2025-11-14 13:34:19 +00:00
|
|
|
# 🔒 NoteDiscovery Authentication Guide
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
## ⚠️ Default Password Warning
|
2025-11-14 17:08:51 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
> **Default password is `admin`** — CHANGE THIS before exposing to any network!
|
2025-11-14 17:08:51 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2025-11-14 13:34:19 +00:00
|
|
|
## Overview
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
NoteDiscovery includes simple password protection for single-user deployments. When enabled, users must log in before accessing notes.
|
2025-11-14 13:34:19 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
- ✅ Single user / self-hosted use
|
|
|
|
|
- ✅ Passwords hashed with bcrypt
|
|
|
|
|
- ✅ Session-based (7 days default, configurable)
|
2025-11-14 17:08:51 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
## Quick Test (Local Only)
|
2025-11-14 17:08:51 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
For local testing, authentication is **disabled by default**. To test with auth:
|
2025-11-14 17:08:51 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
1. Set `authentication.enabled: true` in `config.yaml`
|
|
|
|
|
2. Restart the app
|
2025-11-14 17:08:51 +00:00
|
|
|
3. Log in with password: `admin`
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
⚠️ **Don't use the default password on any network!**
|
2025-11-14 17:08:51 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
## Production Setup
|
2025-11-14 17:08:51 +00:00
|
|
|
|
|
|
|
|
For any deployment exposed to a network, follow these steps:
|
2025-11-14 13:34:19 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
### Step 1: Generate a Secret Key
|
2026-01-08 15:29:14 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
The secret key encrypts session cookies. Generate a random one:
|
2026-01-08 15:29:14 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
```bash
|
|
|
|
|
# Docker
|
|
|
|
|
docker exec -it notediscovery python -c "import secrets; print(secrets.token_hex(32))"
|
2026-01-08 15:29:14 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
# Local
|
|
|
|
|
python -c "import secrets; print(secrets.token_hex(32))"
|
|
|
|
|
```
|
2026-01-08 15:29:14 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
**Save this key** — you'll need it in Step 2.
|
2026-01-08 15:29:14 +00:00
|
|
|
|
|
|
|
|
---
|
2025-11-14 13:34:19 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
### Step 2: Configure Authentication
|
2026-01-08 15:29:14 +00:00
|
|
|
|
2026-03-13 10:50:47 +00:00
|
|
|
Your password is automatically hashed at startup using bcrypt.
|
2026-01-08 15:29:14 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
**Via Environment Variables (Docker):**
|
|
|
|
|
```bash
|
|
|
|
|
docker run -d \
|
|
|
|
|
-e AUTHENTICATION_ENABLED=true \
|
|
|
|
|
-e AUTHENTICATION_PASSWORD=your_secure_password \
|
|
|
|
|
-e AUTHENTICATION_SECRET_KEY=your_generated_secret_key \
|
|
|
|
|
...
|
2026-01-08 15:29:14 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**Via config.yaml:**
|
|
|
|
|
```yaml
|
|
|
|
|
authentication:
|
|
|
|
|
enabled: true
|
|
|
|
|
password: "your_secure_password"
|
2026-01-12 11:22:24 +00:00
|
|
|
secret_key: "your_generated_secret_key"
|
2026-01-08 15:29:14 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
### Step 3: Restart & Test
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
```bash
|
2026-01-12 11:22:24 +00:00
|
|
|
# Docker Compose
|
2025-11-14 13:34:19 +00:00
|
|
|
docker-compose restart
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
# Docker run
|
2025-11-14 13:34:19 +00:00
|
|
|
docker restart notediscovery
|
2026-01-12 11:22:24 +00:00
|
|
|
|
|
|
|
|
# Local
|
|
|
|
|
python run.py
|
2025-11-14 13:34:19 +00:00
|
|
|
```
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
Navigate to `http://localhost:8000` — you'll be redirected to the login page.
|
2025-11-14 13:34:19 +00:00
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## Configuration Priority
|
|
|
|
|
|
2026-03-13 10:50:47 +00:00
|
|
|
Environment variables override config.yaml:
|
2025-11-14 13:34:19 +00:00
|
|
|
|
2026-03-13 10:50:47 +00:00
|
|
|
| Priority | Source |
|
|
|
|
|
|----------|--------|
|
|
|
|
|
| 1st | `AUTHENTICATION_PASSWORD` env var |
|
|
|
|
|
| 2nd | `password` in config.yaml |
|
2026-01-12 11:22:24 +00:00
|
|
|
|
2026-03-13 10:50:47 +00:00
|
|
|
**Example:** If you set `AUTHENTICATION_PASSWORD` as an env var, it overrides config.yaml.
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
## Security Considerations
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
### ✅ What This Protects
|
|
|
|
|
|
|
|
|
|
- Unauthorized access to your notes
|
|
|
|
|
- All API endpoints
|
2026-01-12 11:22:24 +00:00
|
|
|
- Viewing, creating, editing, deleting notes
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
### ⚠️ What This Doesn't Protect
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
This is a **simple single-user** system. NOT suitable for:
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
- ❌ Multi-user environments
|
2026-01-12 11:22:24 +00:00
|
|
|
- ❌ Public internet without HTTPS
|
2025-11-14 13:34:19 +00:00
|
|
|
- ❌ Compliance requirements (HIPAA, GDPR, etc.)
|
|
|
|
|
|
|
|
|
|
### 🛡️ Best Practices
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
1. **Use HTTPS** — Run behind a reverse proxy (Traefik, nginx, Caddy)
|
|
|
|
|
2. **Strong password** — At least 12 characters, mixed case, numbers, symbols
|
|
|
|
|
3. **Unique secret key** — Never reuse across applications
|
|
|
|
|
4. **Keep config secure** — Don't commit credentials to version control
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-03-13 10:50:47 +00:00
|
|
|
## API Key Authentication
|
|
|
|
|
|
|
|
|
|
For external integrations (MCP servers, scripts, automation), use an API key instead of session cookies.
|
|
|
|
|
|
|
|
|
|
### Setup
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Generate a secure key
|
|
|
|
|
python -c "import secrets; print(secrets.token_hex(32))"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**Via Environment Variable:**
|
|
|
|
|
```bash
|
|
|
|
|
docker run -e AUTHENTICATION_API_KEY=your_api_key ...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
**Via config.yaml:**
|
|
|
|
|
```yaml
|
|
|
|
|
authentication:
|
|
|
|
|
api_key: "your_64_character_hex_key"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Usage
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
# Option 1: Bearer token
|
|
|
|
|
curl -H "Authorization: Bearer YOUR_API_KEY" http://localhost:8000/api/notes
|
|
|
|
|
|
|
|
|
|
# Option 2: X-API-Key header
|
|
|
|
|
curl -H "X-API-Key: YOUR_API_KEY" http://localhost:8000/api/notes
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Both session auth (web UI) and API key auth work simultaneously when enabled.
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
## Disabling Authentication
|
2025-11-14 13:34:19 +00:00
|
|
|
|
|
|
|
|
```yaml
|
2025-11-25 15:41:08 +00:00
|
|
|
authentication:
|
2025-11-14 13:34:19 +00:00
|
|
|
enabled: false
|
|
|
|
|
```
|
|
|
|
|
|
2026-01-12 11:22:24 +00:00
|
|
|
Restart the app to apply.
|