Merge pull request #14 from smashingtags/feature/overhaul

Feature/overhaul

Author: smashingtags

.dockerignore

@@ -1,13 +1,45 @@
-node_modules
-npm-debug.log
-.git
-.gitignore
+# Dependencies
+node_modules/
+npm-debug.log*
+
+# Build outputs
+dist/
+build/
+
+# Development files
 .env
-.env.*
-*.md
-.vscode
-dist
-build
-coverage
+.env.local
+.env.development
+.env.test
+*.log
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS files
 .DS_Store
-.vs/
+Thumbs.db
+
+# Git
+.git/
+.gitignore
+
+# Documentation (not needed in container)
+*.md
+docs/
+
+# Test files
+test/
+tests/
+*.test.js
+*.spec.js
+
+# Backend files not needed in frontend container
+# server/ - removed to allow backend builds
+
+# Temporary files
+tmp/
+temp/

.dockerignore.backend

@@ -0,0 +1,54 @@
+# Backend-specific .dockerignore
+
+# Dependencies
+node_modules/
+npm-debug.log*
+
+# Build outputs
+dist/
+build/
+
+# Development files
+.env
+.env.local
+.env.development
+.env.test
+*.log
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Git
+.git/
+.gitignore
+
+# Documentation
+*.md
+docs/
+
+# Test files
+test/
+tests/
+*.test.js
+*.spec.js
+
+# Frontend files not needed in backend container
+src/
+public/
+index.html
+vite.config.ts
+tsconfig*.json
+tailwind.config.js
+postcss.config.js
+eslint.config.js
+
+# Temporary files
+tmp/
+temp/

.dockerignore.frontend

@@ -0,0 +1,47 @@
+# Frontend-specific .dockerignore
+
+# Dependencies
+node_modules/
+npm-debug.log*
+
+# Build outputs
+dist/
+build/
+
+# Development files
+.env
+.env.local
+.env.development
+.env.test
+*.log
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Git
+.git/
+.gitignore
+
+# Documentation
+*.md
+docs/
+
+# Test files
+test/
+tests/
+*.test.js
+*.spec.js
+
+# Backend files not needed in frontend container
+server/
+
+# Temporary files
+tmp/
+temp/

.env.docker

@@ -0,0 +1,10 @@
+# Docker Environment Configuration
+# Copy this to .env for Docker Compose deployment
+
+# Authentication
+JWT_SECRET=homelabarr-super-secret-jwt-key-change-this-in-production
+DEFAULT_ADMIN_PASSWORD=admin
+
+# Optional: Override default ports
+# FRONTEND_PORT=8087
+# BACKEND_PORT=3009

.env.production

@@ -0,0 +1,24 @@
+# Production Environment Configuration
+NODE_ENV=production
+
+# Backend Configuration
+PORT=3001
+CORS_ORIGIN=http://localhost:8087
+
+# Docker Configuration
+DOCKER_SOCKET=/var/run/docker.sock
+
+# Security Configuration
+AUTH_ENABLED=true
+JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
+JWT_EXPIRES_IN=24h
+DEFAULT_ADMIN_PASSWORD=admin
+
+# Logging Configuration
+LOG_LEVEL=info
+
+# Data Storage
+DATA_PATH=/app/data
+
+# Network Configuration
+DEFAULT_NETWORK=homelabarr

.github/workflows/docker-publish.yml

@@ -7,12 +7,14 @@ on:
     branches:
       - "main"
       - "feature/standard-deployment"
+      - "feature/overhaul"
     # Trigger builds for semver tags and for a "dev" tag.
     tags: [ 'v*.*.*', 'dev' ]
   pull_request:
     branches:
       - "main"
       - "feature/standard-deployment"
+      - "feature/overhaul"
 
 env:
   # Use docker.io for Docker Hub if empty

AUTHENTICATION.md

@@ -0,0 +1,177 @@
+# HomelabARR Authentication System
+
+## Overview
+
+HomelabARR includes a comprehensive authentication system to secure your container management interface. The system uses JWT tokens for stateless authentication and bcrypt for secure password hashing.
+
+## Features
+
+### 🔐 Security Features
+- **JWT-based authentication** - Stateless, secure token-based auth
+- **Bcrypt password hashing** - Industry-standard password security
+- **Role-based access control** - Admin and user roles
+- **Automatic token validation** - Expired tokens are handled gracefully
+- **Secure session management** - Automatic logout on token expiration
+
+### 👤 User Management
+- **Default admin account** - Created automatically on first run
+- **Password management** - Users can change their own passwords
+- **User profiles** - Username, email, role, last login tracking
+- **Admin controls** - Admins can manage other users (future feature)
+
+### 🛡️ Access Control
+- **Protected endpoints** - All container operations require authentication
+- **Optional authentication** - Can be disabled for development
+- **Role-based permissions** - Different access levels for admin vs user
+- **CORS protection** - Restricted origins in production
+
+## Default Credentials
+
+**⚠️ IMPORTANT: Change these immediately after first login!**
+
+- **Username:** `admin`
+- **Password:** `admin`
+
+## Configuration
+
+### Environment Variables
+
+```bash
+# Enable/disable authentication
+AUTH_ENABLED=true
+
+# JWT configuration
+JWT_SECRET=your-super-secret-key-change-this
+JWT_EXPIRES_IN=24h
+
+# Default admin password (only used on first setup)
+DEFAULT_ADMIN_PASSWORD=admin
+```
+
+### Docker Compose
+
+```yaml
+environment:
+  - AUTH_ENABLED=true
+  - JWT_SECRET=${JWT_SECRET:-homelabarr-change-this-secret}
+  - JWT_EXPIRES_IN=24h
+  - DEFAULT_ADMIN_PASSWORD=${DEFAULT_ADMIN_PASSWORD:-admin}
+```
+
+## API Endpoints
+
+### Authentication Routes
+
+- `POST /api/auth/login` - User login
+- `GET /api/auth/me` - Get current user info
+- `POST /api/auth/change-password` - Change user password
+- `POST /api/auth/register` - Create new user (admin only)
+- `GET /api/auth/users` - List all users (admin only)
+
+### Protected Routes
+
+All container management endpoints require authentication when `AUTH_ENABLED=true`:
+
+- `/api/containers/*` - Container operations
+- `/api/deploy` - Application deployment
+- `/api/ports/*` - Port management
+
+## Frontend Components
+
+### Authentication UI
+- **LoginModal** - Secure login form with validation
+- **UserMenu** - User profile dropdown with logout
+- **UserSettings** - Password change and user management
+- **AuthStatus** - Authentication status indicator
+
+### Security Features
+- **Automatic token refresh** - Handles expired tokens gracefully
+- **Secure storage** - Tokens stored in localStorage with validation
+- **Error handling** - Clear feedback for authentication errors
+- **Loading states** - Visual feedback during auth operations
+
+## Security Best Practices
+
+### Production Deployment
+1. **Change default credentials** immediately
+2. **Use strong JWT secret** (32+ random characters)
+3. **Set secure CORS origins** (no wildcards)
+4. **Use HTTPS** in production
+5. **Regular password updates** for all users
+
+### Password Requirements
+- Minimum 6 characters (configurable)
+- Bcrypt hashing with salt rounds: 12
+- No password reuse validation (future feature)
+
+### Token Security
+- JWT tokens expire after 24 hours (configurable)
+- Tokens include user ID, username, and role
+- Automatic cleanup of expired tokens
+- No refresh token implementation (stateless design)
+
+## Troubleshooting
+
+### Common Issues
+
+1. **"Authentication required" errors**
+   - Check if `AUTH_ENABLED=true` in environment
+   - Verify JWT_SECRET is set
+   - Ensure user is logged in
+
+2. **"Invalid token" errors**
+   - Token may have expired (24h default)
+   - JWT_SECRET may have changed
+   - Clear browser storage and re-login
+
+3. **Default admin not created**
+   - Check server logs for errors
+   - Verify write permissions to `server/config/`
+   - Ensure no existing users.json file
+
+### Debug Commands
+
+```bash
+# Check authentication status
+curl http://localhost:3001/health
+
+# Test login
+curl -X POST http://localhost:3001/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"admin"}'
+
+# Check user info (with token)
+curl http://localhost:3001/auth/me \
+  -H "Authorization: Bearer YOUR_TOKEN_HERE"
+```
+
+## Future Enhancements
+
+- **Multi-factor authentication** (2FA/TOTP)
+- **OAuth integration** (Google, GitHub, etc.)
+- **Advanced user management** (admin UI)
+- **Audit logging** (user actions tracking)
+- **Password policies** (complexity requirements)
+- **Session management** (active sessions, force logout)
+- **API key authentication** (for automation)
+
+## Development
+
+### Disabling Authentication
+
+For development, you can disable authentication:
+
+```bash
+AUTH_ENABLED=false
+```
+
+This allows unrestricted access to all endpoints.
+
+### Testing Authentication
+
+The system includes comprehensive error handling and validation. Test with:
+
+- Invalid credentials
+- Expired tokens
+- Missing tokens
+- Role-based access restrictions