ultimate-media-tracker/server
Tronax de353f0218
feat: add Android app and end-to-end encrypted library sync
Introduce the Kotlin/Compose Android companion app and extend the TMDB
proxy into a combo server that synchronizes the whole library as an
encrypted snapshot, with all three components (Go server, Android,
desktop) sharing one zero-knowledge crypto envelope and JSON schema.

- server: add PostgreSQL-backed /sync/library (GET/PUT) with optimistic
  concurrency (revision + 409 on conflict); sync stays disabled unless
  DATABASE_URL is set. Add docker-compose with Postgres.
- desktop: add libsodium CryptoEnvelope, LibrarySerializer and SyncClient;
  storage-mode and passphrase settings; a "Sync now" toolbar action with
  conflict resolution.
- android: Room-backed library with local/cloud storage modes, encrypted
  sync client, and settings UI. The proxy server (URL + token) can be
  configured as a TMDB proxy even in local-only mode.

Crypto is identical across platforms: Argon2id (libsodium crypto_pwhash,
INTERACTIVE) + XChaCha20-Poly1305 in a versioned "UMTS" envelope, so a
snapshot encrypted on one client decrypts on the other.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-21 00:35:54 +02:00
..
.env.example feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
config.go feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
docker-compose.yml feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
Dockerfile feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
go.mod feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
go.sum feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
main.go feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
README.md feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00
store.go feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
sync.go feat: add Android app and end-to-end encrypted library sync 2026-06-21 00:35:54 +02:00
token.go feat: initial commit for media tracking software 2026-06-15 02:02:25 +02:00

UMT TMDB Proxy

A small Go server that lets a group share one TMDB API key. Access is gated by OIDC via Authentik: each user signs in once and receives a personal token that they paste into the Ultimate Media Tracker desktop app.

desktop app ──Bearer token──▶ proxy ──?api_key=SHARED──▶ api.themoviedb.org
                                 ▲
                                 └── login gated by Authentik (OIDC)

How it works

  1. A user opens the proxy URL and clicks Mit Authentik anmelden.
  2. The server runs the OIDC Authorization-Code + PKCE flow against Authentik and verifies the returned ID token (signature, issuer, audience, expiry).
  3. On success it mints a stateless, HMAC-signed token and shows it on a page.
  4. The user enters the proxy URL + token into the app (Einstellungen → Filme/ Serien über → Proxy-Server).
  5. Every /3/... request from the app is validated and forwarded to TMDB with the shared key appended. (Poster images come straight from the public image.tmdb.org and need no key.)

Configure

Copy .env.example to .env and fill it in. Required: TMDB_API_KEY, OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, SESSION_SECRET.

Authentik setup

Create an OAuth2/OpenID Provider + Application:

  • Client type: Confidential
  • Redirect URI: https://tmdb.example.com/callback (your OIDC_REDIRECT_URL)
  • Scopes: openid, profile, email (add a groups mapping if you use ALLOWED_GROUPS)
  • Copy the Client ID / Secret and the provider's OpenID Configuration Issuer into .env.

Run

With Go

go mod tidy        # once, to fetch dependencies
set -a; . ./.env; set +a
go run .

With Docker

docker build -t umt-tmdb-proxy .
docker run --env-file .env -p 8080:8080 umt-tmdb-proxy

Put it behind a TLS-terminating reverse proxy (Caddy, Traefik, nginx) so PUBLIC_URL is https://…; cookies are then marked Secure automatically.

Endpoints

Path Purpose
/ Landing page with a login button
/login Starts the Authentik OIDC flow
/callback OIDC redirect target; shows the personal token
/3/* Authenticated TMDB API proxy
/healthz Liveness probe