NoteDiscovery/documentation/AUTHENTICATION.md

166 lines
3.5 KiB
Markdown
Raw Normal View History

2025-11-14 13:34:19 +00:00
# 🔒 NoteDiscovery Authentication Guide
2026-01-12 11:22:24 +00:00
## ⚠️ Default Password Warning
2025-11-14 17:08:51 +00:00
2026-01-12 11:22:24 +00:00
> **Default password is `admin`** — CHANGE THIS before exposing to any network!
2025-11-14 17:08:51 +00:00
---
2025-11-14 13:34:19 +00:00
## Overview
2026-01-12 11:22:24 +00:00
NoteDiscovery includes simple password protection for single-user deployments. When enabled, users must log in before accessing notes.
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
- ✅ Single user / self-hosted use
- ✅ Passwords hashed with bcrypt
- ✅ Session-based (7 days default, configurable)
2025-11-14 17:08:51 +00:00
---
2026-01-12 11:22:24 +00:00
## Quick Test (Local Only)
2025-11-14 17:08:51 +00:00
2026-01-12 11:22:24 +00:00
For local testing, authentication is **disabled by default**. To test with auth:
2025-11-14 17:08:51 +00:00
2026-01-12 11:22:24 +00:00
1. Set `authentication.enabled: true` in `config.yaml`
2. Restart the app
2025-11-14 17:08:51 +00:00
3. Log in with password: `admin`
2026-01-12 11:22:24 +00:00
⚠️ **Don't use the default password on any network!**
2025-11-14 17:08:51 +00:00
---
2026-01-12 11:22:24 +00:00
## Production Setup
2025-11-14 17:08:51 +00:00
For any deployment exposed to a network, follow these steps:
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
### Step 1: Generate a Secret Key
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
The secret key encrypts session cookies. Generate a random one:
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
```bash
# Docker
docker exec -it notediscovery python -c "import secrets; print(secrets.token_hex(32))"
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
# Local
python -c "import secrets; print(secrets.token_hex(32))"
```
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
**Save this key** — you'll need it in Step 2.
2026-01-08 15:29:14 +00:00
---
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
### Step 2: Configure Authentication
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
Choose **one** of these options:
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
#### Option A: Plain Text Password (Recommended)
The easiest approach. Your password is automatically hashed at startup.
2026-01-08 15:29:14 +00:00
2026-01-12 11:22:24 +00:00
**Via Environment Variables (Docker):**
```bash
docker run -d \
-e AUTHENTICATION_ENABLED=true \
-e AUTHENTICATION_PASSWORD=your_secure_password \
-e AUTHENTICATION_SECRET_KEY=your_generated_secret_key \
...
2026-01-08 15:29:14 +00:00
```
**Via config.yaml:**
```yaml
authentication:
enabled: true
password: "your_secure_password"
2026-01-12 11:22:24 +00:00
secret_key: "your_generated_secret_key"
2026-01-08 15:29:14 +00:00
```
---
2026-01-12 11:22:24 +00:00
#### Option B: Pre-Hashed Password (Advanced)
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
For users who prefer to hash passwords themselves.
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
**Generate a hash:**
2025-11-14 13:34:19 +00:00
```bash
2026-01-12 11:22:24 +00:00
# Docker
2025-11-14 19:33:36 +00:00
docker exec -it notediscovery python generate_password.py
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
# Local
2025-11-14 13:34:19 +00:00
python generate_password.py
```
2026-01-12 11:22:24 +00:00
**Then configure:**
2025-11-14 13:34:19 +00:00
```yaml
authentication:
2025-11-14 13:34:19 +00:00
enabled: true
2026-01-12 11:22:24 +00:00
password_hash: "$2b$12$..." # paste your hash here
secret_key: "your_generated_secret_key"
2025-11-14 13:34:19 +00:00
```
2026-01-08 15:29:14 +00:00
---
2026-01-12 11:22:24 +00:00
### Step 3: Restart & Test
2025-11-14 13:34:19 +00:00
```bash
2026-01-12 11:22:24 +00:00
# Docker Compose
2025-11-14 13:34:19 +00:00
docker-compose restart
2026-01-12 11:22:24 +00:00
# Docker run
2025-11-14 13:34:19 +00:00
docker restart notediscovery
2026-01-12 11:22:24 +00:00
# Local
python run.py
2025-11-14 13:34:19 +00:00
```
2026-01-12 11:22:24 +00:00
Navigate to `http://localhost:8000` — you'll be redirected to the login page.
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
---
## Configuration Priority
If multiple sources are configured, this priority applies (first wins):
2025-11-14 13:34:19 +00:00
2026-01-12 11:22:24 +00:00
| Priority | Source | Type |
|----------|--------|------|
| 1st | `AUTHENTICATION_PASSWORD` env var | Plain text |
| 2nd | `AUTHENTICATION_PASSWORD_HASH` env var | Pre-hashed |
| 3rd | `password` in config.yaml | Plain text |
| 4th | `password_hash` in config.yaml | Pre-hashed |
**Example:** If you set `AUTHENTICATION_PASSWORD` as an env var, it overrides anything in config.yaml.
2025-11-14 13:34:19 +00:00
---
2026-01-12 11:22:24 +00:00
## Security Considerations
2025-11-14 13:34:19 +00:00
### ✅ What This Protects
- Unauthorized access to your notes
- All API endpoints
2026-01-12 11:22:24 +00:00
- Viewing, creating, editing, deleting notes
2025-11-14 13:34:19 +00:00
### ⚠️ What This Doesn't Protect
2026-01-12 11:22:24 +00:00
This is a **simple single-user** system. NOT suitable for:
2025-11-14 13:34:19 +00:00
- ❌ Multi-user environments
2026-01-12 11:22:24 +00:00
- ❌ Public internet without HTTPS
2025-11-14 13:34:19 +00:00
- ❌ Compliance requirements (HIPAA, GDPR, etc.)
### 🛡️ Best Practices
2026-01-12 11:22:24 +00:00
1. **Use HTTPS** — Run behind a reverse proxy (Traefik, nginx, Caddy)
2. **Strong password** — At least 12 characters, mixed case, numbers, symbols
3. **Unique secret key** — Never reuse across applications
4. **Keep config secure** — Don't commit credentials to version control
2025-11-14 13:34:19 +00:00
---
2026-01-12 11:22:24 +00:00
## Disabling Authentication
2025-11-14 13:34:19 +00:00
```yaml
authentication:
2025-11-14 13:34:19 +00:00
enabled: false
```
2026-01-12 11:22:24 +00:00
Restart the app to apply.