Yundera
diff --git a/‎README.md‎
Lines changed: 6 additions & 0 deletions b/‎README.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎auth-service/app.js‎
Lines changed: 69 additions & 20 deletions b/‎auth-service/app.js‎
Lines changed: 69 additions & 20 deletions
diff --git a/‎auto-add-hash.sh‎
Lines changed: 94 additions & 4 deletions b/‎auto-add-hash.sh‎
Lines changed: 94 additions & 4 deletions
@@ -205,6 +205,12 @@ ALLOWED_PATHS: "login,about,api/health,api/public"
 
 Now `/login` and `/api/health` work without a hash, but `/dashboard` still requires it.
 
+**Important - Reserved Paths:**
+- `/nhl-auth/` is reserved for internal authentication endpoints and cannot be used in ALLOWED_PATHS
+- `/login` is reserved for the login page
+- All other paths are available for use in ALLOWED_PATHS
+- The `/auth` path is now available for your application (previously reserved)
+
 ## Dynamic Path Allowlisting (Advanced Feature)
 
 ### What Problem Does It Solve?
 
@@ -10,11 +10,17 @@ const PORT = 9999;
 // Configuration from environment
 const USERNAME = process.env.USER || '';
 const PASSWORD = process.env.PASSWORD || '';
+const AUTH_HASH = process.env.AUTH_HASH || '';
 const SESSION_DURATION_HOURS = parseInt(process.env.SESSION_DURATION_HOURS || '720', 10);
 const SESSION_DURATION_MS = SESSION_DURATION_HOURS * 60 * 60 * 1000;
 
+// Generate password hash for session validation
+// When password changes (container restart), password-based sessions become invalid
+const PASSWORD_HASH = crypto.createHash('sha256').update(PASSWORD + USERNAME).digest('hex');
+
 // In-memory session store
-// Format: { sessionId: { expires: timestamp } }
+// Format: { sessionId: { expires: timestamp, passwordHash?: string, authHash?: string } }
+// Sessions can be authenticated via password OR auth hash
 const sessions = {};
 
 // Generate secure random session ID
@@ -123,7 +129,7 @@ app.get('/login', (req, res) => {
 <body>
     <div class="container">
         <h1>🔒 Login Required</h1>
-        <form method="POST" action="/auth/login">
+        <form method="POST" action="/nhl-auth/login">
             <div class="form-group">
                 <label>Username</label>
                 <input type="text" name="username" required autofocus>
@@ -157,7 +163,7 @@ app.get('/login', (req, res) => {
 });
 
 // Handle login submission
-app.post('/auth/login', async (req, res) => {
+app.post('/nhl-auth/login', async (req, res) => {
     const { username, password, redirect } = req.body;
     const startTime = Date.now();
 
@@ -168,7 +174,8 @@ app.post('/auth/login', async (req, res) => {
         // Create session
         const sessionId = generateSessionId();
         sessions[sessionId] = {
-            expires: Date.now() + SESSION_DURATION_MS
+            expires: Date.now() + SESSION_DURATION_MS,
+            passwordHash: PASSWORD_HASH
         };
 
         console.log(`[Auth Service] Login successful for user: ${username}`);
@@ -197,14 +204,34 @@ app.post('/auth/login', async (req, res) => {
 });
 
 // Auth check endpoint (called by nginx auth_request)
-app.get('/auth/check', (req, res) => {
+app.get('/nhl-auth/check', (req, res) => {
     // Check for existing session first
     let sessionId = req.cookies.nginxhashlock_session;
 
-    if (sessionId && sessions[sessionId] && sessions[sessionId].expires > Date.now()) {
-        // Valid session exists
-        console.log(`[Auth Service] Auth check passed via session (${sessionId.substring(0, 8)}...)`);
-        return res.status(200).send('OK');
+    if (sessionId && sessions[sessionId]) {
+        const session = sessions[sessionId];
+
+        // Check if session is expired
+        if (session.expires < Date.now()) {
+            console.log(`[Auth Service] Auth check failed: Session expired (${sessionId.substring(0, 8)}...)`);
+            delete sessions[sessionId];
+            // Continue to check other auth methods
+        }
+        // Check if credentials are still valid
+        else {
+            // Session is valid if EITHER password hash OR auth hash matches
+            const passwordValid = session.passwordHash && session.passwordHash === PASSWORD_HASH;
+            const authHashValid = session.authHash && session.authHash === AUTH_HASH;
+
+            if (passwordValid || authHashValid) {
+                console.log(`[Auth Service] Auth check passed via session (${sessionId.substring(0, 8)}...)`);
+                return res.status(200).send('OK');
+            } else {
+                console.log(`[Auth Service] Auth check failed: Credentials changed, invalidating session (${sessionId.substring(0, 8)}...)`);
+                delete sessions[sessionId];
+                // Continue to check other auth methods
+            }
+        }
     }
 
     // No valid session - check if hash parameter is valid
@@ -219,7 +246,8 @@ app.get('/auth/check', (req, res) => {
             if (!sessionId || !sessions[sessionId]) {
                 sessionId = generateSessionId();
                 sessions[sessionId] = {
-                    expires: Date.now() + SESSION_DURATION_MS
+                    expires: Date.now() + SESSION_DURATION_MS,
+                    authHash: AUTH_HASH
                 };
 
                 console.log(`[Auth Service] Session created for hash auth: ${sessionId.substring(0, 8)}... (expires in ${SESSION_DURATION_HOURS}h)`);
@@ -258,36 +286,57 @@ app.get('/auth/check', (req, res) => {
         return res.status(401).send('Unauthorized');
     }
 
+    // Check if password has changed
+    if (session.passwordHash && session.passwordHash !== PASSWORD_HASH) {
+        console.log(`[Auth Service] Auth check failed: Password changed, invalidating session (${sessionId.substring(0, 8)}...)`);
+        delete sessions[sessionId];
+        return res.status(401).send('Unauthorized');
+    }
+
     // Session is valid
     console.log(`[Auth Service] Auth check passed via session (${sessionId.substring(0, 8)}...)`);
     res.status(200).send('OK');
 });
 
 // Establish session endpoint (for hash authentication to set cookies properly)
-app.get('/auth/establish-session', (req, res) => {
+app.get('/nhl-auth/establish-session', (req, res) => {
     // Check if hash parameter is valid
     if (process.env.AUTH_HASH) {
         const hash = req.query.hash;
-        const returnTo = req.query.return_to || '/';
+        let returnTo = req.query.return_to || '/';
+
+        // Strip hash parameter from return URL to prevent redirect loop
+        returnTo = returnTo.replace(/[?&]hash=[^&]+(&|$)/, (match, p1) => p1 === '&' ? '&' : '?').replace(/[?&]$/, '').replace(/\?$/, '') || '/';
 
         if (hash && hash === process.env.AUTH_HASH) {
             // Check if session already exists
             let sessionId = req.cookies.nginxhashlock_session;
 
-            if (sessionId && sessions[sessionId] && sessions[sessionId].expires > Date.now()) {
-                // Valid session already exists
-                console.log(`[Auth Service] Session already valid: ${sessionId.substring(0, 8)}...`);
-                // Redirect back if requested
-                if (req.query.return_to) {
-                    return res.redirect(returnTo);
+            if (sessionId && sessions[sessionId]) {
+                const session = sessions[sessionId];
+                // Check if session is valid (not expired and credentials are still valid)
+                const passwordValid = session.passwordHash && session.passwordHash === PASSWORD_HASH;
+                const authHashValid = session.authHash && session.authHash === AUTH_HASH;
+
+                if (session.expires > Date.now() && (passwordValid || authHashValid)) {
+                    // Valid session already exists
+                    console.log(`[Auth Service] Session already valid: ${sessionId.substring(0, 8)}...`);
+                    // Redirect back if requested
+                    if (req.query.return_to) {
+                        return res.redirect(returnTo);
+                    }
+                    return res.status(200).json({ status: 'ok', message: 'Session already valid' });
+                } else {
+                    // Session expired or password changed, delete it
+                    delete sessions[sessionId];
                 }
-                return res.status(200).json({ status: 'ok', message: 'Session already valid' });
             }
 
             // Create new session
             sessionId = generateSessionId();
             sessions[sessionId] = {
-                expires: Date.now() + SESSION_DURATION_MS
+                expires: Date.now() + SESSION_DURATION_MS,
+                authHash: AUTH_HASH
             };
 
             console.log(`[Auth Service] Session established via hash: ${sessionId.substring(0, 8)}... (expires in ${SESSION_DURATION_HOURS}h)`);
 
@@ -18,8 +18,34 @@ const fs = require('fs');
 const DYNAMIC_PATHS_FILE = process.env.DYNAMIC_PATHS_FILE || '/tmp/dynamic_paths/allowed.txt';
 const DEFAULT_TTL = 3600; // 1 hour in seconds
 const LISTEN_PORT = 9997;
-const AUTH_SERVICE_URL = 'http://127.0.0.1:9999/auth/check';
+const AUTH_SERVICE_URL = 'http://127.0.0.1:9999/nhl-auth/check';
 
+// Helper function to check if IP is from Docker internal network
+function isDockerInternalIP(ip) {
+    // Remove IPv6 prefix if present
+    ip = ip.replace(/^::ffff:/, '');
+
+    // Localhost
+    if (ip === '127.0.0.1' || ip === '::1') return true;
+
+    const parts = ip.split('.');
+    if (parts.length !== 4) return false;
+
+    const first = parseInt(parts[0]);
+    const second = parseInt(parts[1]);
+
+    // Docker network ranges
+    // 10.0.0.0/8
+    if (first === 10) return true;
+
+    // 172.16.0.0/12
+    if (first === 172 && second >= 16 && second <= 31) return true;
+
+    // 192.168.0.0/16
+    if (first === 192 && second === 168) return true;
+
+    return false;
+}
 
 const server = http.createServer((req, res) => {
     const originalUri = req.headers['x-original-uri'] || '';
@@ -33,6 +59,36 @@ const server = http.createServer((req, res) => {
         return;
     }
 
+    // Handle request errors to prevent crashes
+    req.on('error', (err) => {
+        console.error('[AUTO-ADD] Request error:', err);
+        try {
+            res.writeHead(500);
+            res.end();
+        } catch (e) {
+            console.error('[AUTO-ADD] Failed to send error response:', e);
+        }
+    });
+
+    res.on('error', (err) => {
+        console.error('[AUTO-ADD] Response error:', err);
+    });
+
+    // Check if request is from Docker internal network (container-to-container)
+    const remoteAddr = req.headers['x-real-ip'] || req.connection.remoteAddress || '';
+    const isInternalRequest = isDockerInternalIP(remoteAddr);
+
+    if (isInternalRequest) {
+        // Internal requests from Stremio server itself - always allow and add to allowlist
+        console.log(`[AUTO-ADD] Internal request from ${remoteAddr} for hash ${hash} - bypassing auth`);
+        if (!isHashAllowed(hash)) {
+            addHashToAllowlist(hash);
+        }
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+
     // FIRST check if hash is already in allowlist (for subsequent requests)
     if (isHashAllowed(hash)) {
         res.writeHead(204);
@@ -90,8 +146,9 @@ const server = http.createServer((req, res) => {
         }
     });
 
-    authReq.on('error', () => {
+    authReq.on('error', (err) => {
         // Auth service error - fall back to dynamic allowlist check
+        console.error('[AUTO-ADD] Auth service connection error:', err.message);
         if (isHashAllowed(hash)) {
             res.writeHead(204);
             res.end();
@@ -101,6 +158,12 @@ const server = http.createServer((req, res) => {
         }
     });
 
+    // Add timeout to prevent hanging connections
+    authReq.setTimeout(5000, () => {
+        console.error('[AUTO-ADD] Auth service request timeout');
+        authReq.destroy();
+    });
+
     authReq.end();
 });
 
@@ -167,10 +230,37 @@ function addHashToAllowlist(hash) {
     }
 }
 
+// Handle server-level errors
+server.on('error', (err) => {
+    console.error('[AUTO-ADD] Server error:', err);
+});
+
+server.on('clientError', (err, socket) => {
+    console.error('[AUTO-ADD] Client error:', err.message);
+    socket.end('HTTP/1.1 400 Bad Request\r\n\r\n');
+});
+
 server.listen(LISTEN_PORT, '127.0.0.1', () => {
     console.log(`[AUTO-ADD] Listening on port ${LISTEN_PORT}`);
 });
+
+// Prevent crashes from uncaught exceptions
+process.on('uncaughtException', (err) => {
+    console.error('[AUTO-ADD] Uncaught exception:', err);
+    console.error('[AUTO-ADD] Service continuing...');
+});
+
+process.on('unhandledRejection', (reason, promise) => {
+    console.error('[AUTO-ADD] Unhandled rejection at:', promise, 'reason:', reason);
+    console.error('[AUTO-ADD] Service continuing...');
+});
 JSEOF
 
-# Run the Node.js server
-exec node /tmp/auto-add-hash-server.js
+# Run the Node.js server with auto-restart
+while true; do
+    echo "[AUTO-ADD] Starting service..."
+    node /tmp/auto-add-hash-server.js
+    EXIT_CODE=$?
+    echo "[AUTO-ADD] Service exited with code $EXIT_CODE, restarting in 2 seconds..."
+    sleep 2
+done