v1.2.0: Authentication, directory permissions, and security hardening

- User authentication system (none/full modes) with admin panel
- Directory-level permissions with root '/' full-access option
- Protect direct /fits/ downloads via nginx auth_request
- GAIN FITS header indexing with schema upgrade system
- Faster ZIP downloads (STORE compression + streaming)
- Permission-aware duplicate badges and improved sorting

Author: michelegz

.env.example

@@ -25,4 +25,12 @@ MYSQL_PORT=3306
 HEADER_TITLE=Astro Web Indexer
 
 # Data paths
-FITS_DATA_PATH=./data/fits
+FITS_DATA_PATH=./data/fits
+
+# Authentication configuration
+# AUTH_MODE: 'none' = no auth (default), 'full' = login required with directory permissions
+AUTH_MODE=none
+
+# Initial admin user (created automatically on first startup when AUTH_MODE is not 'none')
+ADMIN_USER=admin
+ADMIN_PASSWORD=changeme

CHANGELOG.md

@@ -0,0 +1,31 @@
+# Changelog
+
+## v1.2.0
+
+### Authentication & Security
+- **User authentication system** with two modes: `none` (legacy, no auth) and `full` (login required)
+- **Directory-level permissions** — restrict user access to specific root directories
+- **Root `/` permission** — grants full access to all directories via a single toggle
+- **Admin panel** for user CRUD with directory checkboxes and last-admin protection
+- **Protect direct file downloads** — nginx `auth_request` gates all `/fits/` access through PHP session/permission checks
+- Auto-creation of initial admin user via `ADMIN_USER` / `ADMIN_PASSWORD` env vars
+- CSRF protection on all forms
+- i18n for all auth strings (en, it, fr, es, de)
+
+### Features
+- **GAIN FITS header indexing** — new `gain` column (camera gain setting), separate from the existing `egain` (electrons per ADU)
+- **Schema upgrade system** — lightweight header-only reindex when new fields are added (no thumbnail regeneration)
+- Fix: AstroBin CSV export now includes `filter` and uses `gain` instead of `egain`
+
+### Performance
+- **Faster ZIP downloads** — `STORE` compression for binary FITS/XISF files + nginx streaming (no buffering)
+
+### Improvements
+- **Permission-aware duplicate badges** — duplicate counts reflect only files the user can access
+- **Duplicate sorting** — secondary sort by total count when ordering by visible duplicates
+- Language selector on login and admin pages
+- UI layout fixes for header when auth is enabled
+
+## v1.1.0
+
+Initial public release.

README.md

@@ -66,10 +66,15 @@ The indexing engine is designed to be fast, efficient, and resilient, making it
 - 🎨 Modern, dark-themed interface
 - ⚡ Fast and efficient file browsing
 
+### 🔒 Authentication & Access Control
+- Optional user authentication with two modes: `none` (open access) and `full` (login required)
+- Directory-level permissions to restrict user access to specific folders
+- Admin panel for user management
+- Direct file download protection via nginx
+
 ### Technical Features
 - 🐳 Dockerized deployment for easy setup
 - 🗄️ MariaDB backend with schema migrations managed by **Phinx**.
-- 🔒 Secure file handling and access control
 - 📊 Extensive FITS/XISF header metadata extraction and indexing.
 
 ## 📋 Requirements
@@ -146,6 +151,14 @@ These variables are shared across all services to connect to the MariaDB contain
 | `DB_PASSWORD` | The password for the database user. | `awi_password` |
 | `MYSQL_ROOT_PASSWORD` | The root password for the MariaDB server. **It is highly recommended to change this.** | `rootpassword` |
 
+### 🔒 Authentication
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `AUTH_MODE` | Set to `full` to enable login and directory permissions. Set to `none` to disable authentication. | `none` |
+| `ADMIN_USER` | Username for the initial admin account (created on first startup). | `admin` |
+| `ADMIN_PASSWORD` | Password for the initial admin account. **Change this immediately.** | `changeme` |
+
 ### 🎨 Custom Logo
 
 You can replace the default logo with your own by mapping a local SVG file. 

docker-compose.release.yml

@@ -4,7 +4,7 @@
 
 services:
   nginx:
-    image: ghcr.io/michelegz/astro-web-indexer-nginx:v1.1.0
+    image: ghcr.io/michelegz/astro-web-indexer-nginx:v1.2.0
     container_name: nginx-awi
     ports:
       - "${NGINX_PORT:-2080}:80"
@@ -15,7 +15,7 @@ services:
       - php
 
   php:
-    image: ghcr.io/michelegz/astro-web-indexer-php:v1.1.0
+    image: ghcr.io/michelegz/astro-web-indexer-php:v1.2.0
     container_name: php-awi
     volumes:
       - ${FITS_DATA_PATH:-./data/fits}:/var/fits:ro
@@ -29,13 +29,16 @@ services:
       - DB_NAME=${DB_NAME:-awi_db}
       - DB_USER=${DB_USER:-awi_user}
       - DB_PASSWORD=${DB_PASSWORD:-awi_password}
+      - AUTH_MODE=${AUTH_MODE:-none}
+      - ADMIN_USER=${ADMIN_USER:-admin}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-changeme}
     restart: unless-stopped
     depends_on:
       mariadb:
         condition: service_healthy
 
   python:
-    image: ghcr.io/michelegz/astro-web-indexer-python:v1.1.0
+    image: ghcr.io/michelegz/astro-web-indexer-python:v1.2.0
     container_name: python-awi
     volumes:
       - ${FITS_DATA_PATH:-./data/fits}:/var/fits:ro
@@ -54,7 +57,7 @@ services:
         condition: service_healthy
 
   mariadb:
-    image: ghcr.io/michelegz/astro-web-indexer-mariadb:v1.1.0
+    image: ghcr.io/michelegz/astro-web-indexer-mariadb:v1.2.0
     container_name: mariadb-awi
     environment:
       MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-rootpassword}

docker-compose.yml

@@ -33,6 +33,9 @@ services:
       - DB_NAME=${DB_NAME:-awi_db}
       - DB_USER=${DB_USER:-awi_user}
       - DB_PASSWORD=${DB_PASSWORD:-awi_password}
+      - AUTH_MODE=${AUTH_MODE:-none}
+      - ADMIN_USER=${ADMIN_USER:-admin}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-changeme}
     restart: unless-stopped
     depends_on:
       mariadb:

docker/nginx/default.conf

@@ -10,10 +10,23 @@ server {
     }
 
     location /fits/ {
+        auth_request /auth_check;
         alias /var/fits/;
         autoindex on;
     }
 
+    # Internal endpoint for auth_request subrequests
+    location = /auth_check {
+        internal;
+        fastcgi_pass php:9000;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME /var/www/html/auth_check.php;
+        fastcgi_param CONTENT_LENGTH "";
+        fastcgi_param CONTENT_TYPE "";
+        fastcgi_pass_request_body off;
+        fastcgi_param HTTP_X_ORIGINAL_URI $request_uri;
+    }
+
     location ~ \.php$ {
         include fastcgi_params;
         fastcgi_pass php:9000;
@@ -29,6 +42,10 @@ server {
 
         # Increase the timeout specifically for zip file generation
         fastcgi_read_timeout 3600;
+
+        # Disable buffering for streaming ZIP downloads
+        fastcgi_buffering off;
+        proxy_buffering off;
     }
 
     location ~ /\. {

docker/php/docker-entrypoint.sh

@@ -5,6 +5,22 @@ set -e
 echo "Running database migrations..."
 vendor/bin/phinx migrate
 
+# Create initial admin user if AUTH_MODE is set and no users exist
+if [ "$AUTH_MODE" != "" ] && [ "$AUTH_MODE" != "none" ]; then
+    if [ -n "$ADMIN_USER" ] && [ -n "$ADMIN_PASSWORD" ]; then
+        php -r "
+            require_once '/var/www/html/includes/config.php';
+            require_once '/var/www/html/includes/db_functions.php';
+            require_once '/var/www/html/includes/auth.php';
+            \$conn = connectDB();
+            if (!hasAnyUser(\$conn)) {
+                createUser(\$conn, getenv('ADMIN_USER'), getenv('ADMIN_PASSWORD'), true, true, []);
+                echo \"Initial admin user created.\n\";
+            }
+        "
+    fi
+fi
+
 # Execute the command passed to the script (e.g., "php-fpm")
 echo "Starting PHP-FPM..."
 exec "$@"

docker/python/indexer_lib/schema_upgrade.py

@@ -0,0 +1,87 @@
+"""
+Schema upgrade utilities for the reindexer.
+
+When a new FITS header field is added to the database schema, a new entry
+must be added to SCHEMA_VERSION_FIELDS mapping the new schema version to the
+list of DB column names that are populated from the FITS header.
+
+The upgrade worker reads only the file header (no pixel data, no thumbnail
+regeneration), extracts the relevant fields, and returns them to the main
+process which performs the DB UPDATE.
+
+To add a new schema version in the future:
+  1. Add the DB column via a Phinx migration.
+  2. Add the new version and its fields to SCHEMA_VERSION_FIELDS.
+  3. Add the corresponding header extraction inside schema_upgrade_worker.
+  4. Increment current_schema_version in reindex.py.
+"""
+
+import os
+import logging
+
+from astropy.io import fits
+from xisf import XISF
+
+from indexer_lib.file_utils import get_header_value, get_xisf_header_value
+
+logger = logging.getLogger('reindex')
+
+# Maps each schema version to the DB column names introduced in that step.
+# Keys are version numbers; values are lists of field names.
+# Only steps with version > old_version are applied to a given file.
+SCHEMA_VERSION_FIELDS = {
+    2: ['gain'],  # v1 -> v2: GAIN FITS header (camera gain setting, ADU units)
+}
+
+
+def schema_upgrade_worker(task, fits_root):
+    """Lightweight multiprocessing worker for schema version upgrades.
+
+    Reads only the FITS/XISF header — does NOT load pixel data or regenerate
+    thumbnails.
+
+    Args:
+        task: Tuple of (full_path: str, old_schema_version: int)
+        fits_root: Root directory of the FITS file tree
+
+    Returns:
+        dict with 'status', 'path', 'old_version', and one key per extracted
+        field. On error: {'status': 'error', 'path': ..., 'reason': ...}
+    """
+    full_path, old_version = task
+    rel_path = os.path.relpath(full_path, fits_root)
+    file_lower = full_path.lower()
+
+    # Determine which fields need to be extracted for this upgrade path
+    needed_fields = set()
+    for step_v in sorted(SCHEMA_VERSION_FIELDS.keys()):
+        if step_v > old_version:
+            needed_fields.update(SCHEMA_VERSION_FIELDS[step_v])
+
+    try:
+        result = {'status': 'success', 'path': rel_path, 'old_version': old_version}
+
+        if needed_fields:
+            header = None
+            get_value = None
+            if file_lower.endswith(('.fits', '.fit')):
+                with fits.open(full_path, ignore_missing_end=True) as hdul:
+                    header = hdul[0].header
+                    get_value = get_header_value
+            elif file_lower.endswith('.xisf'):
+                xisf_file = XISF(full_path)
+                images_meta = xisf_file.get_images_metadata()
+                if images_meta:
+                    header = images_meta[0].get('FITSKeywords', {})
+                    get_value = get_xisf_header_value
+
+            if header is not None and get_value is not None:
+                # v1 -> v2
+                if 'gain' in needed_fields:
+                    result['gain'] = get_value(header, 'GAIN', None, float)
+                # v2 -> v3: add new fields here in the future
+
+        return result
+    except Exception as e:
+        logger.error(f"Schema upgrade error for {rel_path}: {e}")
+        return {'status': 'error', 'path': rel_path, 'reason': str(e)}