diff --git a/README.md b/README.md index 8464f8c..df2dfd8 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,8 @@ Use the pre-built image directly from GHCR - no building required! > # Now you have everything - run docker-compose below > ``` +> **๐Ÿ” Security Note**: Authentication is **enabled by default** with password `admin`. For testing/local use, this is fine. If exposing to a network, **change the password immediately** - see [AUTHENTICATION.md](data/notes/AUTHENTICATION.md) for instructions. + **Option 1: Docker Compose (Recommended)** > ๐Ÿ’ก **Multi-Architecture Support**: Docker images are available for both `x86_64` and `ARM64` (Raspberry Pi, Apple Silicon, etc.) @@ -224,9 +226,11 @@ NoteDiscovery is designed for **self-hosted, private use**. Please keep these se - By default, the app listens on `0.0.0.0:8000` (all network interfaces) ### Authentication -- **Optional password protection** is available (disabled by default) -- See **AUTHENTICATION.md** for setup instructions -- Simple to enable with Docker: `docker-compose exec notediscovery /app/generate_password_hash.sh` +- **Password protection is ENABLED by default** with password: `admin` +- โš ๏ธ **CHANGE THE DEFAULT PASSWORD IMMEDIATELY** if exposing to a network! +- See **[AUTHENTICATION.md](data/notes/AUTHENTICATION.md)** for complete setup instructions +- To disable auth, set `security.enabled: false` in `config.yaml` +- Change password with Docker: `docker-compose exec notediscovery /app/generate_password_hash.sh` - Perfect for single-user or small team deployments - For multi-user setups, consider a reverse proxy with OAuth/SSO diff --git a/config.yaml b/config.yaml index 92da79f..20ab0b1 100644 --- a/config.yaml +++ b/config.yaml @@ -29,14 +29,20 @@ security: secret_key: "change_this_to_a_random_secret_key_in_production" # Password hash - Generate with: python generate_password.py + # โš ๏ธ WARNING: The default hash below corresponds to password "admin" + # โš ๏ธ CHANGE THIS IMMEDIATELY in production! + # # INSTRUCTIONS: # 1. Run: pip install bcrypt # 2. Run: python generate_password.py # 3. Enter your desired password # 4. Copy the generated hash below - # 5. Set enabled: true above + # 5. ALSO change secret_key above # 6. Restart the application - password_hash: "$2b$12$t/6PGExFzdpU2PUta0iVY.eDQwvu63kH.c/d4bEnnHaQ5CspH1yrG" + # + # Docker users can generate a hash with: + # docker-compose exec notediscovery /app/generate_password_hash.sh + password_hash: "$2b$12$t/6PGExFzdpU2PUta0iVY.eDQwvu63kH.c/d4bEnnHaQ5CspH1yrG" # Default: "admin" # Session expiry in seconds (default: 7 days) session_max_age: 604800 diff --git a/data/notes/AUTHENTICATION.md b/data/notes/AUTHENTICATION.md index 0d358cc..5043108 100644 --- a/data/notes/AUTHENTICATION.md +++ b/data/notes/AUTHENTICATION.md @@ -1,5 +1,15 @@ # ๐Ÿ”’ NoteDiscovery Authentication Guide +## โš ๏ธ **IMPORTANT: Default Password Warning** + +> **The default `config.yaml` includes authentication enabled with password: `admin`** +> +> ๐Ÿ”ด **CHANGE THIS IMMEDIATELY if you're exposing NoteDiscovery to a network!** +> +> The default configuration is provided for **quick testing only**. Follow the setup guide below to set your own secure password and secret key. + +--- + ## Overview NoteDiscovery includes a simple, secure authentication system for single-user deployments. When enabled, users must log in with a password before accessing the application. @@ -16,7 +26,30 @@ NoteDiscovery includes a simple, secure authentication system for single-user de ## ๐Ÿš€ Quick Setup -**โš ๏ธ IMPORTANT:** Authentication is **disabled by default**. Follow these steps to enable it: +**Default Configuration:** +- Authentication is **enabled by default** +- Default password is `admin` +- Default secret key is insecure + +**โš ๏ธ IMPORTANT:** For production or network-exposed deployments, **change both the password and secret key immediately**. Follow these steps: + +--- + +### ๐Ÿงช **Quick Test (Use Default Password)** + +For **local testing only**, you can use the default configuration: + +1. Start NoteDiscovery (Docker or locally) +2. Navigate to `http://localhost:8000` +3. Log in with password: `admin` + +**โš ๏ธ Only use this for local testing on your own machine!** + +--- + +### ๐Ÿ”’ **Production Setup (Change Password & Secret Key)** + +For any deployment exposed to a network, follow these steps: ### Step 1: Generate a Password Hash