- Setup C++/Qt6 desktop application structure - Added initial Go proxy backend for TMDB/IGDB integration
69 lines
2.5 KiB
Markdown
69 lines
2.5 KiB
Markdown
# UMT TMDB Proxy
|
|
|
|
A small Go server that lets a group share **one** TMDB API key. Access is gated
|
|
by **OIDC via Authentik**: each user signs in once and receives a personal token
|
|
that they paste into the Ultimate Media Tracker desktop app.
|
|
|
|
```
|
|
desktop app ──Bearer token──▶ proxy ──?api_key=SHARED──▶ api.themoviedb.org
|
|
▲
|
|
└── login gated by Authentik (OIDC)
|
|
```
|
|
|
|
## How it works
|
|
|
|
1. A user opens the proxy URL and clicks **Mit Authentik anmelden**.
|
|
2. The server runs the OIDC Authorization-Code + PKCE flow against Authentik and
|
|
verifies the returned ID token (signature, issuer, audience, expiry).
|
|
3. On success it mints a stateless, HMAC-signed token and shows it on a page.
|
|
4. The user enters the proxy URL + token into the app (*Einstellungen → Filme/
|
|
Serien über → Proxy-Server*).
|
|
5. Every `/3/...` request from the app is validated and forwarded to TMDB with
|
|
the shared key appended. (Poster images come straight from the public
|
|
`image.tmdb.org` and need no key.)
|
|
|
|
## Configure
|
|
|
|
Copy `.env.example` to `.env` and fill it in. Required: `TMDB_API_KEY`,
|
|
`OIDC_ISSUER`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `SESSION_SECRET`.
|
|
|
|
### Authentik setup
|
|
|
|
Create an **OAuth2/OpenID Provider** + **Application**:
|
|
|
|
- Client type: **Confidential**
|
|
- Redirect URI: `https://tmdb.example.com/callback` (your `OIDC_REDIRECT_URL`)
|
|
- Scopes: `openid`, `profile`, `email` (add a `groups` mapping if you use
|
|
`ALLOWED_GROUPS`)
|
|
- Copy the Client ID / Secret and the provider's **OpenID Configuration Issuer**
|
|
into `.env`.
|
|
|
|
## Run
|
|
|
|
### With Go
|
|
|
|
```bash
|
|
go mod tidy # once, to fetch dependencies
|
|
set -a; . ./.env; set +a
|
|
go run .
|
|
```
|
|
|
|
### With Docker
|
|
|
|
```bash
|
|
docker build -t umt-tmdb-proxy .
|
|
docker run --env-file .env -p 8080:8080 umt-tmdb-proxy
|
|
```
|
|
|
|
Put it behind a TLS-terminating reverse proxy (Caddy, Traefik, nginx) so
|
|
`PUBLIC_URL` is `https://…`; cookies are then marked `Secure` automatically.
|
|
|
|
## Endpoints
|
|
|
|
| Path | Purpose |
|
|
|-------------|----------------------------------------------------|
|
|
| `/` | Landing page with a login button |
|
|
| `/login` | Starts the Authentik OIDC flow |
|
|
| `/callback` | OIDC redirect target; shows the personal token |
|
|
| `/3/*` | Authenticated TMDB API proxy |
|
|
| `/healthz` | Liveness probe |
|