From 45963978be4a6174157ff3aed7eab8e62f4c5b0c Mon Sep 17 00:00:00 2001 From: Gamosoft Date: Thu, 8 Jan 2026 16:29:14 +0100 Subject: [PATCH 1/6] use plain text password --- backend/main.py | 28 +++++++++++- config.yaml | 11 ++++- documentation/AUTHENTICATION.md | 61 +++++++++++++++++++++++--- documentation/ENVIRONMENT_VARIABLES.md | 15 ++++++- 4 files changed, 103 insertions(+), 12 deletions(-) diff --git a/backend/main.py b/backend/main.py index 2d057e7..aaa547e 100644 --- a/backend/main.py +++ b/backend/main.py @@ -67,10 +67,34 @@ if 'AUTHENTICATION_ENABLED' in os.environ: else: print(f"๐Ÿ” Authentication {'ENABLED' if config.get('authentication', {}).get('enabled', False) else 'DISABLED'} (from config.yaml)") -# Allow password hash to be set via environment variable (useful for demos) -if 'AUTHENTICATION_PASSWORD_HASH' in os.environ: +# Password configuration priority: +# 1. AUTHENTICATION_PASSWORD env var (plain text, hashed at startup) +# 2. AUTHENTICATION_PASSWORD_HASH env var (pre-hashed) +# 3. authentication.password in config.yaml (plain text, hashed at startup) +# 4. authentication.password_hash in config.yaml (pre-hashed) +# Default password is "admin" if nothing is configured +if 'AUTHENTICATION_PASSWORD' in os.environ: + # Plain text password from env var - hash it + plain_password = os.getenv('AUTHENTICATION_PASSWORD') + config['authentication']['password_hash'] = bcrypt.hashpw( + plain_password.encode('utf-8'), + bcrypt.gensalt() + ).decode('utf-8') + print("๐Ÿ”‘ Password loaded from AUTHENTICATION_PASSWORD env var (hashed at startup)") +elif 'AUTHENTICATION_PASSWORD_HASH' in os.environ: + # Pre-hashed password from env var config['authentication']['password_hash'] = os.getenv('AUTHENTICATION_PASSWORD_HASH') print("๐Ÿ”‘ Password hash loaded from AUTHENTICATION_PASSWORD_HASH env var") +elif config.get('authentication', {}).get('password'): + # Plain text password from config.yaml - hash it + plain_password = config['authentication']['password'] + config['authentication']['password_hash'] = bcrypt.hashpw( + plain_password.encode('utf-8'), + bcrypt.gensalt() + ).decode('utf-8') + # Clear the plain text password from config for security + del config['authentication']['password'] + print("๐Ÿ”‘ Password loaded from config.yaml (hashed at startup)") # Allow secret key to be set via environment variable (for session security) if 'AUTHENTICATION_SECRET_KEY' in os.environ: diff --git a/config.yaml b/config.yaml index 9dbd2f5..5a3653a 100644 --- a/config.yaml +++ b/config.yaml @@ -35,9 +35,16 @@ authentication: # Generate with: python -c "import secrets; print(secrets.token_hex(32))" secret_key: "change_this_to_a_random_secret_key_in_production" - # Password hash - Generate with: python generate_password.py + # Password configuration - choose ONE of the following options: + # + # Option 1: Plain text password (recommended for ease of use) + # The password is hashed automatically at startup # โš ๏ธ Default password is "admin" - CHANGE THIS for production! - password_hash: "$2b$12$t/6PGExFzdpU2PUta0iVY.eDQwvu63kH.c/d4bEnnHaQ5CspH1yrG" # Default: "admin" + password: "admin" + + # Option 2: Pre-hashed password (for advanced users) + # Generate with: python generate_password.py + # password_hash: "$2b$12$..." # Session expiry in seconds (default: 7 days) session_max_age: 604800 diff --git a/documentation/AUTHENTICATION.md b/documentation/AUTHENTICATION.md index 0f7adb1..ed53822 100644 --- a/documentation/AUTHENTICATION.md +++ b/documentation/AUTHENTICATION.md @@ -49,9 +49,54 @@ For **local testing only**, you can use the default configuration: For any deployment exposed to a network, follow these steps: -### Step 1: Generate a Password Hash +--- -Choose your environment: +## Password Configuration Options + +NoteDiscovery supports two ways to set passwords: + +| Method | Best For | Security | +|--------|----------|----------| +| **Plain text password** | Docker, PikaPods, easy deployment | Password is hashed at startup | +| **Pre-hashed password** | Advanced users, extra security | You control the hashing | + +Both methods are secure - the plain text option simply hashes the password when the app starts. + +--- + +### Option A: Plain Text Password (Recommended for Docker/PikaPods) + +The easiest approach - just set your password directly: + +**Via Environment Variable:** +```bash +# Docker run +docker run -e AUTHENTICATION_ENABLED=true \ + -e AUTHENTICATION_PASSWORD=your_secure_password \ + ... + +# Docker Compose (.env file) +AUTHENTICATION_ENABLED=true +AUTHENTICATION_PASSWORD=your_secure_password +``` + +**Via config.yaml:** +```yaml +authentication: + enabled: true + password: "your_secure_password" + secret_key: "your_generated_secret_key_here" +``` + +The password is automatically hashed with bcrypt when the app starts. + +--- + +### Option B: Pre-Hashed Password (Advanced) + +For users who prefer to hash passwords themselves: + +#### Step 1: Generate a Password Hash **Docker Users:** @@ -81,7 +126,7 @@ The script will: **Copy the hash** - you'll need it for Step 3. -### Step 2: Generate a Secret Key +#### Step 2: Generate a Secret Key Generate a random secret key for session encryption: @@ -100,7 +145,7 @@ python -c "import secrets; print(secrets.token_hex(32))" **Copy the key** - you'll need it for Step 3. -### Step 3: Update `config.yaml` +#### Step 3: Update `config.yaml` Edit your `config.yaml` and update the authentication section: @@ -119,7 +164,9 @@ authentication: session_max_age: 604800 ``` -### Step 4: Restart the Application +--- + +### Restart the Application ```bash # If running locally @@ -132,11 +179,11 @@ docker-compose restart docker restart notediscovery ``` -### Step 5: Test Login +### Test Login Navigate to `http://localhost:8000` and you'll be redirected to the login page. -Enter the password you chose in Step 2. +Enter the password you configured. --- diff --git a/documentation/ENVIRONMENT_VARIABLES.md b/documentation/ENVIRONMENT_VARIABLES.md index 4b32ef2..5a0c268 100644 --- a/documentation/ENVIRONMENT_VARIABLES.md +++ b/documentation/ENVIRONMENT_VARIABLES.md @@ -17,9 +17,22 @@ NoteDiscovery supports environment variables to override configuration settings, | Variable | Type | Default | Description | |----------|------|---------|-------------| | `AUTHENTICATION_ENABLED` | boolean | `config.yaml` | Enable/disable authentication | -| `AUTHENTICATION_PASSWORD_HASH` | string | `config.yaml` | Bcrypt password hash | +| `AUTHENTICATION_PASSWORD` | string | `admin` | Plain text password (hashed automatically at startup) | +| `AUTHENTICATION_PASSWORD_HASH` | string | - | Pre-hashed bcrypt password (for advanced users) | | `AUTHENTICATION_SECRET_KEY` | string | `config.yaml` | Session secret key (for session security) | +> **Password Priority:** `AUTHENTICATION_PASSWORD` takes precedence over `AUTHENTICATION_PASSWORD_HASH`. If both are set, the plain text password is used. + +#### Example: Setting password via environment variable + +```bash +# Docker +docker run -e AUTHENTICATION_ENABLED=true -e AUTHENTICATION_PASSWORD=mysecretpassword ... + +# Docker Compose (in .env file or docker-compose.yml) +AUTHENTICATION_PASSWORD=mysecretpassword +``` + ### Demo Mode | Variable | Type | Default | Description | From bfc636f636fec169a940be9ca835da3d9eeaa895 Mon Sep 17 00:00:00 2001 From: Gamosoft Date: Fri, 9 Jan 2026 10:57:34 +0100 Subject: [PATCH 2/6] fixed misalignment of list items when using syntax highlight --- frontend/app.js | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/frontend/app.js b/frontend/app.js index 8595b8b..83f482d 100644 --- a/frontend/app.js +++ b/frontend/app.js @@ -800,9 +800,17 @@ function noteApp() { // Links [text](url) html = html.replace(/\[([^\]]+)\]\(([^)]+)\)/g, '[$1]($2)'); - // Lists - html = html.replace(/^(\s*)([-*+])\s/gm, '$1$2 '); - html = html.replace(/^(\s*)(\d+\.)\s/gm, '$1$2 '); + // Lists - use [ \t] instead of \s to avoid matching newlines + // Capture rest of line to handle empty bullets properly (issue #142) + html = html.replace(/^(\s*)([-*+])[ \t](.*)$/gm, (match, indent, bullet, rest) => { + // If rest is empty/whitespace-only, add zero-width space to prevent line collapse + const content = rest.trim() === '' ? '\u200B' : rest; + return `${indent}${bullet} ${content}`; + }); + html = html.replace(/^(\s*)(\d+\.)[ \t](.*)$/gm, (match, indent, bullet, rest) => { + const content = rest.trim() === '' ? '\u200B' : rest; + return `${indent}${bullet} ${content}`; + }); // Blockquotes html = html.replace(/^(>.*)$/gm, '$1'); From 17204de7e7dbe567275125b54c629af6f7c693b0 Mon Sep 17 00:00:00 2001 From: Gamosoft Date: Fri, 9 Jan 2026 11:16:38 +0100 Subject: [PATCH 3/6] added venv setup instructions --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index 4da348f..62476ed 100644 --- a/README.md +++ b/README.md @@ -146,6 +146,31 @@ python run.py - Python 3.8 or higher - pip (Python package manager) +#### Using Virtual Environments (Recommended for Arch/Fedora/Ubuntu 23.04+) + +Modern Linux distributions enforce [PEP 668](https://peps.python.org/pep-0668/), which prevents system-wide pip installs. Use a virtual environment instead: + +```bash +# Clone the repository +git clone https://github.com/gamosoft/notediscovery.git +cd notediscovery + +# Create a virtual environment +python -m venv venv + +# Activate it (choose your shell): +source venv/bin/activate # Bash/Zsh (most Linux distros) +source venv/bin/activate.fish # Fish (CachyOS, etc.) +source venv/bin/activate.csh # Csh/Tcsh +.\venv\Scripts\activate # Windows PowerShell + +# Install dependencies and run +pip install -r requirements.txt +python run.py +``` + +> ๐Ÿ’ก **Tip:** You'll need to activate the virtual environment (`source venv/bin/activate`) each time you open a new terminal before running the app. + ### Advanced Docker Setup The image includes bundled config, themes, plugins, and locales. To customize, you must: From a6c7f9f3f7c39ed1d6bb5ea14f4db0fdfed67b49 Mon Sep 17 00:00:00 2001 From: Gamosoft Date: Fri, 9 Jan 2026 11:39:23 +0100 Subject: [PATCH 4/6] changed tip to warning --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 62476ed..c8b55dd 100644 --- a/README.md +++ b/README.md @@ -169,7 +169,9 @@ pip install -r requirements.txt python run.py ``` -> ๐Ÿ’ก **Tip:** You'll need to activate the virtual environment (`source venv/bin/activate`) each time you open a new terminal before running the app. +> โš ๏ธ **Warning** +> +> *You'll need to activate the virtual environment (source venv/bin/activate) each time you open a new terminal before running the app* ### Advanced Docker Setup From 2738d64c2657bc7684540ef7d4395495e65facec Mon Sep 17 00:00:00 2001 From: Gamosoft Date: Fri, 9 Jan 2026 12:35:48 +0100 Subject: [PATCH 5/6] changed landing page and features doc --- docs/index.html | 66 +++++++++++---------------------------- documentation/FEATURES.md | 20 ++++++++++++ 2 files changed, 38 insertions(+), 48 deletions(-) diff --git a/docs/index.html b/docs/index.html index 16d1081..6b02042 100644 --- a/docs/index.html +++ b/docs/index.html @@ -353,7 +353,7 @@ animation: fadeInScale 0.6s ease-out forwards; } - /* Stagger animation delays for feature cards */ + /* Stagger animation delays for feature cards (5 rows ร— 3 cols = 15 cards) */ .feature.animated:nth-child(1) { animation-delay: 0s; } .feature.animated:nth-child(2) { animation-delay: 0.1s; } .feature.animated:nth-child(3) { animation-delay: 0.2s; } @@ -367,6 +367,8 @@ .feature.animated:nth-child(11) { animation-delay: 0.25s; } .feature.animated:nth-child(12) { animation-delay: 0.35s; } .feature.animated:nth-child(13) { animation-delay: 0.2s; } + .feature.animated:nth-child(14) { animation-delay: 0.3s; } + .feature.animated:nth-child(15) { animation-delay: 0.4s; } .screenshot-section { margin: 4rem 0 3rem 0; @@ -832,12 +834,6 @@

No subscriptions, no hidden fees. Free and open source forever.

-
-
๐Ÿš€
-

Lightning Fast

-

Instant search and navigation. Works offline, always responsive.

-
-
๐Ÿงฎ

LaTeX Math

@@ -868,12 +864,6 @@

Create from custom templates with dynamic placeholders. Meeting notes, journals, and more.

-
-
๐Ÿ”—
-

Wikilinks

-

Link notes with [[double brackets]] Obsidian-style. Jump to sections with [[note#heading]] anchors.

-
-
๐Ÿ•ธ๏ธ

Graph View

@@ -909,6 +899,18 @@

Extensible

Plugin system lets you add custom features and integrations.

+ +
+
๐Ÿ“ฒ
+

Install as App

+

Progressive Web App (PWA) - install on desktop or mobile for a native experience.

+
+ +
+
๐ŸŒ
+

Multi-Language

+

Built-in translations for English, Spanish, German, and French. Easy to add more.

+
@@ -946,38 +948,6 @@
-
- ๐ŸŒ™ -
- Dark Mode - Easy on the eyes -
-
- -
- ๐Ÿ’ป -
- Self-Hosted - You own your data -
-
- -
- ๐Ÿ”— -
- Wikilinks - [[Link notes]] Obsidian-style -
-
- -
- ๐Ÿ•ธ๏ธ -
- Graph View - Visualize note connections -
-
-
๐Ÿ–ผ๏ธ
@@ -1011,10 +981,10 @@
- โš™๏ธ + ๐Ÿ”—
- Properties Panel - View frontmatter metadata at a glance + Wikilinks + [[Link notes]] Obsidian-style
diff --git a/documentation/FEATURES.md b/documentation/FEATURES.md index 2f1a20a..1a8287d 100644 --- a/documentation/FEATURES.md +++ b/documentation/FEATURES.md @@ -318,12 +318,32 @@ Full immersive distraction-free writing experience: - **Easy exit** - Press `Esc`, click exit button, or use shortcut again - **State preserved** - Returns to your previous view mode on exit +## ๐Ÿ“ฑ Progressive Web App (PWA) + +NoteDiscovery can be installed as a standalone app on your device: + +- **Install as app** - Add to home screen on mobile, or install via browser on desktop +- **Standalone mode** - Runs without browser chrome for a native app feel + +### How to Install +- **Desktop (Chrome/Edge)**: Click the install icon in the address bar, or Menu โ†’ "Install NoteDiscovery" +- **Android**: Chrome Menu โ†’ "Add to Home Screen" +- **iOS**: Safari Share โ†’ "Add to Home Screen" + +## ๐ŸŒ Internationalization + +- **Multiple languages** - English, Spanish, German, French built-in +- **Easy to add** - Drop JSON files in `locales/` folder +- **Instant switch** - Change language in Settings without reload +- **Community translations** - Contributions welcome! + ## ๐Ÿš€ Performance - **Instant loading** - No lag, no loading spinners - **Efficient caching** - Smart local storage - **Minimal resources** - Runs on modest hardware - **No bloat** - Focused on what matters +- **Lightweight** - No heavy frameworks --- From c9a73a4a1bc97d83e61a96a55b8374bd46b43857 Mon Sep 17 00:00:00 2001 From: Gamosoft Date: Mon, 12 Jan 2026 12:22:24 +0100 Subject: [PATCH 6/6] updated auth --- documentation/AUTHENTICATION.md | 221 ++++++++++++-------------------- 1 file changed, 80 insertions(+), 141 deletions(-) diff --git a/documentation/AUTHENTICATION.md b/documentation/AUTHENTICATION.md index ed53822..7d5c6b7 100644 --- a/documentation/AUTHENTICATION.md +++ b/documentation/AUTHENTICATION.md @@ -1,83 +1,68 @@ # ๐Ÿ”’ NoteDiscovery Authentication Guide -## โš ๏ธ **IMPORTANT: Default Password Warning** +## โš ๏ธ Default Password Warning -> **The default `config.yaml` includes authentication disabled by default, with password: `admin`** -> -> ๐Ÿ”ด **CHANGE THIS if you're exposing NoteDiscovery to a network!** -> -> The default configuration is provided for **quick testing only**. Follow the setup guide below to set your own secure password and secret key. +> **Default password is `admin`** โ€” CHANGE THIS before exposing to any network! --- ## Overview -NoteDiscovery includes a simple, secure authentication system for single-user deployments. When enabled, users must log in with a password before accessing the application. +NoteDiscovery includes simple password protection for single-user deployments. When enabled, users must log in before accessing notes. -## โœจ Features - -- โœ… **Single User** - Perfect for personal/self-hosted use -- โœ… **Secure** - Passwords hashed with bcrypt -- โœ… **Session-based** - Stay logged in for 7 days (configurable) +- โœ… Single user / self-hosted use +- โœ… Passwords hashed with bcrypt +- โœ… Session-based (7 days default, configurable) --- -## ๐Ÿš€ Quick Setup +## Quick Test (Local Only) -**Default Configuration:** -- Authentication is **disabled by default** -- Default password is `admin` -- Default secret key is insecure +For local testing, authentication is **disabled by default**. To test with auth: -**โš ๏ธ IMPORTANT:** For production or network-exposed deployments, **change both the password and secret key immediately**. - ---- - -### ๐Ÿงช **Quick Test (Use Default Password)** - -For **local testing only**, you can use the default configuration: - -1. Start NoteDiscovery (Docker or locally) -2. Navigate to `http://localhost:8000` +1. Set `authentication.enabled: true` in `config.yaml` +2. Restart the app 3. Log in with password: `admin` -**โš ๏ธ Only use this for local testing on your own machine!** +โš ๏ธ **Don't use the default password on any network!** --- -### ๐Ÿ”’ **Production Setup (Change Password & Secret Key)** +## Production Setup For any deployment exposed to a network, follow these steps: ---- +### Step 1: Generate a Secret Key -## Password Configuration Options +The secret key encrypts session cookies. Generate a random one: -NoteDiscovery supports two ways to set passwords: - -| Method | Best For | Security | -|--------|----------|----------| -| **Plain text password** | Docker, PikaPods, easy deployment | Password is hashed at startup | -| **Pre-hashed password** | Advanced users, extra security | You control the hashing | - -Both methods are secure - the plain text option simply hashes the password when the app starts. - ---- - -### Option A: Plain Text Password (Recommended for Docker/PikaPods) - -The easiest approach - just set your password directly: - -**Via Environment Variable:** ```bash -# Docker run -docker run -e AUTHENTICATION_ENABLED=true \ - -e AUTHENTICATION_PASSWORD=your_secure_password \ - ... +# Docker +docker exec -it notediscovery python -c "import secrets; print(secrets.token_hex(32))" -# Docker Compose (.env file) -AUTHENTICATION_ENABLED=true -AUTHENTICATION_PASSWORD=your_secure_password +# Local +python -c "import secrets; print(secrets.token_hex(32))" +``` + +**Save this key** โ€” you'll need it in Step 2. + +--- + +### Step 2: Configure Authentication + +Choose **one** of these options: + +#### Option A: Plain Text Password (Recommended) + +The easiest approach. Your password is automatically hashed at startup. + +**Via Environment Variables (Docker):** +```bash +docker run -d \ + -e AUTHENTICATION_ENABLED=true \ + -e AUTHENTICATION_PASSWORD=your_secure_password \ + -e AUTHENTICATION_SECRET_KEY=your_generated_secret_key \ + ... ``` **Via config.yaml:** @@ -85,142 +70,96 @@ AUTHENTICATION_PASSWORD=your_secure_password authentication: enabled: true password: "your_secure_password" - secret_key: "your_generated_secret_key_here" + secret_key: "your_generated_secret_key" ``` -The password is automatically hashed with bcrypt when the app starts. - --- -### Option B: Pre-Hashed Password (Advanced) +#### Option B: Pre-Hashed Password (Advanced) -For users who prefer to hash passwords themselves: - -#### Step 1: Generate a Password Hash - -**Docker Users:** +For users who prefer to hash passwords themselves. +**Generate a hash:** ```bash -# Docker Compose with the GHCR compose file -docker-compose -f docker-compose.ghcr.yml exec notediscovery python generate_password.py - -# Or with docker run +# Docker docker exec -it notediscovery python generate_password.py -``` -**Local Users:** - -```bash -# Install bcrypt if not already installed -pip install bcrypt - -# Run the password generator +# Local python generate_password.py ``` -The script will: -1. Prompt you for your password (input is hidden) -2. Ask you to confirm it -3. Generate a bcrypt hash -4. Display the hash with instructions - -**Copy the hash** - you'll need it for Step 3. - -#### Step 2: Generate a Secret Key - -Generate a random secret key for session encryption: - -**Docker Users:** -```bash -docker-compose exec notediscovery python -c "import secrets; print(secrets.token_hex(32))" - -# Or with docker run -docker exec -it notediscovery python -c "import secrets; print(secrets.token_hex(32))" -``` - -**Local Users:** -```bash -python -c "import secrets; print(secrets.token_hex(32))" -``` - -**Copy the key** - you'll need it for Step 3. - -#### Step 3: Update `config.yaml` - -Edit your `config.yaml` and update the authentication section: - +**Then configure:** ```yaml authentication: - # Enable authentication enabled: true - - # Session secret key (paste the output from Step 2) - secret_key: "your_generated_secret_key_here" - - # Password hash (paste the output from Step 1) - password_hash: "$2b$12$..." - - # Session expiry in seconds (7 days by default) - session_max_age: 604800 + password_hash: "$2b$12$..." # paste your hash here + secret_key: "your_generated_secret_key" ``` --- -### Restart the Application +### Step 3: Restart & Test ```bash -# If running locally -uvicorn backend.main:app --reload - -# If using Docker Compose +# Docker Compose docker-compose restart -# Or with docker run +# Docker run docker restart notediscovery + +# Local +python run.py ``` -### Test Login - -Navigate to `http://localhost:8000` and you'll be redirected to the login page. - -Enter the password you configured. +Navigate to `http://localhost:8000` โ€” you'll be redirected to the login page. --- -## ๐Ÿ”’ Security Considerations +## Configuration Priority + +If multiple sources are configured, this priority applies (first wins): + +| Priority | Source | Type | +|----------|--------|------| +| 1st | `AUTHENTICATION_PASSWORD` env var | Plain text | +| 2nd | `AUTHENTICATION_PASSWORD_HASH` env var | Pre-hashed | +| 3rd | `password` in config.yaml | Plain text | +| 4th | `password_hash` in config.yaml | Pre-hashed | + +**Example:** If you set `AUTHENTICATION_PASSWORD` as an env var, it overrides anything in config.yaml. + +--- + +## Security Considerations ### โœ… What This Protects - Unauthorized access to your notes -- Viewing, creating, editing, and deleting notes - All API endpoints +- Viewing, creating, editing, deleting notes ### โš ๏ธ What This Doesn't Protect -This is a **simple authentication system** designed for **self-hosted, single-user** deployments. It is **NOT** suitable for: +This is a **simple single-user** system. NOT suitable for: - โŒ Multi-user environments -- โŒ Public internet exposure without HTTPS -- โŒ Production SaaS applications +- โŒ Public internet without HTTPS - โŒ Compliance requirements (HIPAA, GDPR, etc.) ### ๐Ÿ›ก๏ธ Best Practices -1. **Use HTTPS** - Always run behind a reverse proxy (Traefik, nginx, Caddy) with SSL/TLS -2. **Strong Password** - Use at least 12 characters with mixed case, numbers, and symbols -3. **Unique Secret Key** - Never reuse secret keys across applications -4. **Keep Config Secure** - Don't commit `config.yaml` with real credentials to version control -5. **VPN/Private Network** - Keep NoteDiscovery on a private network or behind a VPN +1. **Use HTTPS** โ€” Run behind a reverse proxy (Traefik, nginx, Caddy) +2. **Strong password** โ€” At least 12 characters, mixed case, numbers, symbols +3. **Unique secret key** โ€” Never reuse across applications +4. **Keep config secure** โ€” Don't commit credentials to version control --- -## ๐Ÿšซ Disabling Authentication - -To disable authentication and allow open access: +## Disabling Authentication ```yaml authentication: enabled: false ``` -Restart the application, and authentication will be bypassed. \ No newline at end of file +Restart the app to apply.