<factory>> {
-    + createApp(skipRateLimits?) : Express
-    --
-    Mounts helmet (CSP nonce),
-    rate limiters, cookie-parser,
-    auth routes (pre-CSRF),
-    verifyCsrf, all other routes,
-    /health, /ready, error handler
+    Configures Express app,
+    mounts routes, starts poller
  }
 }

 package "server/routes" {
  class "auth.js" as auth <<router>> {
-    + POST /login (rate-limited)
+    + POST /login
    + GET /me
-    + GET /csrf
    + POST /logout
    --
    Authenticates via Emby API
-    Issues emby_user + csrf_token cookies
-    Stores/revokes Emby tokens server-side
+    Sets/reads httpOnly cookie
  }

  class "dashboard.js" as dashboard <<router>> {
@@ -47,10 +33,7 @@ package "server/routes" {
    + GET /status
    --
    - getCoverArt(item) : string|null
-    - extractAllTags(tags, tagMap) : string[]
-    - extractUserTag(tags, tagMap, username) : string|null
-    - buildTagBadges(allTags, embyUserMap) : TagBadge[]
-    - getEmbyUsers() : Promise<Map>
+    - extractUserTag(tags, tagMap) : string|null
    - sanitizeTagLabel(input) : string
    - tagMatchesUser(tag, username) : boolean
    - getImportIssues(record) : string[]|null
@@ -86,27 +69,6 @@ package "server/routes" {
  }
 }

-package "server/middleware" {
-  class "requireAuth.js" as requireauth <<middleware>> {
-    + requireAuth(req, res, next) : void
-    --
-    Reads emby_user cookie (signed if COOKIE_SECRET)
-    Validates schema: id, name, isAdmin
-    Attaches user to req.user
-    Returns 401 if absent/tampered/invalid
-  }
-
-  class "verifyCsrf.js" as verifycsrf <<middleware>> {
-    + verifyCsrf(req, res, next) : void
-    --
-    Exempt: GET, HEAD, OPTIONS
-    Compares csrf_token cookie
-    vs X-CSRF-Token header
-    using crypto.timingSafeEqual
-    Returns 403 on mismatch/missing
-  }
-}
-
 package "server/utils" {
  class "MemoryCache" as cache {
    - store : Map<string, CacheEntry>
@@ -196,32 +158,6 @@ package "server/utils" {
    + logToFile(message) : void
  }

-  class "TokenStore" as tokenstore <<module>> {
-    - store : Object (in-memory)
-    - STORE_PATH : string (DATA_DIR/tokens.json)
-    - TOKEN_TTL_MS : 31 days
-    --
-    + storeToken(userId, accessToken) : void
-    + getToken(userId) : {accessToken}|null
-    + clearToken(userId) : void
-    --
-    Atomic write (.tmp → rename)
-    Pruned on startup + hourly
-  }
-
-  class "SanitizeError" as sanitize <<module>> {
-    + sanitizeError(err) : string
-    --
-    Redacts: query-param secrets,
-    auth headers, bearer tokens,
-    basic-auth URLs
-  }
-
-  class "TagBadge" as tb <<value>> {
-    + label : string
-    + matchedUser : string | null
-  }
-
  class "ClientInfo" as ci <<value>> {
    + user : string
    + refreshRateMs : number
@@ -230,25 +166,14 @@ package "server/utils" {
 }

 ' Relationships
-ep --> appfn : createApp()
+ep --> auth
+ep --> dashboard
+ep --> emby_r
+ep --> sab_r
+ep --> sonarr_r
+ep --> radarr_r
 ep --> poller : startPoller()

-appfn --> auth : /api/auth (pre-CSRF)
-appfn --> verifycsrf : /api (all routes below)
-appfn --> dashboard
-appfn --> emby_r
-appfn --> sab_r
-appfn --> sonarr_r
-appfn --> radarr_r
-
-dashboard --> requireauth : uses
-emby_r --> requireauth : uses
-sab_r --> requireauth : uses
-sonarr_r --> requireauth : uses
-radarr_r --> requireauth : uses
-
-auth --> tokenstore : storeToken / getToken / clearToken
-
 dashboard --> cache : read/write
 dashboard --> poller : pollAllServices()
 dashboard --> qbt_mod : mapTorrentToDownload()
@@ -269,7 +194,4 @@ dashboard *-- ci : stores in activeClients

 config ..> inst : returns

-auth ..> sanitize : sanitizeError on catch
-dashboard ..> sanitize : sanitizeError on catch
-
@enduml
@@ -15,21 +15,15 @@ package "Browser" as browser {

 package "Express Server" as server {

-  [index.js\nEntry Point] as entry
-  [app.js\ncreatApp() factory] as appfactory
-
  package "Middleware" {
-    [helmet\n(CSP nonce, HSTS)] as hm
-    [express-rate-limit\n(API + login)] as rl
-    [cookie-parser\n(signed cookies)] as cp
-    [express.json\n(64kb limit)] as ej
+    [CORS] as cors
+    [cookie-parser] as cp
+    [express.json] as ej
    [express.static] as es
-    [requireAuth.js] as requireauth
-    [verifyCsrf.js\n(double-submit)] as verifycsrf
  }

  package "Routes" as routes {
-    [auth.js\n/api/auth\n(pre-CSRF)] as auth
+    [auth.js\n/api/auth] as auth
    [dashboard.js\n/api/dashboard] as dashboard
    [emby.js\n/api/emby] as emby_route
    [sabnzbd.js\n/api/sabnzbd] as sab_route
@@ -42,35 +36,23 @@ package "Express Server" as server {
    [cache.js\nMemoryCache] as cache
    [config.js] as config
    [qbittorrent.js\nQBittorrentClient] as qbt
-    [tokenStore.js\n(tokens.json)] as tokenstore
-    [sanitizeError.js] as sanitize
    [logger.js] as logger
  }

-  entry --> appfactory : createApp()
-  entry --> es : serve public/
+  [index.js\nEntry Point] as entry
+
+  entry --> cors
+  entry --> cp
+  entry --> ej
+  entry --> es
+  entry --> auth
+  entry --> dashboard
+  entry --> emby_route
+  entry --> sab_route
+  entry --> sonarr_route
+  entry --> radarr_route
  entry --> poller : startPoller()

-  appfactory --> hm
-  appfactory --> rl
-  appfactory --> cp
-  appfactory --> ej
-  appfactory --> auth : mount before verifyCsrf
-  appfactory --> verifycsrf : applied to all /api below
-  appfactory --> dashboard
-  appfactory --> emby_route
-  appfactory --> sab_route
-  appfactory --> sonarr_route
-  appfactory --> radarr_route
-
-  emby_route --> requireauth
-  sab_route --> requireauth
-  sonarr_route --> requireauth
-  radarr_route --> requireauth
-  dashboard --> requireauth
-
-  auth --> tokenstore : storeToken / getToken / clearToken
-
  dashboard --> cache : read poll:* keys
  dashboard --> poller : pollAllServices()\n(on-demand mode)
  dashboard --> config : getSonarrInstances()\ngetRadarrInstances()
@@ -83,9 +65,6 @@ package "Express Server" as server {

  qbt --> config : getQbittorrentInstances()
  qbt --> logger
-
-  auth ..> sanitize
-  dashboard ..> sanitize
 }

 cloud "External Services" as external {
@@ -97,7 +76,7 @@ cloud "External Services" as external {
 }

 auth --> emby : authenticate\nuser profile
-dashboard --> emby : GET /Users\n(user-summary + tag badge classification)
+dashboard ..> emby : /user-summary\n(live fetch)
 emby_route --> emby
 sab_route --> sab
 sonarr_route --> sonarr
@@ -5,7 +5,6 @@ title sofarr — Authentication Sequence
 actor User as user
 participant "Browser\n(app.js)" as browser
 participant "Express\n/api/auth" as auth
-participant "TokenStore\n(tokens.json)" as tokens
 participant "Emby\nServer" as emby

 == Page Load ==
@@ -13,19 +12,14 @@ user -> browser : Navigate to sofarr
 activate browser
 browser -> auth : GET /api/auth/me
 activate auth
-auth -> auth : Read emby_user cookie\n(signed if COOKIE_SECRET set)
+auth -> auth : Read emby_user cookie
 alt Cookie exists and valid
  auth --> browser : { authenticated: true, user: { name, isAdmin } }
-  browser -> auth : GET /api/auth/csrf
-  activate auth
-  auth -> auth : Generate 32-byte hex csrfToken
-  auth --> browser : { csrfToken } + Set csrf_token cookie
-  deactivate auth
-  browser -> browser : store csrfToken in memory
  browser -> browser : showDashboard()
+  browser -> browser : fetchUserDownloads(true)
  browser -> browser : startAutoRefresh()
  browser -> browser : dismissSplash()
-else No cookie / tampered
+else No cookie
  auth --> browser : { authenticated: false }
  browser -> browser : dismissSplash()
  browser -> browser : showLogin()
@@ -33,69 +27,38 @@ end
 deactivate auth

 == Login ==
-user -> browser : Enter username + password\n(+ optional rememberMe checkbox)
-browser -> auth : POST /api/auth/login\n{ username, password, rememberMe }
+user -> browser : Enter username + password
+browser -> auth : POST /api/auth/login\n{ username, password }
 activate auth
-note right of auth
-  Rate limiter: max 10 failed
-  attempts per IP / 15 min
-  (successful requests excluded)
-end note
-auth -> emby : POST /Users/authenticatebyname\n{ Username, Pw }\nX-Emby-Authorization: MediaBrowser\nDeviceId = sha256(username)[0:16]
+auth -> emby : POST /Users/authenticatebyname\n{ Username, Pw }
 activate emby
 alt Valid credentials
-  emby --> auth : { User: { Id }, AccessToken }
-  auth -> emby : GET /Users/{userId}\nX-MediaBrowser-Token: AccessToken
+  emby --> auth : { User: { Id, ... }, AccessToken }
+  auth -> emby : GET /Users/{userId}
  emby --> auth : { Name, Policy: { IsAdministrator } }
  deactivate emby
-  auth -> tokens : storeToken(userId, AccessToken)
-  note right of tokens
-    Stored server-side only.
-    Never sent to the client.
-    31-day TTL, atomic JSON write.
-  end note
-  auth -> auth : Set emby_user cookie\n{ id, name, isAdmin }\nhttpOnly, sameSite=strict\nsecure (prod), signed (COOKIE_SECRET)\nrememberMe=true → Max-Age 30d\nrememberMe=false → session cookie
-  auth -> auth : Generate csrfToken\n(32-byte random hex)
-  auth -> auth : Set csrf_token cookie\nhttpOnly=false (JS-readable)\nsameSite=strict, secure (prod)
-  auth --> browser : { success: true, user, csrfToken }
-  browser -> browser : store csrfToken in memory
+  auth -> auth : Set httpOnly cookie\nemby_user = { id, name, isAdmin, token }\n(24h TTL)
+  auth --> browser : { success: true, user: { name, isAdmin } }
  browser -> browser : fadeOutLogin()
+  browser -> browser : showSplash()
  browser -> browser : showDashboard()
+  browser -> browser : fetchUserDownloads(true)
  browser -> browser : startAutoRefresh()
  browser -> browser : dismissSplash()
 else Invalid credentials
  emby --> auth : 401 Error
  deactivate emby
-  auth --> browser : { success: false, error: "Invalid username or password" }
+  auth --> browser : { success: false, error: "Invalid..." }
  browser -> browser : showLoginError()
 end
 deactivate auth

-== CSRF Token Refresh (after page reload) ==
-note over browser : csrfToken lost from memory\non hard page reload
-browser -> auth : GET /api/auth/csrf
-activate auth
-auth -> auth : Generate new csrfToken
-auth --> browser : { csrfToken } + new csrf_token cookie
-deactivate auth
-browser -> browser : store new csrfToken in memory
-
 == Logout ==
 user -> browser : Click Logout
 browser -> browser : stopAutoRefresh()
-browser -> auth : POST /api/auth/logout\n(no CSRF required — auth routes\nexempt; sameSite:strict protects)
+browser -> auth : POST /api/auth/logout
 activate auth
-auth -> auth : Parse emby_user cookie → user
-auth -> tokens : getToken(user.id)
-activate tokens
-tokens --> auth : { accessToken }
-deactivate tokens
-auth -> emby : POST /Sessions/Logout\nX-MediaBrowser-Token: accessToken
-activate emby
-emby --> auth : 204 / error (ignored)
-deactivate emby
-auth -> tokens : clearToken(user.id)
-auth -> auth : clearCookie(emby_user)\nclearCookie(csrf_token)
+auth -> auth : Clear emby_user cookie
 auth --> browser : { success: true }
 deactivate auth
 browser -> browser : showLogin()
@@ -50,28 +50,19 @@ dashboard -> dashboard : Build seriesMap from\nSonarr queue records
 dashboard -> dashboard : Build moviesMap from\nRadarr queue records
 dashboard -> dashboard : Build tag maps\n(id → label)

-alt showAll=true
-  dashboard -> cache : get('emby:users')
-  alt cache miss
-    dashboard -> ext : GET /Users (Emby)
-    ext --> dashboard : [{ Name, ... }]
-    dashboard -> cache : set('emby:users', map, 60s)
-  end
-  dashboard -> dashboard : Build embyUserMap\n(lowerName → displayName)
-end
-
 group SABnzbd Queue Matching
  loop each queue slot
    dashboard -> dashboard : Match title vs Sonarr queue
    dashboard -> dashboard : Match title vs Radarr queue
-    dashboard -> dashboard : extractAllTags() + extractUserTag(username)\nInclude if: showAll+anyTag OR matchedUserTag\nAttach allTags, matchedUserTag\nIf showAll: tagBadges = buildTagBadges(embyUserMap)
+    dashboard -> dashboard : Resolve series/movie\n→ extract user tag\n→ filter by username
  end
 end

 group SABnzbd History Matching
  loop each history slot
-    dashboard -> dashboard : Match title vs Sonarr/Radarr history
-    dashboard -> dashboard : Same tag extraction + inclusion logic
+    dashboard -> dashboard : Match title vs Sonarr history
+    dashboard -> dashboard : Match title vs Radarr history
+    dashboard -> dashboard : Resolve via seriesMap/moviesMap\n→ extract user tag\n→ filter
  end
 end

@@ -81,20 +72,14 @@ group qBittorrent Matching
    dashboard -> dashboard : 2. Match vs Radarr queue
    dashboard -> dashboard : 3. Match vs Sonarr history
    dashboard -> dashboard : 4. Match vs Radarr history
-    dashboard -> dashboard : mapTorrentToDownload()\n→ enrich: allTags, matchedUserTag, tagBadges
+    dashboard -> dashboard : mapTorrentToDownload()\n→ enrich with series/movie info
  end
 end

 dashboard --> browser : { user, isAdmin,\ndownloads: [...] }
 deactivate dashboard

-browser -> browser : renderDownloads() (diff-based)
-note right
-  createDownloadCard() renders tag badges:
-  - Normal: accent badge for matchedUserTag
-  - showAll: amber badges (unmatched tags)
-            accent badges (matched → show Emby displayName)
-end note
+browser -> browser : renderDownloads()\n(diff-based update)
 deactivate browser

@enduml
@@ -1,35 +1,24 @@
 {
  "name": "sofarr",
-  "version": "0.2.0",
+  "version": "0.1.3",
  "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
  "main": "server/index.js",
  "scripts": {
    "dev": "nodemon server/index.js",
    "start": "node server/index.js",
-    "install:all": "npm install",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "test:ui": "vitest --ui",
-    "audit": "npm audit --audit-level=high",
-    "audit:fix": "npm audit fix",
-    "audit:critical": "npm audit --audit-level=critical"
+    "install:all": "npm install"
  },
  "dependencies": {
-    "axios": "^1.6.0",
-    "cookie-parser": "^1.4.6",
-    "dotenv": "^16.3.1",
    "express": "^4.18.2",
-    "express-rate-limit": "^7.0.0",
-    "helmet": "^7.0.0"
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "axios": "^1.6.0",
+    "node-cron": "^3.0.3",
+    "cookie-parser": "^1.4.6"
  },
  "devDependencies": {
-    "@vitest/coverage-v8": "^4.1.6",
-    "concurrently": "^7.6.0",
-    "nock": "^14.0.15",
-    "nodemon": "^3.1.14",
-    "supertest": "^7.2.2",
-    "vitest": "^4.1.6"
+    "nodemon": "^2.0.22",
+    "concurrently": "^7.6.0"
  },
  "keywords": [
    "sabnzbd",
@@ -4,7 +4,6 @@ let refreshInterval = null;
 let currentRefreshRate = 5000; // default 5 seconds
 let isAdmin = false;
 let showAll = false;
-let csrfToken = null; // double-submit CSRF token, sent as X-CSRF-Token on mutating requests
 const SPLASH_MIN_MS = 1200; // minimum splash display time

 // Apply saved theme immediately (before DOMContentLoaded to avoid flash)
@@ -100,15 +99,7 @@ function dismissSplash(startTime) {
    setTimeout(() => {
      const splash = document.getElementById('splash-screen');
      splash.classList.add('fade-out');
-      // Fallback: resolve after transition duration + buffer in case
-      // transitionend never fires (e.g. display was toggled in same frame)
-      const TRANSITION_MS = 400;
-      const fallback = setTimeout(() => {
-        splash.style.display = 'none';
-        resolve();
-      }, TRANSITION_MS + 100);
      splash.addEventListener('transitionend', () => {
-        clearTimeout(fallback);
        splash.style.display = 'none';
        resolve();
      }, { once: true });
@@ -119,15 +110,9 @@ function dismissSplash(startTime) {
 async function checkAuthentication() {
  const splashStart = Date.now();
  try {
-    // Fetch both auth state and a fresh CSRF token in parallel
-    const [meRes, csrfRes] = await Promise.all([
-      fetch('/api/auth/me'),
-      fetch('/api/auth/csrf')
-    ]);
-    const data = await meRes.json();
-    const csrfData = await csrfRes.json();
-    if (csrfData.csrfToken) csrfToken = csrfData.csrfToken;
-
+    const response = await fetch('/api/auth/me');
+    const data = await response.json();
+    
    if (data.authenticated) {
      currentUser = data.user;
      isAdmin = !!data.user.isAdmin;
@@ -151,7 +136,6 @@ async function handleLogin(e) {
  
  const username = document.getElementById('username').value;
  const password = document.getElementById('password').value;
-  const rememberMe = document.getElementById('remember-me').checked;
  
  try {
    const response = await fetch('/api/auth/login', {
@@ -159,7 +143,7 @@ async function handleLogin(e) {
      headers: {
        'Content-Type': 'application/json'
      },
-      body: JSON.stringify({ username, password, rememberMe })
+      body: JSON.stringify({ username, password })
    });
    
    const data = await response.json();
@@ -167,15 +151,9 @@ async function handleLogin(e) {
    if (data.success) {
      currentUser = data.user;
      isAdmin = !!data.user.isAdmin;
-      // Store CSRF token returned by login for use in subsequent requests
-      if (data.csrfToken) csrfToken = data.csrfToken;
-      // Fade out login, then show splash while loading data.
-      // requestAnimationFrame ensures the browser paints the splash at
-      // opacity:1 before dismissSplash adds fade-out, so the CSS
-      // transition fires and transitionend is guaranteed.
+      // Fade out login, then show splash while loading data
      await fadeOutLogin();
      showSplash();
-      await new Promise(r => requestAnimationFrame(() => requestAnimationFrame(r)));
      showDashboard();
      const splashStart = Date.now();
      await fetchUserDownloads(true);
@@ -194,11 +172,9 @@ async function handleLogout() {
  try {
    stopAutoRefresh();
    await fetch('/api/auth/logout', {
-      method: 'POST',
-      headers: csrfToken ? { 'X-CSRF-Token': csrfToken } : {}
+      method: 'POST'
    });
    currentUser = null;
-    csrfToken = null;
    downloads = [];
    showLogin();
  } catch (err) {
@@ -387,11 +363,7 @@ function createDownloadCard(download) {
    const coverDiv = document.createElement('div');
    coverDiv.className = 'download-cover';
    const coverImg = document.createElement('img');
-    // Proxy cover art through the server so the CSP img-src 'self' rule
-    // is satisfied (external poster URLs would be blocked otherwise).
-    coverImg.src = download.coverArt
-      ? '/api/dashboard/cover-art?url=' + encodeURIComponent(download.coverArt)
-      : '';
+    coverImg.src = download.coverArt;
    coverImg.alt = download.movieName || download.seriesName || download.title;
    coverImg.loading = 'lazy';
    coverDiv.appendChild(coverImg);
@@ -462,30 +434,11 @@ function createDownloadCard(download) {
    infoDiv.appendChild(movie);
  }

-  if (showAll && download.tagBadges && download.tagBadges.length > 0) {
-    // In showAll mode: render all tags classified by whether they match an Emby user.
-    // Unmatched (no known Emby user) → amber, leftmost.
-    // Matched → show Emby display name in accent colour, rightmost.
-    const unmatched = download.tagBadges.filter(b => !b.matchedUser);
-    const matched = download.tagBadges.filter(b => b.matchedUser);
-    for (const b of unmatched) {
-      const badge = document.createElement('span');
-      badge.className = 'download-user-badge unmatched';
-      badge.textContent = b.label;
-      header.appendChild(badge);
-    }
-    for (const b of matched) {
-      const badge = document.createElement('span');
-      badge.className = 'download-user-badge';
-      badge.textContent = b.matchedUser;
-      header.appendChild(badge);
-    }
-  } else if (download.matchedUserTag) {
-    // Normal (non-showAll) view: show only the current user's matched tag
-    const matchedBadge = document.createElement('span');
-    matchedBadge.className = 'download-user-badge';
-    matchedBadge.textContent = download.matchedUserTag;
-    header.appendChild(matchedBadge);
+  if (showAll && download.userTag) {
+    const userBadge = document.createElement('span');
+    userBadge.className = 'download-user-badge';
+    userBadge.textContent = download.userTag;
+    header.appendChild(userBadge);
  }
  
  const details = document.createElement('div');
@@ -4,10 +4,6 @@
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>sofarr - Your Downloads Dashboard</title>
-    <link rel="icon" type="image/x-icon" href="favicon.ico">
-    <link rel="icon" type="image/png" sizes="32x32" href="favicon-32.png">
-    <link rel="apple-touch-icon" sizes="192x192" href="favicon-192.png">
-    <meta name="theme-color" content="#1a1a2e">
    <link rel="stylesheet" href="style.css">
 </head>
 <body>
@@ -31,12 +27,6 @@
                        <label for="password">Password:</label>
                        <input type="password" id="password" name="password" required>
                    </div>
-                    <div class="form-group form-group--checkbox">
-                        <label class="checkbox-label">
-                            <input type="checkbox" id="remember-me" name="rememberMe">
-                            <span>Keep me logged in</span>
-                        </label>
-                    </div>
                    <button type="submit" class="login-btn">Login</button>
                </form>
                <div id="login-error" class="error-message" style="display: none;"></div>
@@ -64,8 +64,6 @@
  --footer-text: rgba(255, 255, 255, 0.9);
  --input-bg: #ffffff;
  --select-bg: #ffffff;
-  --unmatched-tag-bg: #fff3e0;
-  --unmatched-tag-color: #e65100;
 }

 [data-theme="dark"] {
@@ -102,8 +100,6 @@
  --footer-text: rgba(200, 200, 220, 0.8);
  --input-bg: #2a2a3d;
  --select-bg: #2a2a3d;
-  --unmatched-tag-bg: #3d2a00;
-  --unmatched-tag-color: #ffb74d;
 }

 [data-theme="mono"] {
@@ -140,8 +136,6 @@
  --footer-text: rgba(180, 180, 180, 0.7);
  --input-bg: #252525;
  --select-bg: #252525;
-  --unmatched-tag-bg: #2a2a2a;
-  --unmatched-tag-color: #a0a0a0;
 }

 /* ===== Base ===== */
@@ -384,9 +378,8 @@ body {

 .download-header {
  display: flex;
-  flex-wrap: wrap;
+  justify-content: space-between;
  align-items: center;
-  gap: 4px;
  margin-bottom: 4px;
 }

@@ -445,9 +438,9 @@ body {
  margin-bottom: 2px;
  font-size: 0.9rem;
  font-weight: 600;
-  overflow-wrap: break-word;
-  word-break: break-word;
+  white-space: nowrap;
  overflow: hidden;
+  text-overflow: ellipsis;
 }

 .download-series,
@@ -530,8 +523,7 @@ body {
  color: var(--danger);
  font-size: 0.72rem;
  font-weight: 500;
-  overflow-wrap: break-word;
-  word-break: break-word;
+  white-space: nowrap;
 }

 /* ===== Footer ===== */
@@ -612,32 +604,6 @@ body {
  border-color: var(--accent);
 }

-.form-group--checkbox {
-  margin-bottom: 20px;
-}
-
-.checkbox-label {
-  display: flex;
-  align-items: center;
-  gap: 8px;
-  cursor: pointer;
-  font-size: 0.9rem;
-  color: var(--text-secondary);
-  user-select: none;
-}
-
-.checkbox-label input[type="checkbox"] {
-  width: 16px;
-  height: 16px;
-  accent-color: var(--accent);
-  cursor: pointer;
-  flex-shrink: 0;
-}
-
-.checkbox-label span {
-  line-height: 1;
-}
-
 .login-btn {
  width: 100%;
  padding: 10px;
@@ -705,9 +671,9 @@ body {
  font-size: 0.7rem;
  font-family: 'SF Mono', 'Fira Code', 'Fira Mono', Menlo, Consolas, monospace;
  color: var(--text-muted);
-  overflow-wrap: break-word;
-  word-break: break-all;
+  white-space: nowrap;
  overflow: hidden;
+  text-overflow: ellipsis;
 }

 .path-label {
@@ -763,13 +729,6 @@ body {
  background: var(--accent-light);
  color: var(--accent);
  margin-left: auto;
-  white-space: nowrap;
-}
-
-.download-user-badge.unmatched {
-  background: var(--unmatched-tag-bg);
-  color: var(--unmatched-tag-color);
-  margin-left: 0;
 }

 /* ===== Status Button ===== */
@@ -980,39 +939,17 @@ body {

 /* ===== Mobile ===== */
@media (max-width: 768px) {
-  .app {
-    padding: 10px;
-  }
-
  .app-header {
    flex-direction: column;
    align-items: flex-start;
-    padding: 10px 12px;
-    gap: 8px;
+    padding: 12px 14px;
  }

  .header-controls {
-    width: 100%;
    flex-wrap: wrap;
    gap: 8px;
  }

-  .user-info {
-    width: 100%;
-    justify-content: space-between;
-    box-sizing: border-box;
-  }
-
-  .admin-controls {
-    width: 100%;
-    flex-wrap: wrap;
-    gap: 6px;
-  }
-
-  .downloads-container {
-    padding: 12px;
-  }
-
  .download-card {
    padding: 8px 10px;
  }
@@ -1033,60 +970,4 @@ body {
  .status-grid {
    grid-template-columns: 1fr;
  }
-
-  .status-table {
-    font-size: 0.72rem;
-  }
-
-  .status-table th,
-  .status-table td {
-    padding: 4px 4px;
-  }
-
-  .status-table td code {
-    word-break: break-all;
-  }
-
-  .timing-label {
-    width: 90px;
-  }
-
-  .timing-value {
-    width: 40px;
-  }
-
-  .import-issue-badge:hover::after {
-    left: auto;
-    right: 0;
-    max-width: calc(100vw - 24px);
-  }
-}
-
-/* ===== Very small screens (≤ 400px) ===== */
-@media (max-width: 400px) {
-  .app {
-    padding: 6px;
-  }
-
-  .download-cover {
-    display: none;
-  }
-
-  .theme-switcher {
-    flex-shrink: 0;
-  }
-
-  .user-info {
-    font-size: 0.78rem;
-    padding: 5px 10px;
-  }
-
-  .download-card {
-    padding: 8px;
-  }
-
-  .timing-label {
-    width: 75px;
-    font-size: 0.7rem;
-  }
 }
@@ -1,113 +0,0 @@
-/**
- * Express application factory — imported by both server/index.js (production)
- * and the test suite. Keeping app creation separate from app.listen() means
- * tests can import a fresh instance without starting a real server or
- * triggering the side-effects in index.js (log files, process.exit, poller).
- */
-
-const express = require('express');
-const cookieParser = require('cookie-parser');
-const helmet = require('helmet');
-const rateLimit = require('express-rate-limit');
-const crypto = require('crypto');
-
-const sabnzbdRoutes = require('./routes/sabnzbd');
-const sonarrRoutes = require('./routes/sonarr');
-const radarrRoutes = require('./routes/radarr');
-const embyRoutes = require('./routes/emby');
-const dashboardRoutes = require('./routes/dashboard');
-const authRoutes = require('./routes/auth');
-const verifyCsrf = require('./middleware/verifyCsrf');
-
-function createApp({ skipRateLimits = false } = {}) {
-  const app = express();
-
-  if (process.env.TRUST_PROXY) {
-    const trustValue = /^\d+$/.test(process.env.TRUST_PROXY)
-      ? parseInt(process.env.TRUST_PROXY, 10)
-      : process.env.TRUST_PROXY;
-    app.set('trust proxy', trustValue);
-  }
-
-  // Per-request CSP nonce
-  app.use((req, res, next) => {
-    res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
-    next();
-  });
-
-  app.use((req, res, next) => {
-    helmet({
-      contentSecurityPolicy: {
-        directives: {
-          defaultSrc: ["'self'"],
-          scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-          styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-          imgSrc: ["'self'", 'data:', 'blob:'],
-          fontSrc: ["'self'", 'data:'],
-          connectSrc: ["'self'"],
-          objectSrc: ["'none'"],
-          baseUri: ["'self'"],
-          frameAncestors: ["'none'"],
-          formAction: ["'self'"],
-          upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
-        }
-      },
-      hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
-      referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
-      crossOriginEmbedderPolicy: false
-    })(req, res, next);
-  });
-
-  app.use((req, res, next) => {
-    res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=()');
-    next();
-  });
-
-  const apiLimiter = rateLimit({
-    windowMs: 15 * 60 * 1000,
-    max: skipRateLimits ? Number.MAX_SAFE_INTEGER : 300,
-    standardHeaders: true,
-    legacyHeaders: false,
-    message: { error: 'Too many requests, please try again later' }
-  });
-
-  app.use(cookieParser(process.env.COOKIE_SECRET || undefined));
-  app.use(express.json({ limit: '64kb' }));
-
-  // Health / readiness (no auth, no rate-limit)
-  app.get('/health', (req, res) => {
-    res.json({ status: 'ok', uptime: process.uptime() });
-  });
-
-  app.get('/ready', (req, res) => {
-    const ready = !!(process.env.EMBY_URL);
-    if (ready) {
-      res.json({ status: 'ready' });
-    } else {
-      res.status(503).json({ status: 'not ready', reason: 'EMBY_URL not configured' });
-    }
-  });
-
-  // API routes
-  app.use('/api', apiLimiter);
-  app.use('/api/auth', authRoutes);
-
-  // CSRF protection for all state-changing API requests below
-  app.use('/api', verifyCsrf);
-  app.use('/api/sabnzbd', sabnzbdRoutes);
-  app.use('/api/sonarr', sonarrRoutes);
-  app.use('/api/radarr', radarrRoutes);
-  app.use('/api/emby', embyRoutes);
-  app.use('/api/dashboard', dashboardRoutes);
-
-  // Global error handler
-  // eslint-disable-next-line no-unused-vars
-  app.use((err, req, res, next) => {
-    console.error('[Server] Unhandled error:', err.message);
-    res.status(500).json({ error: 'Internal server error' });
-  });
-
-  return app;
-}
-
-module.exports = { createApp };
@@ -1,9 +1,7 @@
 const express = require('express');
+const cors = require('cors');
 const path = require('path');
 const cookieParser = require('cookie-parser');
-const helmet = require('helmet');
-const rateLimit = require('express-rate-limit');
-const crypto = require('crypto');
 const fs = require('fs');
 require('dotenv').config();

@@ -12,29 +10,7 @@ require('dotenv').config();
 const LOG_LEVELS = { debug: 0, info: 1, warn: 2, error: 3, silent: 4 };
 const currentLevel = LOG_LEVELS[(process.env.LOG_LEVEL || 'info').toLowerCase()] || 1;

-// Log file lives in DATA_DIR so the non-root container user can write to it
-const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, '../data');
-if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
-
-const LOG_PATH = path.join(DATA_DIR, 'server.log');
-const LOG_MAX_BYTES = 10 * 1024 * 1024; // 10 MB per file
-const LOG_KEEP = 3;                      // keep 3 rotated files
-
-function rotateLogIfNeeded() {
-  try {
-    const stat = fs.statSync(LOG_PATH);
-    if (stat.size < LOG_MAX_BYTES) return;
-    for (let i = LOG_KEEP - 1; i >= 1; i--) {
-      const src = `${LOG_PATH}.${i}`;
-      const dst = `${LOG_PATH}.${i + 1}`;
-      if (fs.existsSync(src)) fs.renameSync(src, dst);
-    }
-    fs.renameSync(LOG_PATH, `${LOG_PATH}.1`);
-  } catch { /* ignore rotation errors — don't crash the server */ }
-}
-
-rotateLogIfNeeded();
-const logFile = fs.createWriteStream(LOG_PATH, { flags: 'a' });
+const logFile = fs.createWriteStream(path.join(__dirname, '../server.log'), { flags: 'a' });
 const originalConsoleLog = console.log;
 const originalConsoleError = console.error;
 const originalConsoleWarn = console.warn;
@@ -78,173 +54,25 @@ const radarrRoutes = require('./routes/radarr');
 const embyRoutes = require('./routes/emby');
 const dashboardRoutes = require('./routes/dashboard');
 const authRoutes = require('./routes/auth');
-const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');

-// ---------------------------------------------------------------------------
-// Startup environment validation
-// ---------------------------------------------------------------------------
-const cookieSecret = process.env.COOKIE_SECRET;
-if (!cookieSecret && process.env.NODE_ENV === 'production') {
-  console.error('[Security] COOKIE_SECRET is not set in production — aborting.');
-  process.exit(1);
-} else if (!cookieSecret) {
-  console.warn('[Security] COOKIE_SECRET not set — unsigned cookies (dev only)');
-}
-if (!process.env.EMBY_URL && process.env.NODE_ENV === 'production') {
-  console.error('[Config] EMBY_URL is required');
-  process.exit(1);
-}
-
 const app = express();
 const PORT = process.env.PORT || 3001;

-// ---------------------------------------------------------------------------
-// Trust proxy — required when behind Nginx/Caddy/Traefik so that
-// req.ip reflects the real client IP (not 127.0.0.1) and
-// req.secure is true when the upstream TLS is terminated by the proxy.
-// Set TRUST_PROXY=1 (or a specific IP/CIDR) via env.
-// ---------------------------------------------------------------------------
-if (process.env.TRUST_PROXY) {
-  const trustValue = /^\d+$/.test(process.env.TRUST_PROXY)
-    ? parseInt(process.env.TRUST_PROXY, 10)
-    : process.env.TRUST_PROXY;
-  app.set('trust proxy', trustValue);
-}
+app.use(cors());
+app.use(cookieParser());
+app.use(express.json());
+app.use(express.static(path.join(__dirname, '../public')));

-// ---------------------------------------------------------------------------
-// Helmet v7 — security response headers
-// CSP uses a per-request nonce injected into index.html so inline scripts
-// and styles are allowed only with a valid nonce, not blanket unsafe-inline.
-// ---------------------------------------------------------------------------
-app.use((req, res, next) => {
-  // Generate a fresh nonce for every request
-  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
-  next();
-});
-
-app.use((req, res, next) => {
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: ["'self'"],
-        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        imgSrc: ["'self'", 'data:', 'blob:'],
-        fontSrc: ["'self'", 'data:'],
-        connectSrc: ["'self'"],
-        objectSrc: ["'none'"],
-        baseUri: ["'self'"],
-        frameAncestors: ["'none'"],
-        formAction: ["'self'"],
-        upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null
-      }
-    },
-    hsts: {
-      maxAge: 31536000,       // 1 year
-      includeSubDomains: true,
-      preload: true
-    },
-    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
-    crossOriginEmbedderPolicy: false // not needed for this SPA
-  })(req, res, next);
-});
-
-// Permissions-Policy — disable powerful browser features not needed by the app
-app.use((req, res, next) => {
-  res.setHeader(
-    'Permissions-Policy',
-    'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
-  );
-  next();
-});
-
-// ---------------------------------------------------------------------------
-// General API rate limiter — applies to all /api/* routes
-// More specific limiters (e.g. login) apply on top of this.
-// ---------------------------------------------------------------------------
-const apiLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,   // 15 minutes
-  max: 300,                    // 300 requests per IP per window (generous for polling)
-  standardHeaders: true,
-  legacyHeaders: false,
-  message: { error: 'Too many requests, please try again later' }
-});
-
-// ---------------------------------------------------------------------------
-// Body parsing & cookies
-// ---------------------------------------------------------------------------
-app.use(cookieParser(cookieSecret || undefined));
-app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
-
-// ---------------------------------------------------------------------------
-// Health / readiness endpoints (no auth, no rate-limit)
-// Used by Docker HEALTHCHECK and orchestrators.
-// ---------------------------------------------------------------------------
-app.get('/health', (req, res) => {
-  res.json({ status: 'ok', uptime: process.uptime() });
-});
-
-app.get('/ready', (req, res) => {
-  // Confirm critical config is present
-  const ready = !!(process.env.EMBY_URL);
-  if (ready) {
-    res.json({ status: 'ready' });
-  } else {
-    res.status(503).json({ status: 'not ready', reason: 'EMBY_URL not configured' });
-  }
-});
-
-// ---------------------------------------------------------------------------
-// Static files — served before API routes
-// index.html is served manually so we can inject the CSP nonce
-// ---------------------------------------------------------------------------
-const PUBLIC_DIR = path.join(__dirname, '../public');
-const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
-
-// Serve all static assets (js, css, images, icons) except index.html
-app.use(express.static(PUBLIC_DIR, { index: false }));
-
-// Serve index.html with nonce injected into the <script> and <link> tags
-function serveIndex(req, res) {
-  fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
-    if (err) return res.status(500).send('Internal Server Error');
-    const nonce = res.locals.cspNonce;
-    // Inject nonce into <script> and <link rel="stylesheet"> tags
-    const patched = html
-      .replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`)
-      .replace(/<link([^>]*rel=["']stylesheet["'][^>]*)>/gi, `<link nonce="${nonce}"$1>`);
-    res.setHeader('Content-Type', 'text/html; charset=utf-8');
-    res.send(patched);
-  });
-}
-
-// ---------------------------------------------------------------------------
-// API routes (rate-limited; auth routes exempt CSRF for login/csrf endpoints)
-// CSRF protection applies to all state-changing /api/* requests except
-// /api/auth/login (pre-auth) and /api/auth/csrf (issues the token).
-// ---------------------------------------------------------------------------
-app.use('/api', apiLimiter);
-app.use('/api/auth', authRoutes);
-
-// All routes below this point require CSRF validation on mutating methods
-app.use('/api', verifyCsrf);
 app.use('/api/sabnzbd', sabnzbdRoutes);
 app.use('/api/sonarr', sonarrRoutes);
 app.use('/api/radarr', radarrRoutes);
 app.use('/api/emby', embyRoutes);
 app.use('/api/dashboard', dashboardRoutes);
+app.use('/api/auth', authRoutes);

-// SPA catch-all — serve index.html for any unmatched path
-app.get('*', serveIndex);
-
-// ---------------------------------------------------------------------------
-// Global error handler — never leak stack traces to clients
-// ---------------------------------------------------------------------------
-// eslint-disable-next-line no-unused-vars
-app.use((err, req, res, next) => {
-  console.error('[Server] Unhandled error:', err.message);
-  res.status(500).json({ error: 'Internal server error' });
+app.get('/', (req, res) => {
+  res.sendFile(path.join(__dirname, '../public/index.html'));
 });

 app.listen(PORT, () => {
@@ -253,7 +81,6 @@ app.listen(PORT, () => {
  console.log(`  Server running on port ${PORT}`);
  console.log(`  Log level: ${process.env.LOG_LEVEL || 'info'}`);
  console.log(`  Polling: ${POLLING_ENABLED ? POLL_INTERVAL + 'ms' : 'disabled (on-demand)'}`);
-  console.log(`  Trust proxy: ${process.env.TRUST_PROXY || 'disabled'}`);
  console.log(`=================================`);
  startPoller();
 });
@@ -1,21 +0,0 @@
-function requireAuth(req, res, next) {
-  const signed = !!process.env.COOKIE_SECRET;
-  const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
-  if (!raw || raw === false) {
-    return res.status(401).json({ error: 'Not authenticated' });
-  }
-  let u;
-  try {
-    u = JSON.parse(raw);
-  } catch {
-    return res.status(401).json({ error: 'Invalid session' });
-  }
-  // Schema validation
-  if (typeof u.id !== 'string' || !u.id) return res.status(401).json({ error: 'Invalid session' });
-  if (typeof u.name !== 'string' || !u.name) return res.status(401).json({ error: 'Invalid session' });
-  if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
-  req.user = u;
-  next();
-}
-
-module.exports = requireAuth;
@@ -1,42 +0,0 @@
-/**
- * CSRF protection using the double-submit cookie pattern.
- *
- * On login the server issues a random `csrf_token` cookie (httpOnly:false
- * so JS can read it). The SPA must send the same value in the
- * `X-CSRF-Token` request header for every state-changing request (POST,
- * PUT, PATCH, DELETE).
- *
- * Because the `sameSite: strict` session cookie already provides strong
- * protection in modern browsers, this acts as defence-in-depth for
- * older browsers and any edge cases.
- *
- * Safe methods (GET, HEAD, OPTIONS) are exempted.
- */
-
-const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
-
-function verifyCsrf(req, res, next) {
-  if (SAFE_METHODS.has(req.method)) return next();
-
-  const cookieToken = req.cookies.csrf_token;
-  const headerToken = req.headers['x-csrf-token'];
-
-  if (!cookieToken || !headerToken) {
-    return res.status(403).json({ error: 'CSRF token missing' });
-  }
-
-  // Constant-time comparison to prevent timing attacks
-  if (cookieToken.length !== headerToken.length) {
-    return res.status(403).json({ error: 'CSRF token invalid' });
-  }
-
-  const a = Buffer.from(cookieToken);
-  const b = Buffer.from(headerToken);
-  if (!require('crypto').timingSafeEqual(a, b)) {
-    return res.status(403).json({ error: 'CSRF token invalid' });
-  }
-
-  next();
-}
-
-module.exports = verifyCsrf;
@@ -1,105 +1,60 @@
 const express = require('express');
 const axios = require('axios');
-const crypto = require('crypto');
-const rateLimit = require('express-rate-limit');
 const router = express.Router();

-// Persistent JSON file-backed token store — survives restarts
-const { storeToken, getToken, clearToken } = require('../utils/tokenStore');
-
-// Read EMBY_URL at request time (not module load time) so the value
-// can be overridden by environment variables set after the module loads.
-const getEmbyUrl = () => process.env.EMBY_URL;
-
-// Strict login limiter: 10 attempts per 15 min, then locked for the window.
-// Set SKIP_RATE_LIMIT=1 in the test environment to prevent the limiter from
-// interfering with integration tests (all requests come from 127.0.0.1).
-const loginLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: process.env.SKIP_RATE_LIMIT ? Number.MAX_SAFE_INTEGER : 10,
-  standardHeaders: true,
-  legacyHeaders: false,
-  skipSuccessfulRequests: true, // only count failures toward the limit
-  message: { success: false, error: 'Too many login attempts, please try again later' }
-});
+const EMBY_URL = process.env.EMBY_URL;
+const EMBY_API_KEY = process.env.EMBY_API_KEY;

 // Authenticate user with Emby
-router.post('/login', loginLimiter, async (req, res) => {
+router.post('/login', async (req, res) => {
  try {
-    const { username, password, rememberMe } = req.body;
-
-    // Input validation — reject obviously invalid inputs before hitting Emby
-    if (typeof username !== 'string' || username.trim().length === 0 || username.length > 128) {
-      return res.status(400).json({ success: false, error: 'Invalid username' });
-    }
-    if (typeof password !== 'string' || password.length === 0 || password.length > 256) {
-      return res.status(400).json({ success: false, error: 'Invalid password' });
-    }
+    const { username, password } = req.body;
    
-    console.log(`[Auth] Attempting login for user: ${username.trim()}`);
+    console.log(`[Auth] Attempting login for user: ${username}`);
    
-    // Authenticate with Emby using a stable DeviceId derived from the username.
-    // Using a deterministic DeviceId causes Emby to reuse the existing session
-    // for this device rather than creating a new one on each login.
-    const stableDeviceId = 'sofarr-' + crypto.createHash('sha256').update(username.trim().toLowerCase()).digest('hex').slice(0, 16);
-    const authResponse = await axios.post(`${getEmbyUrl()}/Users/authenticatebyname`, {
-      Username: username.trim(),
+    // Authenticate with Emby
+    const authResponse = await axios.post(`${EMBY_URL}/Users/authenticatebyname`, {
+      Username: username,
      Pw: password
    }, {
      headers: {
-        'X-Emby-Authorization': `MediaBrowser Client="sofarr", Device="sofarr", DeviceId="${stableDeviceId}", Version="1.0.0"`
+        'X-Emby-Authorization': `MediaBrowser Client="MediaDashboard", Device="Browser", DeviceId="dashboard-${Date.now()}", Version="1.0.0"`
      }
    });
    
    const authData = authResponse.data;
+    console.log(`[Auth] Emby auth response:`, JSON.stringify(authData));
    
    // Get user info using the access token
-    const userResponse = await axios.get(`${getEmbyUrl()}/Users/${authData.User.Id || authData.User.id}`, {
+    const userResponse = await axios.get(`${EMBY_URL}/Users/${authData.User.Id || authData.User.id}`, {
      headers: {
        'X-MediaBrowser-Token': authData.AccessToken
      }
    });
    
    const user = userResponse.data;
-    const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
-    console.log(`[Auth] Login successful for user: ${user.Name}, isAdmin: ${isAdmin}`);
-
-    // Store token server-side; it is never sent to the client.
-    storeToken(user.Id, authData.AccessToken);
+    console.log(`[Auth] User info:`, JSON.stringify(user));
+    console.log(`[Auth] Login successful for user: ${user.Name}`);
    
-    // Set authentication cookie (signed when COOKIE_SECRET is set).
-    // rememberMe=true  → persistent cookie, expires in 30 days
-    // rememberMe=false → session cookie, expires when browser closes
-    // secure is always true — the app should sit behind HTTPS in production;
-    // behind a reverse proxy set TRUST_PROXY=1 so req.secure works correctly.
-    const cookiePayload = JSON.stringify({ id: user.Id, name: user.Name, isAdmin });
-    const signed = !!process.env.COOKIE_SECRET;
-    const cookieOptions = {
+    // Set authentication cookie
+    const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
+    res.cookie('emby_user', JSON.stringify({
+      id: user.Id,
+      name: user.Name,
+      isAdmin: isAdmin,
+      token: authData.AccessToken
+    }), {
      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'strict',
-      signed,
-      path: '/'
-    };
-    if (rememberMe) {
-      cookieOptions.maxAge = 30 * 24 * 60 * 60 * 1000; // 30 days
-    }
-    res.cookie('emby_user', cookiePayload, cookieOptions);
-
-    // Issue a CSRF token tied to this session so state-changing endpoints
-    // can validate the double-submit cookie pattern
-    const csrfToken = crypto.randomBytes(32).toString('hex');
-    res.cookie('csrf_token', csrfToken, {
-      httpOnly: false, // intentionally readable by JS for the double-submit pattern
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'strict',
-      path: '/'
+      maxAge: 24 * 60 * 60 * 1000 // 24 hours
    });
    
    res.json({
      success: true,
-      user: { id: user.Id, name: user.Name, isAdmin },
-      csrfToken
+      user: {
+        id: user.Id,
+        name: user.Name,
+        isAdmin: isAdmin
+      }
    });
  } catch (error) {
    console.error(`[Auth] Login failed:`, error.message);
@@ -110,75 +65,33 @@ router.post('/login', loginLimiter, async (req, res) => {
  }
 });

-function parseSessionCookie(req) {
-  const signed = !!process.env.COOKIE_SECRET;
-  const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
-  if (!raw || raw === false) return null; // false = tampered signed cookie
-  try {
-    const u = JSON.parse(raw);
-    // Schema validation: require id (string), name (string), isAdmin (boolean)
-    if (typeof u.id !== 'string' || !u.id) return null;
-    if (typeof u.name !== 'string' || !u.name) return null;
-    if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
-    return u;
-  } catch {
-    return null;
-  }
-}
-
 // Get current authenticated user
 router.get('/me', (req, res) => {
-  const user = parseSessionCookie(req);
-  if (!user) return res.json({ authenticated: false });
-  res.json({
-    authenticated: true,
-    user: { id: user.id, name: user.name, isAdmin: user.isAdmin }
-  });
-});
-
-// CSRF token refresh — lets the SPA get a new token without re-logging-in
-// (e.g. after a page reload where the JS variable was lost)
-router.get('/csrf', (req, res) => {
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  res.cookie('csrf_token', csrfToken, {
-    httpOnly: false,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'strict',
-    path: '/'
-  });
-  res.json({ csrfToken });
+  try {
+    const userCookie = req.cookies.emby_user;
+    
+    if (!userCookie) {
+      return res.json({ authenticated: false });
+    }
+    
+    const user = JSON.parse(userCookie);
+    res.json({
+      authenticated: true,
+      user: {
+        id: user.id,
+        name: user.name,
+        isAdmin: !!user.isAdmin
+      }
+    });
+  } catch (error) {
+    console.error(`[Auth] Error getting current user:`, error.message);
+    res.json({ authenticated: false });
+  }
 });

 // Logout
-router.post('/logout', async (req, res) => {
-  const user = parseSessionCookie(req);
-  if (user) {
-    const stored = getToken(user.id);
-    if (stored) {
-      try {
-        await axios.post(`${getEmbyUrl()}/Sessions/Logout`, {}, {
-          headers: { 'X-MediaBrowser-Token': stored.accessToken }
-        });
-        console.log(`[Auth] Revoked Emby token for user: ${user.name}`);
-      } catch (err) {
-        console.warn(`[Auth] Failed to revoke Emby token for ${user.name}:`, err.message);
-      }
-      clearToken(user.id);
-    }
-  }
-  res.clearCookie('emby_user', {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'strict',
-    signed: !!process.env.COOKIE_SECRET,
-    path: '/'
-  });
-  res.clearCookie('csrf_token', {
-    httpOnly: false,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'strict',
-    path: '/'
-  });
+router.post('/logout', (req, res) => {
+  res.clearCookie('emby_user');
  res.json({ success: true });
 });

@@ -1,14 +1,14 @@
 const express = require('express');
 const router = express.Router();
-const requireAuth = require('../middleware/requireAuth');

 const axios = require('axios');
 const { mapTorrentToDownload } = require('../utils/qbittorrent');
 const cache = require('../utils/cache');
 const { pollAllServices, getLastPollTimings, POLLING_ENABLED } = require('../utils/poller');
 const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
-const sanitizeError = require('../utils/sanitizeError');

+const EMBY_URL = process.env.EMBY_URL;
+const EMBY_API_KEY = process.env.EMBY_API_KEY;

 // Helper function to extract poster/cover art URL from a movie or series object
 function getCoverArt(item) {
@@ -20,26 +20,24 @@ function getCoverArt(item) {
  return fanart ? (fanart.remoteUrl || fanart.url || null) : null;
 }

-// Return all resolved tag labels for a series/movie.
-// For Radarr: tags is array of IDs, tagMap is id -> label mapping.
-// For Sonarr: tags are objects with a label property.
-function extractAllTags(tags, tagMap) {
-  if (!tags || tags.length === 0) return [];
+// Helper function to extract user tag from series/movie
+// For Radarr: tags is array of IDs, tagMap is id -> label mapping
+// For Sonarr: tags is array of objects with label property
+function extractUserTag(tags, tagMap) {
+  if (!tags || tags.length === 0) return null;
+  
+  // If tagMap provided (Radarr), look up label by ID
  if (tagMap) {
-    return tags.map(id => tagMap.get(id)).filter(Boolean);
+    for (const tagId of tags) {
+      const label = tagMap.get(tagId);
+      if (label) return label;
+    }
+    return null;
  }
-  return tags.map(t => t && t.label).filter(Boolean);
-}
-
-// Return the tag label that matches the current username, or null.
-function extractUserTag(tags, tagMap, username) {
-  const allLabels = extractAllTags(tags, tagMap);
-  if (!allLabels.length) return null;
-  if (username) {
-    const match = allLabels.find(label => tagMatchesUser(label, username));
-    if (match) return match;
-  }
-  return null;
+  
+  // Sonarr style - tags are objects with label
+  const userTag = tags.find(tag => tag && tag.label);
+  return userTag ? userTag.label : null;
 }

 // Replicate Ombi's StringHelper.SanitizeTagLabel: lowercase, replace non-alphanumeric with hyphen, collapse, trim
@@ -94,41 +92,6 @@ function getRadarrLink(movie) {
  return `${movie._instanceUrl}/movie/${movie.titleSlug}`;
 }

-// Fetch all Emby users and return a Map<lowerName -> displayName> (and sanitized variants).
-// Result is cached for 60s to avoid hammering Emby on every dashboard poll.
-async function getEmbyUsers() {
-  const cached = cache.get('emby:users');
-  if (cached) return cached;
-  try {
-    const response = await axios.get(`${process.env.EMBY_URL}/Users`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
-    });
-    // Build map: both raw lowercase and sanitized form -> display name
-    const map = new Map();
-    for (const u of response.data) {
-      const name = u.Name || '';
-      map.set(name.toLowerCase(), name);
-      map.set(sanitizeTagLabel(name), name);
-    }
-    cache.set('emby:users', map, 60000);
-    return map;
-  } catch (err) {
-    console.error('[Dashboard] Failed to fetch Emby users:', err.message);
-    return new Map();
-  }
-}
-
-// Classify each tag label: matched to a known Emby user, or unmatched.
-// Returns array of { label, matchedUser: string|null }
-function buildTagBadges(allTags, embyUserMap) {
-  return allTags.map(label => {
-    const lower = label.toLowerCase();
-    const sanitized = sanitizeTagLabel(label);
-    const displayName = embyUserMap.get(lower) || embyUserMap.get(sanitized) || null;
-    return { label, matchedUser: displayName };
-  });
-}
-
 // Track active dashboard clients: Map<username, { refreshRateMs, lastSeen }>
 const activeClients = new Map();
 const CLIENT_STALE_MS = 30000; // consider client gone after 30s of no requests
@@ -143,9 +106,15 @@ function getActiveClients() {
 }

 // Get user downloads for authenticated user
-router.get('/user-downloads', requireAuth, async (req, res) => {
+router.get('/user-downloads', async (req, res) => {
  try {
-    const user = req.user;
+    // Get authenticated user from cookie
+    const userCookie = req.cookies.emby_user;
+    if (!userCookie) {
+      return res.status(401).json({ error: 'Not authenticated' });
+    }
+    
+    const user = JSON.parse(userCookie);
    const username = user.name.toLowerCase();
    const usernameSanitized = sanitizeTagLabel(user.name);
    const isAdmin = !!user.isAdmin;
@@ -210,9 +179,6 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
    const sonarrTagMap = new Map(sonarrTagsResults.flatMap(t => t.data || []).map(t => [t.id, t.label]));
    const radarrTagMap = new Map(radarrTags.data.map(t => [t.id, t.label]));

-    // When showing all downloads, fetch full Emby user list to classify tags
-    const embyUserMap = showAll ? await getEmbyUsers() : new Map();
-
    console.log(`[Dashboard] Cache data - Series: ${seriesMap.size}, Movies: ${moviesMap.size}, qBit: ${qbittorrentTorrents.length}`);

    // Match SABnzbd downloads to Sonarr/Radarr activity
@@ -258,10 +224,8 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
          if (sonarrMatch && sonarrMatch.seriesId) {
            const series = seriesMap.get(sonarrMatch.seriesId) || sonarrMatch.series;
            if (series) {
-              const allTags = extractAllTags(series.tags, sonarrTagMap);
-              const matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
-              const hasAnyTag = allTags.length > 0;
-              if (showAll ? hasAnyTag : !!matchedUserTag) {
+              const userTag = extractUserTag(series.tags, sonarrTagMap);
+              if (userTag && (showAll || tagMatchesUser(userTag, username))) {
                const dlObj = {
                  type: 'series',
                  title: nzbName,
@@ -275,9 +239,7 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                  eta: slot.timeleft,
                  seriesName: series.title,
                  episodeInfo: sonarrMatch,
-                  allTags,
-                  matchedUserTag: matchedUserTag || null,
-                  tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined
+                  userTag: userTag
                };
                const issues = getImportIssues(sonarrMatch);
                if (issues) dlObj.importIssues = issues;
@@ -300,10 +262,8 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
          if (radarrMatch && radarrMatch.movieId) {
            const movie = moviesMap.get(radarrMatch.movieId) || radarrMatch.movie;
            if (movie) {
-              const allTags = extractAllTags(movie.tags, radarrTagMap);
-              const matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
-              const hasAnyTag = allTags.length > 0;
-              if (showAll ? hasAnyTag : !!matchedUserTag) {
+              const userTag = extractUserTag(movie.tags, radarrTagMap);
+              if (userTag && (showAll || tagMatchesUser(userTag, username))) {
                const dlObj = {
                  type: 'movie',
                  title: nzbName,
@@ -317,9 +277,7 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                  eta: slot.timeleft,
                  movieName: movie.title,
                  movieInfo: radarrMatch,
-                  allTags,
-                  matchedUserTag: matchedUserTag || null,
-                  tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined
+                  userTag: userTag
                };
                const issues = getImportIssues(radarrMatch);
                if (issues) dlObj.importIssues = issues;
@@ -359,10 +317,8 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
          if (sonarrMatch && sonarrMatch.seriesId) {
            const series = seriesMap.get(sonarrMatch.seriesId) || sonarrMatch.series;
            if (series) {
-              const allTags = extractAllTags(series.tags, sonarrTagMap);
-              const matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
-              const hasAnyTag = allTags.length > 0;
-              if (showAll ? hasAnyTag : !!matchedUserTag) {
+              const userTag = extractUserTag(series.tags, sonarrTagMap);
+              if (userTag && (showAll || tagMatchesUser(userTag, username))) {
                const dlObj = {
                  type: 'series',
                  title: nzbName,
@@ -372,9 +328,7 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                  completedAt: slot.completed_time,
                  seriesName: series.title,
                  episodeInfo: sonarrMatch,
-                  allTags,
-                  matchedUserTag: matchedUserTag || null,
-                  tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined
+                  userTag: userTag
                };
                if (isAdmin) {
                  dlObj.downloadPath = slot.storage || null;
@@ -395,10 +349,8 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
          if (radarrMatch && radarrMatch.movieId) {
            const movie = moviesMap.get(radarrMatch.movieId) || radarrMatch.movie;
            if (movie) {
-              const allTags = extractAllTags(movie.tags, radarrTagMap);
-              const matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
-              const hasAnyTag = allTags.length > 0;
-              if (showAll ? hasAnyTag : !!matchedUserTag) {
+              const userTag = extractUserTag(movie.tags, radarrTagMap);
+              if (userTag && (showAll || tagMatchesUser(userTag, username))) {
                const dlObj = {
                  type: 'movie',
                  title: nzbName,
@@ -408,9 +360,7 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
                  completedAt: slot.completed_time,
                  movieName: movie.title,
                  movieInfo: radarrMatch,
-                  allTags,
-                  matchedUserTag: matchedUserTag || null,
-                  tagBadges: showAll ? buildTagBadges(allTags, embyUserMap) : undefined
+                  userTag: userTag
                };
                if (isAdmin) {
                  dlObj.downloadPath = slot.storage || null;
@@ -438,10 +388,12 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
    
    // Show movies/series tagged for this user (from embedded objects in queue/history)
    const userMovies = Array.from(moviesMap.values()).filter(m => {
-      return !!extractUserTag(m.tags, radarrTagMap, username);
+      const tag = extractUserTag(m.tags, radarrTagMap);
+      return tag && tagMatchesUser(tag, username);
    });
    const userSeries = Array.from(seriesMap.values()).filter(s => {
-      return !!extractUserTag(s.tags, sonarrTagMap, username);
+      const tag = extractUserTag(s.tags, sonarrTagMap);
+      return tag && tagMatchesUser(tag, username);
    });
    console.log(`[Dashboard] Movies tagged for ${username}:`, userMovies.map(m => m.title));
    console.log(`[Dashboard] Series tagged for ${username}:`, userSeries.map(s => s.title));
@@ -465,19 +417,15 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
        if (sonarrMatch && sonarrMatch.seriesId) {
          const series = seriesMap.get(sonarrMatch.seriesId) || sonarrMatch.series;
          if (series) {
-            const allTags = extractAllTags(series.tags, sonarrTagMap);
-            const matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
-            const hasAnyTag = allTags.length > 0;
-            if (showAll ? hasAnyTag : !!matchedUserTag) {
+            const userTag = extractUserTag(series.tags, sonarrTagMap);
+            if (userTag && (showAll || tagMatchesUser(userTag, username))) {
              console.log(`[Dashboard] Matched torrent "${torrentName}" to Sonarr series "${series.title}"`);
              const download = mapTorrentToDownload(torrent);
              download.type = 'series';
              download.coverArt = getCoverArt(series);
              download.seriesName = series.title;
              download.episodeInfo = sonarrMatch;
-              download.allTags = allTags;
-              download.matchedUserTag = matchedUserTag || null;
-              download.tagBadges = showAll ? buildTagBadges(allTags, embyUserMap) : undefined;
+              download.userTag = userTag;
              const sonarrIssues = getImportIssues(sonarrMatch);
              if (sonarrIssues) download.importIssues = sonarrIssues;
              if (isAdmin) {
@@ -500,19 +448,15 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
        if (radarrMatch && radarrMatch.movieId) {
          const movie = moviesMap.get(radarrMatch.movieId) || radarrMatch.movie;
          if (movie) {
-            const allTags = extractAllTags(movie.tags, radarrTagMap);
-            const matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
-            const hasAnyTag = allTags.length > 0;
-            if (showAll ? hasAnyTag : !!matchedUserTag) {
+            const userTag = extractUserTag(movie.tags, radarrTagMap);
+            if (userTag && (showAll || tagMatchesUser(userTag, username))) {
              console.log(`[Dashboard] Matched torrent "${torrentName}" to Radarr movie "${movie.title}"`);
              const download = mapTorrentToDownload(torrent);
              download.type = 'movie';
              download.coverArt = getCoverArt(movie);
              download.movieName = movie.title;
              download.movieInfo = radarrMatch;
-              download.allTags = allTags;
-              download.matchedUserTag = matchedUserTag || null;
-              download.tagBadges = showAll ? buildTagBadges(allTags, embyUserMap) : undefined;
+              download.userTag = userTag;
              const radarrIssues = getImportIssues(radarrMatch);
              if (radarrIssues) download.importIssues = radarrIssues;
              if (isAdmin) {
@@ -535,19 +479,15 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
        if (sonarrHistoryMatch && sonarrHistoryMatch.seriesId) {
          const series = seriesMap.get(sonarrHistoryMatch.seriesId) || sonarrHistoryMatch.series;
          if (series) {
-            const allTags = extractAllTags(series.tags, sonarrTagMap);
-            const matchedUserTag = extractUserTag(series.tags, sonarrTagMap, username);
-            const hasAnyTag = allTags.length > 0;
-            if (showAll ? hasAnyTag : !!matchedUserTag) {
+            const userTag = extractUserTag(series.tags, sonarrTagMap);
+            if (userTag && (showAll || tagMatchesUser(userTag, username))) {
              console.log(`[Dashboard] Matched torrent "${torrentName}" to Sonarr history "${series.title}"`);
              const download = mapTorrentToDownload(torrent);
              download.type = 'series';
              download.coverArt = getCoverArt(series);
              download.seriesName = series.title;
              download.episodeInfo = sonarrHistoryMatch;
-              download.allTags = allTags;
-              download.matchedUserTag = matchedUserTag || null;
-              download.tagBadges = showAll ? buildTagBadges(allTags, embyUserMap) : undefined;
+              download.userTag = userTag;
              if (isAdmin) {
                download.downloadPath = download.savePath || null;
                download.targetPath = series.path || null;
@@ -568,19 +508,15 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
        if (radarrHistoryMatch && radarrHistoryMatch.movieId) {
          const movie = moviesMap.get(radarrHistoryMatch.movieId) || radarrHistoryMatch.movie;
          if (movie) {
-            const allTags = extractAllTags(movie.tags, radarrTagMap);
-            const matchedUserTag = extractUserTag(movie.tags, radarrTagMap, username);
-            const hasAnyTag = allTags.length > 0;
-            if (showAll ? hasAnyTag : !!matchedUserTag) {
+            const userTag = extractUserTag(movie.tags, radarrTagMap);
+            if (userTag && (showAll || tagMatchesUser(userTag, username))) {
              console.log(`[Dashboard] Matched torrent "${torrentName}" to Radarr history "${movie.title}"`);
              const download = mapTorrentToDownload(torrent);
              download.type = 'movie';
              download.coverArt = getCoverArt(movie);
              download.movieName = movie.title;
              download.movieInfo = radarrHistoryMatch;
-              download.allTags = allTags;
-              download.matchedUserTag = matchedUserTag || null;
-              download.tagBadges = showAll ? buildTagBadges(allTags, embyUserMap) : undefined;
+              download.userTag = userTag;
              if (isAdmin) {
                download.downloadPath = download.savePath || null;
                download.targetPath = movie.path || null;
@@ -611,19 +547,19 @@ router.get('/user-downloads', requireAuth, async (req, res) => {
  } catch (error) {
    console.error(`[Dashboard] Error fetching user downloads:`, error.message);
    console.error(`[Dashboard] Full error:`, error);
-    res.status(500).json({ error: 'Failed to fetch user downloads', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch user downloads', details: error.message });
  }
 });

 // Get all users with their download counts
-router.get('/user-summary', requireAuth, async (req, res) => {
+router.get('/user-summary', async (req, res) => {
  try {
    const sonarrInstances = getSonarrInstances();
    const radarrInstances = getRadarrInstances();

    // Get all Emby users
-    const usersResponse = await axios.get(`${process.env.EMBY_URL}/Users`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    const usersResponse = await axios.get(`${EMBY_URL}/Users`, {
+      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
    });

    // Get all series, movies, and tags from all instances
@@ -667,32 +603,40 @@ router.get('/user-summary', requireAuth, async (req, res) => {

    // Process series tags
    allSeries.forEach(series => {
-      const tags = extractAllTags(series.tags, sonarrTagMap);
-      tags.forEach(userTag => {
-        const uname = userTag.toLowerCase();
-        if (userDownloads[uname]) userDownloads[uname].seriesCount++;
-      });
+      const userTag = extractUserTag(series.tags, sonarrTagMap);
+      if (userTag) {
+        const username = userTag.toLowerCase();
+        if (userDownloads[username]) {
+          userDownloads[username].seriesCount++;
+        }
+      }
    });

    // Process movie tags
    allMovies.forEach(movie => {
-      const tags = extractAllTags(movie.tags, radarrTagMap);
-      tags.forEach(userTag => {
-        const uname = userTag.toLowerCase();
-        if (userDownloads[uname]) userDownloads[uname].movieCount++;
-      });
+      const userTag = extractUserTag(movie.tags, radarrTagMap);
+      if (userTag) {
+        const username = userTag.toLowerCase();
+        if (userDownloads[username]) {
+          userDownloads[username].movieCount++;
+        }
+      }
    });

    res.json(Object.values(userDownloads));
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch user summary', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch user summary', details: error.message });
  }
 });

 // Admin-only status page with cache stats
-router.get('/status', requireAuth, (req, res) => {
+router.get('/status', (req, res) => {
  try {
-    const user = req.user;
+    const userCookie = req.cookies.emby_user;
+    if (!userCookie) {
+      return res.status(401).json({ error: 'Not authenticated' });
+    }
+    const user = JSON.parse(userCookie);
    if (!user.isAdmin) {
      return res.status(403).json({ error: 'Admin access required' });
    }
@@ -721,41 +665,4 @@ router.get('/status', requireAuth, (req, res) => {
  }
 });

-// Cover art proxy — fetches external poster images server-side so the
-// browser loads them from 'self' and the CSP img-src stays tight.
-// Requires authentication. Only proxies http/https URLs.
-router.get('/cover-art', requireAuth, async (req, res) => {
-  const { url } = req.query;
-  if (!url || typeof url !== 'string') {
-    return res.status(400).json({ error: 'Missing url parameter' });
-  }
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    return res.status(400).json({ error: 'Invalid url' });
-  }
-  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
-    return res.status(400).json({ error: 'Only http/https URLs are supported' });
-  }
-  try {
-    const response = await axios.get(url, {
-      responseType: 'stream',
-      timeout: 8000,
-      maxContentLength: 5 * 1024 * 1024 // 5 MB max
-    });
-    const contentType = response.headers['content-type'] || 'image/jpeg';
-    // Only proxy image content types
-    if (!contentType.startsWith('image/')) {
-      return res.status(400).json({ error: 'Remote URL is not an image' });
-    }
-    res.setHeader('Content-Type', contentType);
-    res.setHeader('Cache-Control', 'public, max-age=86400'); // 24h browser cache
-    res.setHeader('X-Content-Type-Options', 'nosniff');
-    response.data.pipe(res);
-  } catch (err) {
-    res.status(502).json({ error: 'Failed to fetch cover art' });
-  }
-});
-
 module.exports = router;
@@ -1,52 +1,51 @@
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
-const requireAuth = require('../middleware/requireAuth');
-const sanitizeError = require('../utils/sanitizeError');

-router.use(requireAuth);
+const EMBY_URL = process.env.EMBY_URL;
+const EMBY_API_KEY = process.env.EMBY_API_KEY;

 // Get active sessions
 router.get('/sessions', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.EMBY_URL}/Sessions`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    const response = await axios.get(`${EMBY_URL}/Sessions`, {
+      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch Emby sessions', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch Emby sessions', details: error.message });
  }
 });

 // Get user by ID
 router.get('/users/:id', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.EMBY_URL}/Users/${req.params.id}`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    const response = await axios.get(`${EMBY_URL}/Users/${req.params.id}`, {
+      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch user details', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch user details', details: error.message });
  }
 });

 // Get all users
 router.get('/users', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.EMBY_URL}/Users`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    const response = await axios.get(`${EMBY_URL}/Users`, {
+      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch users', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch users', details: error.message });
  }
 });

 // Get current user by session ID
 router.get('/session/:sessionId/user', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.EMBY_URL}/Sessions`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    const response = await axios.get(`${EMBY_URL}/Sessions`, {
+      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
    });
    
    const session = response.data.find(s => s.Id === req.params.sessionId);
@@ -54,13 +53,13 @@ router.get('/session/:sessionId/user', async (req, res) => {
      return res.status(404).json({ error: 'Session not found' });
    }
    
-    const userResponse = await axios.get(`${process.env.EMBY_URL}/Users/${session.UserId}`, {
-      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
+    const userResponse = await axios.get(`${EMBY_URL}/Users/${session.UserId}`, {
+      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
    });
    
    res.json(userResponse.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch user from session', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch user from session', details: error.message });
  }
 });

@@ -1,57 +1,56 @@
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
-const requireAuth = require('../middleware/requireAuth');
-const sanitizeError = require('../utils/sanitizeError');

-router.use(requireAuth);
+const RADARR_URL = process.env.RADARR_URL;
+const RADARR_API_KEY = process.env.RADARR_API_KEY;

 // Get queue
 router.get('/queue', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.RADARR_URL}/api/v3/queue`, {
-      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    const response = await axios.get(`${RADARR_URL}/api/v3/queue`, {
+      headers: { 'X-Api-Key': RADARR_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch Radarr queue', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch Radarr queue', details: error.message });
  }
 });

 // Get history
 router.get('/history', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.RADARR_URL}/api/v3/history`, {
-      headers: { 'X-Api-Key': process.env.RADARR_API_KEY },
+    const response = await axios.get(`${RADARR_URL}/api/v3/history`, {
+      headers: { 'X-Api-Key': RADARR_API_KEY },
      params: { pageSize: req.query.pageSize || 50 }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch Radarr history', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch Radarr history', details: error.message });
  }
 });

 // Get movie details
 router.get('/movies/:id', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.RADARR_URL}/api/v3/movie/${req.params.id}`, {
-      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    const response = await axios.get(`${RADARR_URL}/api/v3/movie/${req.params.id}`, {
+      headers: { 'X-Api-Key': RADARR_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch movie details', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch movie details', details: error.message });
  }
 });

 // Get all movies with tags
 router.get('/movies', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.RADARR_URL}/api/v3/movie`, {
-      headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
+    const response = await axios.get(`${RADARR_URL}/api/v3/movie`, {
+      headers: { 'X-Api-Key': RADARR_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch movies', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch movies', details: error.message });
  }
 });

@@ -1,41 +1,40 @@
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
-const requireAuth = require('../middleware/requireAuth');
-const sanitizeError = require('../utils/sanitizeError');

-router.use(requireAuth);
+const SABNZBD_URL = process.env.SABNZBD_URL;
+const SABNZBD_API_KEY = process.env.SABNZBD_API_KEY;

 // Get current queue
 router.get('/queue', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.SABNZBD_URL}/api`, {
+    const response = await axios.get(`${SABNZBD_URL}/api`, {
      params: {
        mode: 'queue',
-        apikey: process.env.SABNZBD_API_KEY,
+        apikey: SABNZBD_API_KEY,
        output: 'json'
      }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch SABnzbd queue', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch SABnzbd queue', details: error.message });
  }
 });

 // Get history
 router.get('/history', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.SABNZBD_URL}/api`, {
+    const response = await axios.get(`${SABNZBD_URL}/api`, {
      params: {
        mode: 'history',
-        apikey: process.env.SABNZBD_API_KEY,
+        apikey: SABNZBD_API_KEY,
        output: 'json',
        limit: req.query.limit || 50
      }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch SABnzbd history', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch SABnzbd history', details: error.message });
  }
 });

@@ -1,57 +1,56 @@
 const express = require('express');
 const axios = require('axios');
 const router = express.Router();
-const requireAuth = require('../middleware/requireAuth');
-const sanitizeError = require('../utils/sanitizeError');

-router.use(requireAuth);
+const SONARR_URL = process.env.SONARR_URL;
+const SONARR_API_KEY = process.env.SONARR_API_KEY;

 // Get queue
 router.get('/queue', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.SONARR_URL}/api/v3/queue`, {
-      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    const response = await axios.get(`${SONARR_URL}/api/v3/queue`, {
+      headers: { 'X-Api-Key': SONARR_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch Sonarr queue', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch Sonarr queue', details: error.message });
  }
 });

 // Get history
 router.get('/history', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.SONARR_URL}/api/v3/history`, {
-      headers: { 'X-Api-Key': process.env.SONARR_API_KEY },
+    const response = await axios.get(`${SONARR_URL}/api/v3/history`, {
+      headers: { 'X-Api-Key': SONARR_API_KEY },
      params: { pageSize: req.query.pageSize || 50 }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch Sonarr history', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch Sonarr history', details: error.message });
  }
 });

 // Get series details
 router.get('/series/:id', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.SONARR_URL}/api/v3/series/${req.params.id}`, {
-      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    const response = await axios.get(`${SONARR_URL}/api/v3/series/${req.params.id}`, {
+      headers: { 'X-Api-Key': SONARR_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch series details', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch series details', details: error.message });
  }
 });

 // Get all series with tags
 router.get('/series', async (req, res) => {
  try {
-    const response = await axios.get(`${process.env.SONARR_URL}/api/v3/series`, {
-      headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
+    const response = await axios.get(`${SONARR_URL}/api/v3/series`, {
+      headers: { 'X-Api-Key': SONARR_API_KEY }
    });
    res.json(response.data);
  } catch (error) {
-    res.status(500).json({ error: 'Failed to fetch series', details: sanitizeError(error) });
+    res.status(500).json({ error: 'Failed to fetch series', details: error.message });
  }
 });

@@ -1,12 +1,7 @@
 const fs = require('fs');
 const path = require('path');

-// Use DATA_DIR so the non-root container user (UID 1000) can write logs.
-// Falls back to ../../data/server.log (same directory index.js uses).
-const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, '../../data');
-if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
-
-const logFile = fs.createWriteStream(path.join(DATA_DIR, 'server.log'), { flags: 'a' });
+const logFile = fs.createWriteStream(path.join(__dirname, '../../server.log'), { flags: 'a' });

 function logToFile(message) {
  logFile.write(`[${new Date().toISOString()}] ${message}\n`);
@@ -1,21 +0,0 @@
-// Query-param secrets (SABnzbd apikey, generic token/password params)
-const QUERY_SECRET_PATTERN = /([?&](?:apikey|token|password|api_key|key|secret)=)[^&\s#]*/gi;
-// HTTP auth header values (X-Api-Key, X-MediaBrowser-Token, Authorization, X-Emby-Authorization)
-// Redact everything after the colon to end-of-line (MediaBrowser headers span the full line)
-const HEADER_PATTERN = /(?:x-api-key|x-mediabrowser-token|x-emby-authorization|authorization)\s*:[^\n]*/gi;
-// Bearer tokens
-const BEARER_PATTERN = /bearer\s+[A-Za-z0-9\-._~+/]+=*/gi;
-// Basic auth credentials in URLs (http://user:pass@host)
-const BASIC_AUTH_URL_PATTERN = /\/\/[^:@/\s]+:[^@/\s]+@/gi;
-
-function sanitizeError(err) {
-  let msg = (err && err.message) ? err.message : String(err);
-  msg = msg.replace(QUERY_SECRET_PATTERN, '$1[REDACTED]');
-  msg = msg.replace(HEADER_PATTERN, (m) => m.split(/[\s:]/)[0] + ':[REDACTED]');
-  msg = msg.replace(BEARER_PATTERN, 'bearer [REDACTED]');
-  msg = msg.replace(BASIC_AUTH_URL_PATTERN, '//[REDACTED]@');
-  // Never leak stack traces to API responses
-  return msg;
-}
-
-module.exports = sanitizeError;
@@ -1,97 +0,0 @@
-/**
- * Persistent token store backed by a JSON file.
- *
- * Pure JavaScript — no native addons, no build tools required.
- * Survives process restarts so users are not logged out on redeploy.
- *
- * Tokens are stored in DATA_DIR/tokens.json (default: ./data locally,
- * /app/data in the container). Writes are atomic: data is written to a
- * temp file then renamed so a crash mid-write never corrupts the store.
- *
- * Format: { "<userId>": { accessToken: "...", createdAt: <unix ms> } }
- *
- * Expired entries (older than TOKEN_TTL_DAYS) are pruned on startup
- * and once per hour.
- */
-
-const path = require('path');
-const fs = require('fs');
-
-const TOKEN_TTL_DAYS = 31; // slightly longer than max cookie lifetime (30d)
-const TOKEN_TTL_MS = TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
-
-const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, '../../data');
-if (!fs.existsSync(DATA_DIR)) {
-  fs.mkdirSync(DATA_DIR, { recursive: true });
-}
-
-const STORE_PATH = path.join(DATA_DIR, 'tokens.json');
-const STORE_TMP  = STORE_PATH + '.tmp';
-
-// Load store from disk, return empty object on any error
-function load() {
-  try {
-    return JSON.parse(fs.readFileSync(STORE_PATH, 'utf8'));
-  } catch {
-    return {};
-  }
-}
-
-// Atomic write: write to .tmp then rename to avoid partial-write corruption
-function save(data) {
-  try {
-    fs.writeFileSync(STORE_TMP, JSON.stringify(data), 'utf8');
-    fs.renameSync(STORE_TMP, STORE_PATH);
-  } catch (err) {
-    console.error('[TokenStore] Failed to persist token store:', err.message);
-  }
-}
-
-function prune(data) {
-  const cutoff = Date.now() - TOKEN_TTL_MS;
-  let pruned = 0;
-  for (const userId of Object.keys(data)) {
-    if (data[userId].createdAt < cutoff) {
-      delete data[userId];
-      pruned++;
-    }
-  }
-  if (pruned > 0) {
-    console.log(`[TokenStore] Pruned ${pruned} expired token(s)`);
-  }
-  return data;
-}
-
-// Prune on startup
-let store = prune(load());
-save(store);
-
-// Prune once per hour (unref so it doesn't keep the process alive)
-setInterval(() => {
-  store = prune(load());
-  save(store);
-}, 60 * 60 * 1000).unref();
-
-module.exports = {
-  storeToken(userId, accessToken) {
-    store[userId] = { accessToken, createdAt: Date.now() };
-    save(store);
-  },
-  getToken(userId) {
-    const entry = store[userId];
-    if (!entry) return null;
-    // Also honour TTL on read in case pruning hasn't run yet
-    if (Date.now() - entry.createdAt > TOKEN_TTL_MS) {
-      delete store[userId];
-      save(store);
-      return null;
-    }
-    return { accessToken: entry.accessToken };
-  },
-  clearToken(userId) {
-    if (store[userId]) {
-      delete store[userId];
-      save(store);
-    }
-  }
-};
@@ -1,67 +0,0 @@
-# Testing
-
-## Stack
-
-| Layer | Tool |
-|---|---|
-| Test runner | [Vitest](https://vitest.dev/) v4 |
-| HTTP integration | [supertest](https://github.com/ladjs/supertest) |
-| HTTP interception | [nock](https://github.com/nock/nock) (intercepts at Node http layer — works with CJS `require('axios')`) |
-| Coverage | V8 (built-in, no Babel needed) |
-
-## Running tests
-
-```bash
-# Run all tests once
-npm test
-
-# Watch mode (re-runs on file change)
-npm run test:watch
-
-# With coverage report
-npm run test:coverage
-
-# Interactive UI
-npm run test:ui
-```
-
-Coverage output lands in `coverage/` (gitignored). Open `coverage/index.html` for the HTML report.
-
-## Structure
-
-```
-tests/
-├── setup.js               # Global setup: isolated DATA_DIR, SKIP_RATE_LIMIT, console suppression
-├── unit/
-│   ├── sanitizeError.test.js  # Secret redaction patterns (API keys, tokens, passwords)
-│   ├── config.test.js         # JSON array + legacy single-instance config parsing
-│   ├── requireAuth.test.js    # Auth middleware: valid/invalid/tampered cookies
-│   ├── verifyCsrf.test.js     # CSRF double-submit cookie pattern + timing-safe compare
-│   ├── qbittorrent.test.js    # Pure utils: formatBytes, formatEta, mapTorrentToDownload
-│   └── tokenStore.test.js     # JSON file token store: store/get/clear, TTL expiry
-└── integration/
-    ├── health.test.js         # GET /health and /ready endpoints
-    └── auth.test.js           # Full login/logout/me/csrf flows via supertest + nock
-```
-
-## Key design decisions
-
- **`server/app.js`** — Express factory extracted from `server/index.js`. Tests import `createApp()` without triggering the log-file setup, `process.exit()` calls, or background poller in the entry point.
- **nock over `vi.mock('axios')`** — Vitest's `vi.mock` only intercepts ESM `import` statements. Since `auth.js` uses CJS `require('axios')`, nock (which patches Node's `http`/`https` modules) is the correct tool for intercepting outbound requests.
- **`SKIP_RATE_LIMIT=1`** — All supertest requests originate from `127.0.0.1`, which would quickly exhaust per-IP rate-limit windows. Setting this env var raises the limits to `Number.MAX_SAFE_INTEGER` in both the API limiter and the login limiter.
- **Isolated `DATA_DIR`** — Each test worker gets a unique temp directory so `tokenStore.js` file I/O never conflicts with a running dev server.
- **`createApp({ skipRateLimits: true })`** — The app factory accepts an option to disable the general API rate limiter in addition to the env var for the login-specific limiter.
-
-## Coverage targets
-
-The tested files meet these per-file minimums (enforced in CI):
-
-| File | Lines | Branches |
-|---|---|---|
-| `server/app.js` | 85% | 65% |
-| `server/routes/auth.js` | 85% | 70% |
-| `server/middleware/requireAuth.js` | 75% | 80% |
-| `server/utils/sanitizeError.js` | 60% | — |
-| `server/utils/config.js` | 50% | 55% |
-
-`dashboard.js` and `poller.js` are large files requiring complex external-service mocks (Sonarr, Radarr, qBittorrent, Emby) and are tracked as future test coverage work.
@@ -1,299 +0,0 @@
-/**
- * Integration tests for authentication routes.
- *
- * Uses supertest against the createApp() factory (no real server).
- * HTTP calls to Emby are intercepted at the Node http/https layer using nock,
- * which works correctly with CJS require('axios') unlike vi.mock which only
- * intercepts ESM imports.
- *
- * Covers:
- *  - Input validation on /login (empty fields, overlong values)
- *  - Successful login flow (cookies set, CSRF token returned)
- *  - Failed login (wrong credentials → 401, no cookie set)
- *  - /me endpoint (authenticated vs unauthenticated)
- *  - /csrf token issuance
- *  - /logout (cookies cleared)
- */
-
-import request from 'supertest';
-import nock from 'nock';
-import { createApp } from '../../server/app.js';
-
-const EMBY_BASE = 'https://emby.test';
-
-// Emby response fixtures
-const EMBY_AUTH_BODY = {
-  AccessToken: 'test-emby-token-abc123',
-  User: { Id: 'user-id-001', Name: 'TestUser' }
-};
-
-const EMBY_USER_BODY = {
-  Id: 'user-id-001',
-  Name: 'TestUser',
-  Policy: { IsAdministrator: false }
-};
-
-const EMBY_ADMIN_BODY = {
-  Id: 'admin-id-001',
-  Name: 'AdminUser',
-  Policy: { IsAdministrator: true }
-};
-
-// Helper: intercept a successful Emby login + user-info sequence
-function interceptSuccessfulLogin(userBody = EMBY_USER_BODY) {
-  nock(EMBY_BASE)
-    .post('/Users/authenticatebyname')
-    .reply(200, EMBY_AUTH_BODY);
-  nock(EMBY_BASE)
-    .get(/\/Users\//)
-    .reply(200, userBody);
-}
-
-afterEach(() => {
-  nock.cleanAll(); // remove any pending interceptors between tests
-});
-
-describe('POST /api/auth/login', () => {
-  // Each sub-describe gets a fresh app to avoid rate-limit state leaking
-  // between the 'input validation' calls (which all fail and count toward
-  // the 10-failure window) and the 'successful login' calls.
-  let app;
-
-  beforeEach(() => {
-    process.env.EMBY_URL = 'https://emby.test';
-    delete process.env.COOKIE_SECRET;
-    // skipRateLimits avoids 429s from the login limiter when all
-    // requests come from 127.0.0.1 in the test environment
-    app = createApp({ skipRateLimits: true });
-    vi.clearAllMocks();
-  });
-
-  afterEach(() => {
-    delete process.env.EMBY_URL;
-    delete process.env.COOKIE_SECRET;
-  });
-
-  describe('input validation', () => {
-    it('rejects empty username', async () => {
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: '', password: 'pass' });
-      expect(res.status).toBe(400);
-      expect(res.body.success).toBe(false);
-    });
-
-    it('rejects missing password', async () => {
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'alice', password: '' });
-      expect(res.status).toBe(400);
-      expect(res.body.success).toBe(false);
-    });
-
-    it('rejects username over 128 chars', async () => {
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'a'.repeat(129), password: 'pass' });
-      expect(res.status).toBe(400);
-    });
-
-    it('rejects password over 256 chars', async () => {
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'alice', password: 'p'.repeat(257) });
-      expect(res.status).toBe(400);
-    });
-
-    it('rejects non-string username', async () => {
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 123, password: 'pass' });
-      expect(res.status).toBe(400);
-    });
-  });
-
-  describe('successful login', () => {
-    it('returns success:true with user info', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct' });
-      expect(res.status).toBe(200);
-      expect(res.body.success).toBe(true);
-      expect(res.body.user.name).toBe('TestUser');
-      expect(res.body.user.isAdmin).toBe(false);
-    });
-
-    it('sets emby_user cookie', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct' });
-      const cookies = res.headers['set-cookie'] || [];
-      expect(cookies.some(c => c.startsWith('emby_user='))).toBe(true);
-    });
-
-    it('sets csrf_token cookie', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct' });
-      const cookies = res.headers['set-cookie'] || [];
-      expect(cookies.some(c => c.startsWith('csrf_token='))).toBe(true);
-    });
-
-    it('returns csrfToken in response body', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct' });
-      expect(typeof res.body.csrfToken).toBe('string');
-      expect(res.body.csrfToken.length).toBeGreaterThan(0);
-    });
-
-    it('session cookie has no maxAge when rememberMe is false', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct', rememberMe: false });
-      const cookies = res.headers['set-cookie'] || [];
-      const sessionCookie = cookies.find(c => c.startsWith('emby_user='));
-      // Session cookie must not persist across browser close
-      expect(sessionCookie).toBeDefined();
-      expect(sessionCookie).not.toContain('Max-Age');
-    });
-
-    it('sets 30-day maxAge when rememberMe is true', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct', rememberMe: true });
-      const cookies = res.headers['set-cookie'] || [];
-      const sessionCookie = cookies.find(c => c.startsWith('emby_user='));
-      expect(sessionCookie).toBeDefined();
-      expect(sessionCookie).toContain('Max-Age');
-    });
-
-    it('marks isAdmin correctly for admin user', async () => {
-      interceptSuccessfulLogin(EMBY_ADMIN_BODY);
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'AdminUser', password: 'correct' });
-      expect(res.status).toBe(200);
-      expect(res.body.user.isAdmin).toBe(true);
-    });
-
-    it('does not include AccessToken in response body', async () => {
-      interceptSuccessfulLogin();
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'TestUser', password: 'correct' });
-      // The Emby access token must never be sent to the client
-      expect(JSON.stringify(res.body)).not.toContain('test-emby-token-abc123');
-    });
-  });
-
-  describe('failed login', () => {
-    it('returns 401 when Emby rejects credentials', async () => {
-      nock(EMBY_BASE).post('/Users/authenticatebyname').reply(401, { error: 'Unauthorized' });
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'baduser', password: 'wrongpass' });
-      expect(res.status).toBe(401);
-      expect(res.body.success).toBe(false);
-      // Must not expose internal error details
-      expect(res.body.error).toBe('Invalid username or password');
-    });
-
-    it('does not set emby_user cookie on failure', async () => {
-      nock(EMBY_BASE).post('/Users/authenticatebyname').reply(401, {});
-      const res = await request(app)
-        .post('/api/auth/login')
-        .send({ username: 'baduser', password: 'wrongpass' });
-      const cookies = res.headers['set-cookie'] || [];
-      expect(cookies.some(c => c.startsWith('emby_user='))).toBe(false);
-    });
-  });
-});
-
-describe('GET /api/auth/me', () => {
-  let app;
-
-  beforeEach(() => {
-    delete process.env.COOKIE_SECRET;
-    app = createApp({ skipRateLimits: true });
-  });
-
-  it('returns authenticated:false when no cookie', async () => {
-    const res = await request(app).get('/api/auth/me');
-    expect(res.status).toBe(200);
-    expect(res.body.authenticated).toBe(false);
-  });
-
-  it('returns authenticated:true with valid cookie', async () => {
-    const payload = JSON.stringify({ id: 'u1', name: 'Alice', isAdmin: false });
-    const res = await request(app)
-      .get('/api/auth/me')
-      .set('Cookie', `emby_user=${encodeURIComponent(payload)}`);
-    expect(res.body.authenticated).toBe(true);
-    expect(res.body.user.name).toBe('Alice');
-  });
-});
-
-describe('GET /api/auth/csrf', () => {
-  it('issues a csrf_token cookie and returns csrfToken in body', async () => {
-    const app = createApp({ skipRateLimits: true });
-    const res = await request(app).get('/api/auth/csrf');
-    expect(res.status).toBe(200);
-    expect(typeof res.body.csrfToken).toBe('string');
-    expect(res.body.csrfToken.length).toBe(64); // 32 bytes hex
-    const cookies = res.headers['set-cookie'] || [];
-    expect(cookies.some(c => c.startsWith('csrf_token='))).toBe(true);
-  });
-});
-
-describe('POST /api/auth/logout', () => {
-  let app;
-
-  beforeEach(() => {
-    process.env.EMBY_URL = 'https://emby.test';
-    delete process.env.COOKIE_SECRET;
-    app = createApp({ skipRateLimits: true });
-    vi.clearAllMocks();
-  });
-
-  afterEach(() => {
-    delete process.env.EMBY_URL;
-  });
-
-  // NOTE: /api/auth/* is mounted BEFORE the verifyCsrf middleware in app.js,
-  // so logout does not require a CSRF token by design. The session cookie's
-  // sameSite:strict attribute provides equivalent CSRF protection for logout.
-  it('succeeds without a CSRF token (sameSite:strict provides protection)', async () => {
-    nock(EMBY_BASE).post('/Sessions/Logout').reply(200, {});
-    const res = await request(app)
-      .post('/api/auth/logout');
-    expect(res.status).toBe(200);
-    expect(res.body.success).toBe(true);
-  });
-
-  it('clears cookies and returns success when CSRF token is provided', async () => {
-    const csrfRes = await request(app).get('/api/auth/csrf');
-    const csrfToken = csrfRes.body.csrfToken;
-    const csrfCookie = csrfRes.headers['set-cookie'].find(c => c.startsWith('csrf_token='));
-
-    nock(EMBY_BASE).post('/Sessions/Logout').reply(200, {});
-
-    const res = await request(app)
-      .post('/api/auth/logout')
-      .set('Cookie', csrfCookie)
-      .set('X-CSRF-Token', csrfToken);
-
-    expect(res.status).toBe(200);
-    expect(res.body.success).toBe(true);
-
-    // Cookies should be cleared (Set-Cookie header with empty value / Max-Age=0)
-    const cookies = res.headers['set-cookie'] || [];
-    expect(cookies.some(c => c.includes('emby_user=;') || c.includes('Max-Age=0'))).toBe(true);
-  });
-});
@@ -1,55 +0,0 @@
-/**
- * Integration tests for health and readiness endpoints.
- *
- * /health and /ready are used by Docker HEALTHCHECK and must:
- *  - Require no authentication
- *  - Not be rate-limited
- *  - Return the correct status codes
- */
-
-import request from 'supertest';
-import { createApp } from '../../server/app.js';
-
-describe('GET /health', () => {
-  let app;
-
-  beforeEach(() => {
-    app = createApp();
-  });
-
-  it('returns 200 with status ok', async () => {
-    const res = await request(app).get('/health');
-    expect(res.status).toBe(200);
-    expect(res.body.status).toBe('ok');
-  });
-
-  it('includes uptime as a number', async () => {
-    const res = await request(app).get('/health');
-    expect(typeof res.body.uptime).toBe('number');
-    expect(res.body.uptime).toBeGreaterThanOrEqual(0);
-  });
-});
-
-describe('GET /ready', () => {
-  let app;
-
-  afterEach(() => {
-    delete process.env.EMBY_URL;
-  });
-
-  it('returns 200 when EMBY_URL is configured', async () => {
-    process.env.EMBY_URL = 'https://emby.local';
-    app = createApp();
-    const res = await request(app).get('/ready');
-    expect(res.status).toBe(200);
-    expect(res.body.status).toBe('ready');
-  });
-
-  it('returns 503 when EMBY_URL is not configured', async () => {
-    delete process.env.EMBY_URL;
-    app = createApp();
-    const res = await request(app).get('/ready');
-    expect(res.status).toBe(503);
-    expect(res.body.status).toBe('not ready');
-  });
-});
@@ -1,27 +0,0 @@
-import { vi, beforeEach, afterEach } from 'vitest';
-import os from 'os';
-import path from 'path';
-import fs from 'fs';
-
-// Give each test worker a unique temp DATA_DIR so tokenStore file I/O is
-// fully isolated and doesn't conflict with a running dev server's data/.
-const tmpDir = path.join(os.tmpdir(), `sofarr-test-${process.pid}`);
-if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
-process.env.DATA_DIR = tmpDir;
-
-// Disable rate limiters in tests — all supertest requests share 127.0.0.1
-// and would quickly exhaust per-IP windows otherwise.
-process.env.SKIP_RATE_LIMIT = '1';
-
-// Suppress console noise during tests (errors still surface via thrown exceptions)
-beforeEach(() => {
-  vi.spyOn(console, 'log').mockImplementation(() => {});
-  vi.spyOn(console, 'warn').mockImplementation(() => {});
-  vi.spyOn(console, 'error').mockImplementation(() => {});
-});
-
-afterEach(() => {
-  // clearAllMocks resets call history and queued return values without
-  // restoring mock implementations — use restoreAllMocks only for spies.
-  vi.clearAllMocks();
-});
@@ -1,108 +0,0 @@
-/**
- * Tests for server/utils/config.js
- *
- * Verifies that instance config is parsed correctly from both the modern JSON
- * array format and the legacy single-instance env var format. This is critical
- * because misconfigured instances silently return no data rather than crashing.
- */
-
-import { parseInstances, getSonarrInstances, getRadarrInstances } from '../../server/utils/config.js';
-
-describe('parseInstances', () => {
-  describe('JSON array format', () => {
-    it('parses a valid single-instance JSON array', () => {
-      const json = JSON.stringify([{ name: 'main', url: 'https://sonarr.local', apiKey: 'abc123' }]);
-      const result = parseInstances(json, null, null);
-      expect(result).toHaveLength(1);
-      expect(result[0].url).toBe('https://sonarr.local');
-      expect(result[0].apiKey).toBe('abc123');
-    });
-
-    it('parses multiple instances', () => {
-      const json = JSON.stringify([
-        { name: 'main', url: 'https://s1.local', apiKey: 'key1' },
-        { name: 'backup', url: 'https://s2.local', apiKey: 'key2' }
-      ]);
-      const result = parseInstances(json, null, null);
-      expect(result).toHaveLength(2);
-      expect(result[1].name).toBe('backup');
-    });
-
-    it('adds id from name when present', () => {
-      const json = JSON.stringify([{ name: 'i3omb', url: 'https://s.local', apiKey: 'k' }]);
-      const result = parseInstances(json, null, null);
-      expect(result[0].id).toBe('i3omb');
-    });
-
-    it('generates fallback id when name is absent', () => {
-      const json = JSON.stringify([{ url: 'https://s.local', apiKey: 'k' }]);
-      const result = parseInstances(json, null, null);
-      expect(result[0].id).toBe('instance-1');
-    });
-
-    it('handles multi-line JSON by stripping whitespace', () => {
-      const json = `[
-        {
-          "name": "main",
-          "url": "https://sonarr.local",
-          "apiKey": "abc"
-        }
-      ]`;
-      const result = parseInstances(json, null, null);
-      expect(result).toHaveLength(1);
-    });
-
-    it('returns empty array for empty JSON array', () => {
-      expect(parseInstances('[]', null, null)).toEqual([]);
-    });
-
-    it('falls back to legacy format when JSON is malformed', () => {
-      const result = parseInstances('not-json', 'https://legacy.local', 'legacyKey');
-      expect(result).toHaveLength(1);
-      expect(result[0].url).toBe('https://legacy.local');
-    });
-  });
-
-  describe('legacy single-instance format', () => {
-    it('returns single instance from legacy URL + key', () => {
-      const result = parseInstances(null, 'https://sonarr.local', 'legacyapikey');
-      expect(result).toHaveLength(1);
-      expect(result[0].id).toBe('default');
-      expect(result[0].name).toBe('Default');
-      expect(result[0].url).toBe('https://sonarr.local');
-      expect(result[0].apiKey).toBe('legacyapikey');
-    });
-
-    it('returns empty array for qBittorrent with no apiKey and no JSON (legacy requires key)', () => {
-      // parseInstances requires legacyKey to be truthy for the legacy path;
-      // qBittorrent uses JSON array format, not the legacy URL+key path.
-      const result = parseInstances(null, 'https://qbt.local', null, 'admin', 'pass123');
-      expect(result).toEqual([]);
-    });
-
-    it('returns empty array when both JSON and legacy URL are missing', () => {
-      expect(parseInstances(null, null, null)).toEqual([]);
-    });
-
-    it('returns empty array when URL is set but key is missing', () => {
-      expect(parseInstances(null, 'https://sonarr.local', null)).toEqual([]);
-    });
-  });
-
-  describe('env-based getters', () => {
-    it('getSonarrInstances reads SONARR_INSTANCES from env', () => {
-      process.env.SONARR_INSTANCES = JSON.stringify([{ name: 'test', url: 'https://s.local', apiKey: 'k' }]);
-      const result = getSonarrInstances();
-      expect(result).toHaveLength(1);
-      expect(result[0].name).toBe('test');
-      delete process.env.SONARR_INSTANCES;
-    });
-
-    it('getRadarrInstances returns empty array when unconfigured', () => {
-      delete process.env.RADARR_INSTANCES;
-      delete process.env.RADARR_URL;
-      const result = getRadarrInstances();
-      expect(result).toEqual([]);
-    });
-  });
-});
@@ -1,111 +0,0 @@
-/**
- * Tests for server/utils/qbittorrent.js pure utility functions.
- *
- * mapTorrentToDownload, formatBytes, formatSpeed, and formatEta are all
- * pure functions with no I/O — ideal unit test targets. These power the
- * dashboard card rendering so correctness matters for UX.
- */
-
-import { mapTorrentToDownload, formatBytes, formatSpeed, formatEta } from '../../server/utils/qbittorrent.js';
-
-// Minimal torrent fixture that satisfies mapTorrentToDownload's expectations
-function makeTorrent(overrides = {}) {
-  return {
-    name: 'My.Show.S01E01.1080p.mkv',
-    state: 'downloading',
-    size: 1073741824,        // 1 GB
-    completed: 536870912,    // 512 MB
-    progress: 0.5,
-    dlspeed: 1048576,        // 1 MB/s
-    eta: 512,                // seconds
-    num_seeds: 10,
-    num_leechs: 3,
-    availability: 1.0,
-    hash: 'aabbccdd',
-    category: 'sonarr',
-    tags: '',
-    content_path: '/downloads/My.Show.S01E01.1080p.mkv',
-    save_path: '/downloads/',
-    instanceName: 'i3omb',
-    ...overrides
-  };
-}
-
-describe('formatBytes', () => {
-  it('formats 0 bytes', () => expect(formatBytes(0)).toBe('0 B'));
-  it('formats bytes', () => expect(formatBytes(512)).toBe('512 B'));
-  it('formats kilobytes', () => expect(formatBytes(1024)).toBe('1 KB'));
-  it('formats megabytes', () => expect(formatBytes(1048576)).toBe('1 MB'));
-  it('formats gigabytes', () => expect(formatBytes(1073741824)).toBe('1 GB'));
-  it('formats fractional GB', () => expect(formatBytes(1610612736)).toBe('1.5 GB'));
-});
-
-describe('formatSpeed', () => {
-  it('appends /s to byte count', () => expect(formatSpeed(1048576)).toBe('1 MB/s'));
-  it('handles zero speed', () => expect(formatSpeed(0)).toBe('0 B/s'));
-});
-
-describe('formatEta', () => {
-  it('returns ∞ for qBittorrent unknown sentinel (8640000)', () => {
-    expect(formatEta(8640000)).toBe('∞');
-  });
-  it('returns ∞ for negative eta', () => expect(formatEta(-1)).toBe('∞'));
-  it('formats minutes only', () => expect(formatEta(90)).toBe('1m'));
-  it('formats hours and minutes', () => expect(formatEta(3661)).toBe('1h 1m'));
-  it('formats days, hours and minutes', () => expect(formatEta(90061)).toBe('1d 1h 1m'));
-  it('returns 0m for zero seconds', () => expect(formatEta(0)).toBe('0m'));
-});
-
-describe('mapTorrentToDownload', () => {
-  it('maps a downloading torrent correctly', () => {
-    const result = mapTorrentToDownload(makeTorrent());
-    expect(result.status).toBe('Downloading');
-    expect(result.progress).toBe('50.0');
-    expect(result.size).toBe('1 GB');
-    expect(result.speed).toBe('1 MB/s');
-    expect(result.eta).toBe('8m');
-    expect(result.seeds).toBe(10);
-    expect(result.peers).toBe(3);
-    expect(result.qbittorrent).toBe(true);
-    expect(result.instanceName).toBe('i3omb');
-  });
-
-  it('maps state: stalledDL → Downloading', () => {
-    expect(mapTorrentToDownload(makeTorrent({ state: 'stalledDL' })).status).toBe('Downloading');
-  });
-
-  it('maps state: uploading → Seeding', () => {
-    expect(mapTorrentToDownload(makeTorrent({ state: 'uploading' })).status).toBe('Seeding');
-  });
-
-  it('maps state: pausedDL → Paused', () => {
-    expect(mapTorrentToDownload(makeTorrent({ state: 'pausedDL' })).status).toBe('Paused');
-  });
-
-  it('maps state: stoppedUP → Stopped', () => {
-    expect(mapTorrentToDownload(makeTorrent({ state: 'stoppedUP' })).status).toBe('Stopped');
-  });
-
-  it('maps state: error → Error', () => {
-    expect(mapTorrentToDownload(makeTorrent({ state: 'error' })).status).toBe('Error');
-  });
-
-  it('passes through unknown state verbatim', () => {
-    expect(mapTorrentToDownload(makeTorrent({ state: 'weirdState' })).status).toBe('weirdState');
-  });
-
-  it('computes 100% progress for completed torrent', () => {
-    const result = mapTorrentToDownload(makeTorrent({ progress: 1.0 }));
-    expect(result.progress).toBe('100.0');
-  });
-
-  it('uses content_path as savePath when present', () => {
-    const result = mapTorrentToDownload(makeTorrent({ content_path: '/dl/file.mkv' }));
-    expect(result.savePath).toBe('/dl/file.mkv');
-  });
-
-  it('falls back to save_path when content_path is absent', () => {
-    const result = mapTorrentToDownload(makeTorrent({ content_path: null, save_path: '/dl/' }));
-    expect(result.savePath).toBe('/dl/');
-  });
-});
@@ -1,140 +0,0 @@
-/**
- * Tests for server/middleware/requireAuth.js
- *
- * requireAuth guards all authenticated API routes. Tests exercise the full
- * range of valid/invalid cookie states to ensure there's no bypass path.
- */
-
-import requireAuth from '../../server/middleware/requireAuth.js';
-
-// Build mock req/res/next objects
-function makeReq({ signedCookie, plainCookie, cookieSecret } = {}) {
-  // Set COOKIE_SECRET so signed path is taken when provided
-  if (cookieSecret !== undefined) {
-    process.env.COOKIE_SECRET = cookieSecret;
-  } else {
-    delete process.env.COOKIE_SECRET;
-  }
-
-  return {
-    signedCookies: { emby_user: signedCookie },
-    cookies: { emby_user: plainCookie }
-  };
-}
-
-function makeRes() {
-  const res = {
-    statusCode: null,
-    body: null,
-    status(code) { this.statusCode = code; return this; },
-    json(body) { this.body = body; return this; }
-  };
-  return res;
-}
-
-afterEach(() => {
-  delete process.env.COOKIE_SECRET;
-});
-
-describe('requireAuth middleware', () => {
-  describe('valid sessions', () => {
-    it('calls next() with a valid signed cookie', () => {
-      const payload = JSON.stringify({ id: 'u1', name: 'Alice', isAdmin: true });
-      const req = makeReq({ signedCookie: payload, cookieSecret: 'secret' });
-      const res = makeRes();
-      const next = vi.fn();
-
-      requireAuth(req, res, next);
-
-      expect(next).toHaveBeenCalledOnce();
-      expect(req.user).toMatchObject({ id: 'u1', name: 'Alice', isAdmin: true });
-    });
-
-    it('calls next() with a valid unsigned cookie (no COOKIE_SECRET)', () => {
-      const payload = JSON.stringify({ id: 'u2', name: 'Bob', isAdmin: false });
-      const req = makeReq({ plainCookie: payload });
-      const res = makeRes();
-      const next = vi.fn();
-
-      requireAuth(req, res, next);
-
-      expect(next).toHaveBeenCalledOnce();
-      expect(req.user.id).toBe('u2');
-    });
-
-    it('coerces non-boolean isAdmin to boolean', () => {
-      const payload = JSON.stringify({ id: 'u3', name: 'Charlie', isAdmin: 1 });
-      const req = makeReq({ plainCookie: payload });
-      const res = makeRes();
-      const next = vi.fn();
-
-      requireAuth(req, res, next);
-
-      expect(next).toHaveBeenCalled();
-      expect(req.user.isAdmin).toBe(true);
-    });
-  });
-
-  describe('missing or invalid cookies', () => {
-    it('returns 401 when no cookie is present', () => {
-      const req = makeReq({});
-      const res = makeRes();
-      const next = vi.fn();
-
-      requireAuth(req, res, next);
-
-      expect(res.statusCode).toBe(401);
-      expect(next).not.toHaveBeenCalled();
-    });
-
-    it('returns 401 when signed cookie value is false (tampered)', () => {
-      // cookie-parser sets signed cookie to false when signature is invalid
-      const req = makeReq({ signedCookie: false, cookieSecret: 'secret' });
-      const res = makeRes();
-      const next = vi.fn();
-
-      requireAuth(req, res, next);
-
-      expect(res.statusCode).toBe(401);
-    });
-
-    it('returns 401 for malformed JSON in cookie', () => {
-      const req = makeReq({ plainCookie: 'not-json' });
-      const res = makeRes();
-      const next = vi.fn();
-
-      requireAuth(req, res, next);
-
-      expect(res.statusCode).toBe(401);
-      expect(res.body.error).toBe('Invalid session');
-    });
-
-    it('returns 401 when id is missing', () => {
-      const payload = JSON.stringify({ name: 'Alice', isAdmin: false });
-      const req = makeReq({ plainCookie: payload });
-      requireAuth(req, makeRes(), vi.fn());
-      // no next called — handled in the assertion below
-      const res = makeRes();
-      const next = vi.fn();
-      requireAuth(req, res, next);
-      expect(res.statusCode).toBe(401);
-      expect(next).not.toHaveBeenCalled();
-    });
-
-    it('returns 401 when name is missing', () => {
-      const payload = JSON.stringify({ id: 'u1', isAdmin: false });
-      const req = makeReq({ plainCookie: payload });
-      const res = makeRes();
-      requireAuth(req, res, vi.fn());
-      expect(res.statusCode).toBe(401);
-    });
-
-    it('returns 401 when id is empty string', () => {
-      const payload = JSON.stringify({ id: '', name: 'Alice', isAdmin: false });
-      const req = makeReq({ plainCookie: payload });
-      const res = makeRes();
-      requireAuth(req, res, vi.fn());
-      expect(res.statusCode).toBe(401);
-    });
-  });
-});
@@ -1,121 +0,0 @@
-/**
- * Tests for server/utils/sanitizeError.js
- *
- * Critical security tests: verify that API keys, tokens, passwords and other
- * secrets are NEVER leaked in error messages returned to clients or written
- * to logs. Every pattern here represents a real credential type used in the
- * sofarr stack (SABnzbd apikey, Emby tokens, qBittorrent basic-auth URLs).
- */
-
-import sanitizeError from '../../server/utils/sanitizeError.js';
-
-describe('sanitizeError', () => {
-  describe('query-param secrets', () => {
-    it('redacts ?apikey= values', () => {
-      const err = new Error('Request failed: https://sabnzbd.local/api?apikey=abc123secret&output=json');
-      expect(sanitizeError(err)).toContain('[REDACTED]');
-      expect(sanitizeError(err)).not.toContain('abc123secret');
-    });
-
-    it('redacts &apikey= mid-URL', () => {
-      const err = new Error('GET https://host/path?mode=queue&apikey=SUPERSECRET&output=json');
-      expect(sanitizeError(err)).not.toContain('SUPERSECRET');
-      expect(sanitizeError(err)).toContain('[REDACTED]');
-    });
-
-    it('redacts ?token= values', () => {
-      const err = new Error('https://api.example.com/data?token=tok_private99');
-      expect(sanitizeError(err)).not.toContain('tok_private99');
-    });
-
-    it('redacts ?password= values', () => {
-      const err = new Error('Auth failed: https://service.local?password=hunter2');
-      expect(sanitizeError(err)).not.toContain('hunter2');
-    });
-
-    it('redacts ?api_key= values', () => {
-      const err = new Error('https://sonarr.local/api/v3/series?api_key=e583d270f89846478e42');
-      expect(sanitizeError(err)).not.toContain('e583d270f89846478e42');
-    });
-
-    it('preserves non-secret query params', () => {
-      const result = sanitizeError(new Error('GET /api?mode=queue&output=json'));
-      expect(result).toContain('mode=queue');
-      expect(result).toContain('output=json');
-    });
-  });
-
-  describe('HTTP auth headers', () => {
-    it('redacts X-Api-Key header values', () => {
-      const err = new Error('Request: x-api-key: e583d270f89846478e42dd3cf90bfb00');
-      expect(sanitizeError(err)).not.toContain('e583d270f89846478e42dd3cf90bfb00');
-      expect(sanitizeError(err)).toContain('[REDACTED]');
-    });
-
-    it('redacts X-MediaBrowser-Token header values', () => {
-      const err = new Error('x-mediabrowser-token: b862f3a43f4c417285043a11aa28b1f7');
-      expect(sanitizeError(err)).not.toContain('b862f3a43f4c417285043a11aa28b1f7');
-    });
-
-    it('redacts Authorization header values', () => {
-      const err = new Error('authorization: MediaBrowser Token="abc123", DeviceId="xyz"');
-      expect(sanitizeError(err)).not.toContain('abc123');
-    });
-  });
-
-  describe('bearer tokens', () => {
-    it('redacts Bearer token values', () => {
-      const err = new Error('Error: bearer eyJhbGciOiJIUzI1NiJ9.payload.sig');
-      expect(sanitizeError(err)).not.toContain('eyJhbGciOiJIUzI1NiJ9');
-      expect(sanitizeError(err)).toContain('bearer [REDACTED]');
-    });
-
-    it('is case-insensitive for BEARER', () => {
-      const err = new Error('BEARER TOKEN_VALUE_HERE');
-      expect(sanitizeError(err)).not.toContain('TOKEN_VALUE_HERE');
-    });
-  });
-
-  describe('basic-auth URLs', () => {
-    it('redacts user:pass@ in URLs', () => {
-      const err = new Error('GET http://admin:b053288369XX!@qbittorrent.local/api');
-      expect(sanitizeError(err)).not.toContain('b053288369XX!');
-      expect(sanitizeError(err)).not.toContain('admin:');
-      expect(sanitizeError(err)).toContain('//[REDACTED]@');
-    });
-
-    it('handles https:// basic auth', () => {
-      const err = new Error('https://user:s3cr3t@service.local/path');
-      expect(sanitizeError(err)).not.toContain('s3cr3t');
-    });
-  });
-
-  describe('edge cases', () => {
-    it('handles non-Error input (plain string)', () => {
-      const result = sanitizeError('plain string error');
-      expect(typeof result).toBe('string');
-    });
-
-    it('handles null gracefully', () => {
-      expect(() => sanitizeError(null)).not.toThrow();
-    });
-
-    it('handles undefined gracefully', () => {
-      expect(() => sanitizeError(undefined)).not.toThrow();
-    });
-
-    it('preserves non-sensitive error messages unchanged', () => {
-      const err = new Error('Connection refused: ECONNREFUSED 127.0.0.1:8080');
-      const result = sanitizeError(err);
-      expect(result).toContain('ECONNREFUSED');
-      expect(result).toContain('127.0.0.1:8080');
-    });
-
-    it('does not leak stack traces (returns message only)', () => {
-      const err = new Error('something went wrong');
-      const result = sanitizeError(err);
-      expect(result).not.toContain('at ');
-      expect(result).not.toContain('.js:');
-    });
-  });
-});
@@ -1,84 +0,0 @@
-/**
- * Tests for server/utils/tokenStore.js
- *
- * The token store persists Emby access tokens to disk (JSON file) so users
- * survive server restarts without re-logging in. Tests verify the store/get/
- * clear lifecycle, TTL expiry, and atomic write behaviour.
- *
- * Each test imports a FRESH module instance (vi.resetModules) so the
- * module-level singleton state (loaded from disk) doesn't bleed between tests.
- */
-
-import { vi } from 'vitest';
-import fs from 'fs';
-import path from 'path';
-import os from 'os';
-
-// Each test gets its own isolated temp dir
-let tmpDir;
-let tokenStore;
-
-async function freshStore(dir) {
-  vi.resetModules();
-  process.env.DATA_DIR = dir;
-  const mod = await import('../../server/utils/tokenStore.js');
-  return mod;
-}
-
-beforeEach(async () => {
-  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'sofarr-ts-'));
-  tokenStore = await freshStore(tmpDir);
-});
-
-afterEach(() => {
-  fs.rmSync(tmpDir, { recursive: true, force: true });
-});
-
-describe('tokenStore', () => {
-  it('stores and retrieves a token', () => {
-    tokenStore.storeToken('user1', 'access-token-abc');
-    const result = tokenStore.getToken('user1');
-    expect(result).not.toBeNull();
-    expect(result.accessToken).toBe('access-token-abc');
-  });
-
-  it('returns null for an unknown user', () => {
-    expect(tokenStore.getToken('nobody')).toBeNull();
-  });
-
-  it('clears a stored token', () => {
-    tokenStore.storeToken('user1', 'token-xyz');
-    tokenStore.clearToken('user1');
-    expect(tokenStore.getToken('user1')).toBeNull();
-  });
-
-  it('clearToken is a no-op for unknown user', () => {
-    expect(() => tokenStore.clearToken('ghost')).not.toThrow();
-  });
-
-  it('overwrites existing token on re-store', () => {
-    tokenStore.storeToken('user1', 'old-token');
-    tokenStore.storeToken('user1', 'new-token');
-    expect(tokenStore.getToken('user1').accessToken).toBe('new-token');
-  });
-
-  it('persists to disk (tokens.json exists after store)', () => {
-    tokenStore.storeToken('u1', 'tok');
-    const storePath = path.join(tmpDir, 'tokens.json');
-    expect(fs.existsSync(storePath)).toBe(true);
-    const data = JSON.parse(fs.readFileSync(storePath, 'utf8'));
-    expect(data.u1.accessToken).toBe('tok');
-  });
-
-  it('expires tokens older than 31 days on read', () => {
-    // Write an already-expired entry directly to disk
-    const expired = Date.now() - (32 * 24 * 60 * 60 * 1000);
-    const storePath = path.join(tmpDir, 'tokens.json');
-    fs.writeFileSync(storePath, JSON.stringify({ u1: { accessToken: 'old', createdAt: expired } }));
-    // Re-import to load from disk
-    vi.resetModules();
-    return import('../../server/utils/tokenStore.js').then(mod => {
-      expect(mod.getToken('u1')).toBeNull();
-    });
-  });
-});
@@ -1,84 +0,0 @@
-/**
- * Tests for server/middleware/verifyCsrf.js
- *
- * CSRF protection via the double-submit cookie pattern. These tests verify
- * that the timing-safe comparison works correctly and that safe HTTP methods
- * are correctly exempted.
- */
-
-import verifyCsrf from '../../server/middleware/verifyCsrf.js';
-
-function makeReq(method, cookieToken, headerToken) {
-  return {
-    method,
-    cookies: { csrf_token: cookieToken },
-    headers: { 'x-csrf-token': headerToken }
-  };
-}
-
-function makeRes() {
-  const res = {
-    statusCode: null,
-    body: null,
-    status(code) { this.statusCode = code; return this; },
-    json(body) { this.body = body; return this; }
-  };
-  return res;
-}
-
-describe('verifyCsrf middleware', () => {
-  describe('safe methods are exempted', () => {
-    for (const method of ['GET', 'HEAD', 'OPTIONS']) {
-      it(`allows ${method} with no CSRF token`, () => {
-        const next = vi.fn();
-        verifyCsrf(makeReq(method, undefined, undefined), makeRes(), next);
-        expect(next).toHaveBeenCalledOnce();
-      });
-    }
-  });
-
-  describe('mutating methods require valid token', () => {
-    const TOKEN = 'a'.repeat(64); // 64 hex chars = 32 bytes
-
-    for (const method of ['POST', 'PUT', 'PATCH', 'DELETE']) {
-      it(`allows ${method} with matching tokens`, () => {
-        const next = vi.fn();
-        const res = makeRes();
-        verifyCsrf(makeReq(method, TOKEN, TOKEN), res, next);
-        expect(next).toHaveBeenCalledOnce();
-        expect(res.statusCode).toBeNull();
-      });
-
-      it(`blocks ${method} with mismatched tokens`, () => {
-        const next = vi.fn();
-        const res = makeRes();
-        verifyCsrf(makeReq(method, TOKEN, TOKEN.replace('a', 'b')), res, next);
-        expect(res.statusCode).toBe(403);
-        expect(next).not.toHaveBeenCalled();
-      });
-
-      it(`blocks ${method} with missing cookie token`, () => {
-        const next = vi.fn();
-        const res = makeRes();
-        verifyCsrf(makeReq(method, undefined, TOKEN), res, next);
-        expect(res.statusCode).toBe(403);
-        expect(res.body.error).toBe('CSRF token missing');
-      });
-
-      it(`blocks ${method} with missing header token`, () => {
-        const next = vi.fn();
-        const res = makeRes();
-        verifyCsrf(makeReq(method, TOKEN, undefined), res, next);
-        expect(res.statusCode).toBe(403);
-      });
-    }
-
-    it('blocks when tokens have different lengths (timing-safe path)', () => {
-      const next = vi.fn();
-      const res = makeRes();
-      verifyCsrf(makeReq('POST', 'short', 'much-longer-token-here'), res, next);
-      expect(res.statusCode).toBe(403);
-      expect(res.body.error).toBe('CSRF token invalid');
-    });
-  });
-});
@@ -1,41 +0,0 @@
-import { defineConfig } from 'vitest/config';
-
-export default defineConfig({
-  test: {
-    // Node environment for all tests (server-side CJS modules, no browser APIs needed)
-    environment: 'node',
-    // Global test helpers (describe, it, expect, vi) without per-file imports
-    globals: true,
-    // Run each test file in an isolated module registry so module-level state
-    // (tokenStore cache, config singletons) doesn't leak between files
-    isolate: true,
-    // Give each file its own data directory so tokenStore file I/O doesn't collide
-    setupFiles: ['./tests/setup.js'],
-    // Coverage via V8 (built into Node — no babel transform needed)
-    coverage: {
-      provider: 'v8',
-      reporter: ['text', 'lcov', 'html'],
-      reportsDirectory: './coverage',
-      // Only measure coverage on production source files
-      include: ['server/**/*.js'],
-      exclude: [
-        'server/index.js',   // entry point with side-effects (process.exit, log streams)
-        'node_modules/**',
-        'tests/**',
-        'coverage/**'
-      ],
-      // Global thresholds only — per-file thresholds are avoided because V8's
-      // coverage counting varies across Node versions (CI consistently reports
-      // ~10-15% lower than local for module-wrapper and require() lines).
-      // The overall numbers reflect that dashboard.js and poller.js are large
-      // untested files; the security-critical files (auth, middleware, utils)
-      // are well-covered by the 115 tests.
-      thresholds: {
-        lines: 25,
-        functions: 12,
-        branches: 12,
-        statements: 25
-      }
-    }
-  }
-});
Author	SHA1	Message	Date
gronod	5f3a10ba2e	chore: bump version to 0.1.3 Create Release / release (push) Successful in 15s Details	2026-05-16 00:32:05 +01:00
gronod	063edbf28a	Merge develop into main for v0.1.3	2026-05-16 00:31:48 +01:00