Skip to content

AUTH.md

Latest commit

 

History

History
62 lines (48 loc) · 2.55 KB

AUTH.md

File metadata and controls

62 lines (48 loc) · 2.55 KB

Authentication

Authentication is enabled by default from v0.9.6 thanks to the env var AUTH_ENABLED; it use this mandatory env var AUDIOMUSE_USER, AUDIOMUSE_PASSWORD and this optional env var API_TOKEN, JWT_SECRET.

The API_TOKEN is need only for external plugin use. The JWT_SECRET is if you want to keep the session when you restart the container.

If you deploy to Kubernetes, do not place these values in a ConfigMap; use a Secret resource so the credentials aren’t stored in plaintext imagery or git history:

AUTH_ENABLED=true
AUDIOMUSE_USER=alice
AUDIOMUSE_PASSWORD=secret123
API_TOKEN=foo-bar-baz
JWT_SECRET=<random-string>

The web UI provides a /login page where the user posts the username/password and receives a JWT cookie on success. Subsequent browser requests are authenticated via that cookie.

Machine‑to‑machine callers may bypass the login page by supplying the API_TOKEN in an Authorization: Bearer … header. For example:

curl -v \
  -X POST 'http://192.168.3.233:8000/api/analysis/start' \
  -H 'Authorization: Bearer 123456' \
  -H 'Content-Type: application/json' \
  -d '{}'

NOTE: if you start AudioMuse-AI without properly setting the authentication parameter a message like the one below will be displayed on the login page and temporary user and password will be printed in flaks container log.

AUTH_ENABLED is true by default and one or more credentials were autogenerated and visible in FLASK log. You should set the final values for AUDIOMUSE_USER and AUDIOMUSE_PASSWORD in your environment variables. Optionally set API_TOKEN if you need external/plugin access.

HTTPS

To have a more secure Authentication running everything over HTTPS is needed to avoid that your password go in plain text. This part is something that relay from your infrastracture and not from AudioMuse-AI itself. For example if you're deploy everything on K3S thatr come with Traefik integrated, and you have certmanager with let's encrypt, you can add an IngressRoute like this:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: audiomuse-ingressroute
  namespace: playlist
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`playlist.192.168.3.169.nip.io`)
      kind: Rule
      services:
        - name: audiomuse-ai-flask-service
          port: 8000
  tls:
    certResolver: letsencrypt-production

Plugin

Actually Jellyfin plugin v0.1.51 (for Jellyfin 10.10.7) and v0.1.52 (for jellyfin 10.11) already added this support

Navidrome plugin support it from release v7