b135f11557
Security (P0): - Remove committed session-secret default; auto-generate and persist a random secret to the config volume when SESSION_SECRET is unset (prevents forgeable session cookies / auth bypass). - Validate playlist names to a safe charset and render sldl configs via literal Python substitution instead of sed (closes a command-injection and path-traversal path through playlist names). - shlex-quote credential values written to shell-sourced env files, and strip newlines from values patched into .conf files. - Render playlist .conf files 0600; warn at startup if the master key is co-located with the config volume; document keeping it separate. Portability: - Configurable timezone via TZ (default UTC) instead of hardcoded Edmonton. - Remove personal defaults (navidrome user "andrew", ephemeral.club URLs). - Ship generic example seeds; move the cross-album dedup keep-list and the legacy playlist import to editable config files; drop the personal _upgrade.csv. - Generic VPN reference in docker-compose.snippet.yml. First-run experience: - Redirect to /setup instead of 500 when OIDC is unconfigured; surface a missing master key inline; entrypoint exits with an actionable message when the config folder is not writable. - Add unauthenticated /health (JSON) and /setup (checklist) diagnostics. Docs: - Write docs/ARCHITECTURE.md and docs/MIGRATION.md (previously referenced but missing); expand README with ownership, backups, advanced settings, and migration guidance. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
55 lines
1.9 KiB
Python
55 lines
1.9 KiB
Python
import asyncio
|
|
import time
|
|
|
|
from fastapi import APIRouter, Depends, Request
|
|
from fastapi.templating import Jinja2Templates
|
|
from sqlalchemy import select
|
|
|
|
from app.db import get_db
|
|
from app.models import JobRun
|
|
from app.security.deps import require_auth
|
|
from app.services import beets_service, credential_service, diagnostics, network_service, playlist_service, scheduler_service
|
|
|
|
router = APIRouter(tags=["dashboard"])
|
|
templates = Jinja2Templates(directory="app/templates")
|
|
|
|
_RECENT_TRACKS_WINDOW_SECONDS = 24 * 60 * 60
|
|
|
|
|
|
def _human_bytes(n: int) -> str:
|
|
size = float(n)
|
|
for unit in ("B", "KB", "MB", "GB", "TB"):
|
|
if size < 1024 or unit == "TB":
|
|
return f"{size:.1f} {unit}"
|
|
size /= 1024
|
|
return f"{size:.1f} TB"
|
|
|
|
|
|
@router.get("/")
|
|
async def dashboard(request: Request, user: dict = Depends(require_auth), db=Depends(get_db)):
|
|
stats = beets_service.stats()
|
|
playlists = playlist_service.list_all(db)
|
|
recent_runs = list(
|
|
db.execute(select(JobRun).order_by(JobRun.started_at.desc()).limit(10)).scalars()
|
|
)
|
|
recent_tracks = beets_service.recently_added(time.time() - _RECENT_TRACKS_WINDOW_SECONDS)
|
|
public_ip = await asyncio.to_thread(network_service.public_ip)
|
|
setup_warnings = [c for c in diagnostics.checks() if not c["ok"] and (c["critical"] or c.get("warn"))]
|
|
return templates.TemplateResponse(
|
|
request,
|
|
"dashboard.html",
|
|
{
|
|
"user": user,
|
|
"setup_warnings": setup_warnings,
|
|
"stats": stats,
|
|
"total_size_human": _human_bytes(stats.get("total_bytes", 0)),
|
|
"playlist_count": len(playlists),
|
|
"active_playlist_count": len([p for p in playlists if p.active]),
|
|
"recent_runs": recent_runs,
|
|
"recent_tracks": recent_tracks,
|
|
"auth_states": credential_service.auth_states(db),
|
|
"humanize_job_key": scheduler_service.humanize_job_key,
|
|
"public_ip": public_ip,
|
|
},
|
|
)
|