feat: add configurable username/password auth via environment variables

README.md

@@ -102,6 +102,29 @@ The application includes automated backups to S3-compatible storage (like Minio)
    - Check your Minio bucket for backup files named `weight-tracker-backup-[timestamp].json`
    - Backups are automatically rotated based on the retention setting
 
+### Authentication
+
+The Weight Tracker application can be password-protected to secure your personal health data. To enable password protection, set the following environment variables in your Coolify deployment:
+
+- `AUTH_USERNAME`: The username for authentication (defaults to `user` if not specified)
+- `AUTH_PASSWORD`: The password for authentication (defaults to `password` if not specified)
+
+Example:
+```
+AUTH_USERNAME=myusername
+AUTH_PASSWORD=mysecurepassword
+```
+
+### Authentication Details
+
+1. **Simple Setup**: Just set the username and password directly in your environment variables
+2. **Browser Login**: When accessing your Weight Tracker, you'll be prompted with a browser login dialog
+3. **Login Credentials**:
+   - Username: The value of `AUTH_USERNAME` (defaults to `user`)
+   - Password: The value of `AUTH_PASSWORD` (defaults to `password`)
+
+> **Note**: This approach uses Nginx's basic authentication with plaintext passwords stored in environment variables. While simpler to set up, ensure your Coolify environment is secure and that you're using HTTPS for all connections.
+
 ### Password Protection
 
 The application includes password protection to secure your health data:

docker-compose.yml

@@ -16,6 +16,8 @@ services:
     environment:
       # Authentication Configuration
       - PASSWORD_HASH=${PASSWORD_HASH:-$2a$10$EgxHKjDDFcZKtQY9hl/N4.QvEQHCXVnQXw9dzFYlUDVKOcLMGp9eq}
+      - AUTH_USERNAME=${AUTH_USERNAME:-user}
+      - AUTH_PASSWORD=${AUTH_PASSWORD:-password}
       - SESSION_SECRET=${SESSION_SECRET:-change-this-to-a-random-string}
       - COOKIE_SECURE=${COOKIE_SECURE:-false}
       

generate-htpasswd.js

@@ -8,15 +8,19 @@
 const fs = require('fs');
 const path = require('path');
 
-// Default username
+// Get username from environment variable or use default
-const USERNAME = 'user';
+const USERNAME = process.env.AUTH_USERNAME || 'user';
 
 // Get password hash from environment variable
 const passwordHash = process.env.PASSWORD_HASH || '$2a$10$EgxHKjDDFcZKtQY9hl/N4.QvEQHCXVnQXw9dzFYlUDVKOcLMGp9eq';
 
-// Format for .htpasswd: username:$2y$...hash...
+// For Nginx basic auth, we need to use the format: username:{PLAIN}password
-// Note: Nginx requires $2y$ format instead of bcrypt's $2a$ format
+// This is simpler and more reliable than trying to use bcrypt hashes with Nginx
-const htpasswdContent = `${USERNAME}:${passwordHash.replace('$2a$', '$2y$')}`;
+// Extract the original password from environment variable if available
+const plainPassword = process.env.AUTH_PASSWORD || 'password';
+
+// Format for .htpasswd with plaintext password
+const htpasswdContent = `${USERNAME}:{PLAIN}${plainPassword}`;
 
 // Path to the .htpasswd file
 const htpasswdPath = '/etc/nginx/.htpasswd';

supervisord.conf

@@ -8,7 +8,7 @@ pidfile=/var/run/supervisord.pid
 [program:generate-htpasswd]
 command=node /usr/share/nginx/api/generate-htpasswd.js
 directory=/usr/share/nginx/api
-environment=PASSWORD_HASH="%(ENV_PASSWORD_HASH)s"
+environment=PASSWORD_HASH="%(ENV_PASSWORD_HASH)s",AUTH_USERNAME="%(ENV_AUTH_USERNAME)s",AUTH_PASSWORD="%(ENV_AUTH_PASSWORD)s"
 autostart=true
 autorestart=false
 startsecs=0