Introduce the Kotlin/Compose Android companion app and extend the TMDB proxy into a combo server that synchronizes the whole library as an encrypted snapshot, with all three components (Go server, Android, desktop) sharing one zero-knowledge crypto envelope and JSON schema. - server: add PostgreSQL-backed /sync/library (GET/PUT) with optimistic concurrency (revision + 409 on conflict); sync stays disabled unless DATABASE_URL is set. Add docker-compose with Postgres. - desktop: add libsodium CryptoEnvelope, LibrarySerializer and SyncClient; storage-mode and passphrase settings; a "Sync now" toolbar action with conflict resolution. - android: Room-backed library with local/cloud storage modes, encrypted sync client, and settings UI. The proxy server (URL + token) can be configured as a TMDB proxy even in local-only mode. Crypto is identical across platforms: Argon2id (libsodium crypto_pwhash, INTERACTIVE) + XChaCha20-Poly1305 in a versioned "UMTS" envelope, so a snapshot encrypted on one client decrypts on the other. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| .env.example | ||
| config.go | ||
| docker-compose.yml | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
| README.md | ||
| store.go | ||
| sync.go | ||
| token.go | ||
UMT TMDB Proxy
A small Go server that lets a group share one TMDB API key. Access is gated by OIDC via Authentik: each user signs in once and receives a personal token that they paste into the Ultimate Media Tracker desktop app.
desktop app ──Bearer token──▶ proxy ──?api_key=SHARED──▶ api.themoviedb.org
▲
└── login gated by Authentik (OIDC)
How it works
- A user opens the proxy URL and clicks Mit Authentik anmelden.
- The server runs the OIDC Authorization-Code + PKCE flow against Authentik and verifies the returned ID token (signature, issuer, audience, expiry).
- On success it mints a stateless, HMAC-signed token and shows it on a page.
- The user enters the proxy URL + token into the app (Einstellungen → Filme/ Serien über → Proxy-Server).
- Every
/3/...request from the app is validated and forwarded to TMDB with the shared key appended. (Poster images come straight from the publicimage.tmdb.organd need no key.)
Configure
Copy .env.example to .env and fill it in. Required: TMDB_API_KEY,
OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, SESSION_SECRET.
Authentik setup
Create an OAuth2/OpenID Provider + Application:
- Client type: Confidential
- Redirect URI:
https://tmdb.example.com/callback(yourOIDC_REDIRECT_URL) - Scopes:
openid,profile,email(add agroupsmapping if you useALLOWED_GROUPS) - Copy the Client ID / Secret and the provider's OpenID Configuration Issuer
into
.env.
Run
With Go
go mod tidy # once, to fetch dependencies
set -a; . ./.env; set +a
go run .
With Docker
docker build -t umt-tmdb-proxy .
docker run --env-file .env -p 8080:8080 umt-tmdb-proxy
Put it behind a TLS-terminating reverse proxy (Caddy, Traefik, nginx) so
PUBLIC_URL is https://…; cookies are then marked Secure automatically.
Endpoints
| Path | Purpose |
|---|---|
/ |
Landing page with a login button |
/login |
Starts the Authentik OIDC flow |
/callback |
OIDC redirect target; shows the personal token |
/3/* |
Authenticated TMDB API proxy |
/healthz |
Liveness probe |