feat: add JWT auth, configurable username, switch password auth to Basic

Add server-side JWT authentication with permission-based access control
(read/write/delete claims). Password authentication now uses HTTP Basic
auth only (replacing Bearer). Add configurable username for both server
and client (--server-username/--client-username, defaults to "keep").

JWT secret supports file-based loading via --server-jwt-secret-file for
Docker secrets. OPTIONS preflight requests bypass auth. HEAD mapped to
read permission.

Co-Authored-By: opencode <noreply@opencode.ai>
2026-03-13 13:56:35 -03:00
parent af1e0ca570
commit e672ec751e
17 changed files with 1052 additions and 196 deletions


@@ -48,8 +48,11 @@ ENV KEEP_LIST_FORMAT="id,time,size,tags,meta:hostname"
# Server options
ENV KEEP_SERVER_ADDRESS=0.0.0.0
ENV KEEP_SERVER_PORT=21080
# ENV KEEP_SERVER_USERNAME="keep"
# ENV KEEP_SERVER_PASSWORD=""
# ENV KEEP_SERVER_PASSWORD_HASH=""
# ENV KEEP_SERVER_JWT_SECRET=""
# ENV KEEP_SERVER_JWT_SECRET_FILE=/config/jwt_secret
# TLS options
# ENV KEEP_SERVER_CERT=/certs/cert.pem
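Review bot: The commented `# ENV KEEP_SERVER_JWT_SECRET=""` example invites users to uncomment it and bake the signing secret into the image, where it stays readable in the image metadata and layer history. Since `KEEP_SERVER_JWT_SECRET_FILE=/config/jwt_secret` is offered on the next line, consider dropping the inline-secret example from the Dockerfile or adding a comment that it should only be set at runtime and that the file variant is preferred. The same applies to `KEEP_SERVER_PASSWORD`. It would also help to document here which value wins when both `KEEP_SERVER_JWT_SECRET` and `KEEP_SERVER_JWT_SECRET_FILE` are set, and to note that with `KEEP_SERVER_ADDRESS=0.0.0.0` active and every auth variable commented out, the image's default auth state is not stated anywhere in this block.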
@@ -57,6 +60,8 @@ ENV KEEP_SERVER_PORT=21080
# Client options
# ENV KEEP_CLIENT_URL=""
# ENV KEEP_CLIENT_USERNAME="keep"
# ENV KEEP_CLIENT_PASSWORD=""
# ENV KEEP_CLIENT_JWT=""
ENTRYPOINT ["/keep"]
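Review bot: `# ENV KEEP_CLIENT_JWT=""` has no file-based counterpart, unlike the server side, which gets `KEEP_SERVER_JWT_SECRET_FILE`. A token set through `ENV` in the Dockerfile ends up in the image metadata, so consider adding a file-based option for the client token as well, or at least a comment that `KEEP_CLIENT_JWT` and `KEEP_CLIENT_PASSWORD` are meant to be supplied at container start. A short comment stating which credential the client uses when both `KEEP_CLIENT_PASSWORD` and `KEEP_CLIENT_JWT` are set would remove the ambiguity these two lines leave.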