diff --git a/README.md b/README.md
index 28fd3cd..9968e6f 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,29 @@ The application includes automated backups to S3-compatible storage (like Minio)
 - Check your Minio bucket for backup files named `weight-tracker-backup-[timestamp].json`
 - Backups are automatically rotated based on the retention setting
 
+### Authentication
+
+The Weight Tracker application can be password-protected to secure your personal health data. To enable password protection, set the following environment variables in your Coolify deployment:
+
+- `AUTH_USERNAME`: The username for authentication (defaults to `user` if not specified)
+- `AUTH_PASSWORD`: The password for authentication (defaults to `password` if not specified)
+
+Example:
+```
+AUTH_USERNAME=myusername
+AUTH_PASSWORD=mysecurepassword
+```
+
+### Authentication Details
+
+1. **Simple Setup**: Just set the username and password directly in your environment variables
+2. **Browser Login**: When accessing your Weight Tracker, you'll be prompted with a browser login dialog
+3. **Login Credentials**:
+ - Username: The value of `AUTH_USERNAME` (defaults to `user`)
+ - Password: The value of `AUTH_PASSWORD` (defaults to `password`)
+
+> **Note**: This approach uses Nginx's basic authentication with plaintext passwords stored in environment variables. While simpler to set up, ensure your Coolify environment is secure and that you're using HTTPS for all connections.
+
 ### Password Protection
 
 The application includes password protection to secure your health data:
diff --git a/docker-compose.yml b/docker-compose.yml
index 1833a00..c9895ed 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,6 +16,8 @@ services:
 environment:
 # Authentication Configuration
 - PASSWORD_HASH=${PASSWORD_HASH:-$2a$10$EgxHKjDDFcZKtQY9hl/N4.QvEQHCXVnQXw9dzFYlUDVKOcLMGp9eq}
+ - AUTH_USERNAME=${AUTH_USERNAME:-user}
+ - AUTH_PASSWORD=${AUTH_PASSWORD:-password}
 - SESSION_SECRET=${SESSION_SECRET:-change-this-to-a-random-string}
 - COOKIE_SECURE=${COOKIE_SECURE:-false}
 
diff --git a/generate-htpasswd.js b/generate-htpasswd.js
index 2081f01..297f590 100644
--- a/generate-htpasswd.js
+++ b/generate-htpasswd.js
@@ -8,15 +8,19 @@
 const fs = require('fs');
 const path = require('path');
 
-// Default username
-const USERNAME = 'user';
+// Get username from environment variable or use default
+const USERNAME = process.env.AUTH_USERNAME || 'user';
 
 // Get password hash from environment variable
 const passwordHash = process.env.PASSWORD_HASH || '$2a$10$EgxHKjDDFcZKtQY9hl/N4.QvEQHCXVnQXw9dzFYlUDVKOcLMGp9eq';
 
-// Format for .htpasswd: username:$2y$...hash...
-// Note: Nginx requires $2y$ format instead of bcrypt's $2a$ format
-const htpasswdContent = `${USERNAME}:${passwordHash.replace('$2a$', '$2y$')}`;
+// For Nginx basic auth, we need to use the format: username:{PLAIN}password
+// This is simpler and more reliable than trying to use bcrypt hashes with Nginx
+// Extract the original password from environment variable if available
+const plainPassword = process.env.AUTH_PASSWORD || 'password';
+
+// Format for .htpasswd with plaintext password
+const htpasswdContent = `${USERNAME}:{PLAIN}${plainPassword}`;
 
 // Path to the .htpasswd file
 const htpasswdPath = '/etc/nginx/.htpasswd';
diff --git a/supervisord.conf b/supervisord.conf
index 77ea2b3..d8ff089 100644
--- a/supervisord.conf
+++ b/supervisord.conf
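Review bot: The `:-password` fallback on the added `AUTH_PASSWORD` line means a deployment that sets nothing comes up behind a credential that is printed in the README, and the same fallback is repeated in generate-htpasswd.js (`process.env.AUTH_PASSWORD || 'password'`). Compose can refuse to start instead of substituting a known value: `- AUTH_PASSWORD=${AUTH_PASSWORD:?AUTH_PASSWORD must be set}`, with the `|| 'password'` fallback in the script dropped to match. If a default has to stay for local development, a comment on this line saying it must be overridden before the service is reachable from a network would at least make the risk visible to whoever deploys it.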
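Review bot: `passwordHash` is still read from `PASSWORD_HASH` but no longer reaches `htpasswdContent`, so a deployment that configured only `PASSWORD_HASH` silently switches to whatever `AUTH_PASSWORD` resolves to, and the credential is now written to `/etc/nginx/.htpasswd` in clear text. I would remove the unused constant (or log a warning when `PASSWORD_HASH` is set and `AUTH_PASSWORD` is not) and add a comment beside `{PLAIN}` stating that the file must be readable only by root and the nginx worker. `USERNAME` and `plainPassword` are also interpolated unchecked: a `:` in the username or a line break in either value changes how nginx parses the file, so a guard before the template literal is worth adding. The write to `htpasswdPath` happens outside this hunk, so the file mode could not be checked here.

```javascript
// … unchanged: USERNAME and plainPassword lookups …

// ':' ends the user field and a line break starts a new entry in .htpasswd.
if (/[:\r\n]/.test(USERNAME) || /[\r\n]/.test(plainPassword)) {
  console.error('AUTH_USERNAME or AUTH_PASSWORD contains a character that is not valid in .htpasswd');
  process.exit(1);
}

// … unchanged: htpasswdContent and htpasswdPath …
```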
@@ -8,7 +8,7 @@ pidfile=/var/run/supervisord.pid
 [program:generate-htpasswd]
 command=node /usr/share/nginx/api/generate-htpasswd.js
 directory=/usr/share/nginx/api
-environment=PASSWORD_HASH="%(ENV_PASSWORD_HASH)s"
+environment=PASSWORD_HASH="%(ENV_PASSWORD_HASH)s",AUTH_USERNAME="%(ENV_AUTH_USERNAME)s",AUTH_PASSWORD="%(ENV_AUTH_PASSWORD)s"
 autostart=true
 autorestart=false
 startsecs=0
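Review bot: Expanding `%(ENV_AUTH_PASSWORD)s` inside the quoted `environment=` value sends the password through supervisord's own key/value parser, so a password containing `"` may break the line or be altered; this is worth confirming against the supervisord version in the image. Child programs inherit supervisord's environment by default, so the explicit pass-through looks unnecessary, and dropping the `environment=` line would avoid the quoting question altogether. The expansion also fails at startup when a referenced variable is undefined, which only works today because docker-compose.yml always supplies a value. If the line stays, a comment such as `; expanded by supervisord: AUTH_PASSWORD must not contain a double quote` would help operators.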