ultimate-media-tracker/server
Tronax 3f07c78316
feat: initial commit for media tracking software
- Setup C++/Qt6 desktop application structure
- Added initial Go proxy backend for TMDB/IGDB integration
2026-06-15 02:02:25 +02:00
..
.env.example feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
config.go feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
Dockerfile feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
go.mod feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
go.sum feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
main.go feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
README.md feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
token.go feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00

UMT TMDB Proxy

A small Go server that lets a group share one TMDB API key. Access is gated by OIDC via Authentik: each user signs in once and receives a personal token that they paste into the Ultimate Media Tracker desktop app.

desktop app ──Bearer token──▶ proxy ──?api_key=SHARED──▶ api.themoviedb.org
                                 ▲
                                 └── login gated by Authentik (OIDC)

How it works

  1. A user opens the proxy URL and clicks Mit Authentik anmelden.
  2. The server runs the OIDC Authorization-Code + PKCE flow against Authentik and verifies the returned ID token (signature, issuer, audience, expiry).
  3. On success it mints a stateless, HMAC-signed token and shows it on a page.
  4. The user enters the proxy URL + token into the app (Einstellungen → Filme/ Serien über → Proxy-Server).
  5. Every /3/... request from the app is validated and forwarded to TMDB with the shared key appended. (Poster images come straight from the public image.tmdb.org and need no key.)

Configure

Copy .env.example to .env and fill it in. Required: TMDB_API_KEY, OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, SESSION_SECRET.

Authentik setup

Create an OAuth2/OpenID Provider + Application:

  • Client type: Confidential
  • Redirect URI: https://tmdb.example.com/callback (your OIDC_REDIRECT_URL)
  • Scopes: openid, profile, email (add a groups mapping if you use ALLOWED_GROUPS)
  • Copy the Client ID / Secret and the provider's OpenID Configuration Issuer into .env.

Run

With Go

go mod tidy        # once, to fetch dependencies
set -a; . ./.env; set +a
go run .

With Docker

docker build -t umt-tmdb-proxy .
docker run --env-file .env -p 8080:8080 umt-tmdb-proxy

Put it behind a TLS-terminating reverse proxy (Caddy, Traefik, nginx) so PUBLIC_URL is https://…; cookies are then marked Secure automatically.

Endpoints

Path Purpose
/ Landing page with a login button
/login Starts the Authentik OIDC flow
/callback OIDC redirect target; shows the personal token
/3/* Authenticated TMDB API proxy
/healthz Liveness probe