Context
The app currently has no authentication. For the planned Docker Compose + reverse-proxy deployment, ingress is protected only by network/proxy config. Decide on and implement an auth strategy.
Options
- (a) None — rely on VPN / private network only. Document clearly.
- (b) HTTP Basic via the proxy (Caddy/Traefik middleware). Zero app changes, minimal UX.
- (c) Forward auth (Authentik, Authelia, Cloudflare Access). SSO-capable, still no app changes.
- (d) App-level login — adds users table, password hashing, Flask-Login or similar, session cookies (we already wire SECRET_KEY and ProxyFix).
Acceptance criteria
- Decision recorded in README.
- If (b)/(c): example proxy config committed under deploy/.
- If (d): migration path, tests, and a bootstrap admin flow.
Notes
Current code already prepares for (d) via SECRET_KEY env var and ProxyFix middleware.
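The storage side of option (d) and its "bootstrap admin flow" criterion, as an added example that is not code from this project: a users table, salted scrypt hashes, and a first-admin bootstrap that is a no-op once any user exists. The schema, function names and scrypt cost parameters are assumptions, and session handling (Flask-Login, cookies) is left out.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scrypt cost parameters (not from the issue); tune for the deployment host.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

# Hypothetical schema for the "users table" named in option (d).
SCHEMA = """CREATE TABLE IF NOT EXISTS users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    salt BLOB NOT NULL,
    pw_hash BLOB NOT NULL,
    is_admin INTEGER NOT NULL DEFAULT 0)"""

_DUMMY_SALT = b"\x00" * 16  # used only to equalise work for unknown usernames


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def create_user(db, username: str, password: str, is_admin: bool = False) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    db.execute(
        "INSERT INTO users (username, salt, pw_hash, is_admin) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), int(is_admin)),
    )
    db.commit()


def bootstrap_admin(db, username: str, password: str) -> bool:
    """Create the first admin; return False (and change nothing) if any user exists."""
    db.execute(SCHEMA)
    if db.execute("SELECT COUNT(*) FROM users").fetchone()[0] > 0:
        return False
    if not username or not password:
        raise ValueError("bootstrap admin needs a non-empty username and password")
    create_user(db, username, password, is_admin=True)
    return True


def verify_login(db, username: str, password: str) -> bool:
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    # Hash even when the user is unknown so timing does not reveal valid names.
    salt, stored = row if row else (_DUMMY_SALT, b"")
    candidate = hash_password(password, salt)
    return row is not None and hmac.compare_digest(candidate, stored)
```

Calling `bootstrap_admin` at startup with credentials taken from environment variables keeps the flow idempotent: later restarts with the same variables set do not reset or add an admin.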