@apocaliss92/nodelink-js 0.1.14 → 0.1.18

package/README.md

@@ -45,6 +45,24 @@ The library includes a **complete web-based management interface** for easy came
 - 📱 **PWA Support** - Install as a Progressive Web App on mobile devices
 - 🌐 **Responsive Design** - Works on desktop, tablet, and mobile
 
+### External Requirements
+
+To run the Manager UI outside Docker, you need:
+
+Some features also rely on external binaries that must be available on the host when running outside Docker:
+
+Install examples:
+
+```bash
+# macOS
+brew install ffmpeg
+
+# Debian/Ubuntu
+sudo apt-get update && sudo apt-get install -y ffmpeg
+```
+
+If you use the Docker image, FFmpeg is already included (see Docker Deployment below).
+
 ### Quick Start (Development)
 
 ```bash
@@ -53,9 +71,6 @@ npm install
 npm run dev
 ```
 
-- Web UI: http://localhost:5173
-- API Server: http://localhost:3000
-
 ### Production Build
 
 ```bash
@@ -66,19 +81,23 @@ npm start
 
 Open http://localhost:3000 in your browser.
 
+### SSO (Authentik) via Trusted Proxy
+
+See [documentation/authentik-nginx.md](documentation/authentik-nginx.md) for a step-by-step Authentik + NGINX setup and the required environment variables.
+
 ### Docker Deployment (Recommended)
 
 The easiest way to run the Manager UI is with Docker:
 
 ```bash
 # Using pre-built image
-docker pull ghcr.io/apocaliss92/nodelink-manager:latest
+docker pull ghcr.io/apocaliss92/nodelink-js-manager:latest
 
 docker run -d \
   --name nodelink-manager \
   --network host \
   -v nodelink-data:/data \
-  ghcr.io/apocaliss92/nodelink-manager:latest
+  ghcr.io/apocaliss92/nodelink-js-manager:latest
 ```
 
 Or with Docker Compose:
@@ -87,6 +106,38 @@ Or with Docker Compose:
 docker-compose up -d
 ```
 
+#### WebRTC in Docker (bridge network)
+
+If you run the container in **bridge** mode (i.e. with `ports:` mappings), WebRTC needs two things to work reliably:
+
+1. **A fixed UDP port range** exposed from container → host.
+2. ICE candidates that contain an address the browser can reach (usually your **host LAN IP**) — configured in **Settings → WebRTC (ICE)**.
+
+Otherwise WebRTC may get stuck and you may see warnings like:
+
+```text
+Video data channel not open for session ...: connecting
+```
+
+Recommended example:
+
+```yaml
+services:
+  nodelink-manager:
+    ports:
+      - "3000:3000" # Web UI and API
+      - "8554:8554" # RTSP proxy
+      - "50000-50100:50000-50100/udp" # WebRTC / ICE UDP
+    # Then configure Settings → WebRTC (ICE):
+    # - ICE UDP port range: 50000-50100
+    # - Additional host addresses: 192.168.1.123
+```
+
+Notes:
+
+- The **Additional host addresses** setting should be an IP address that your browser can reach (typically the host machine IP on your LAN).
+- If you use `network_mode: host`, you usually **don’t need** any of the above (no port mapping).
+
 **Environment Variables:**
 
 | Variable    | Default | Description                          |
@@ -95,6 +146,107 @@ docker-compose up -d
 | `RTSP_PORT` | `8554`  | RTSP proxy port                      |
 | `DATA_PATH` | `/data` | Directory for settings.json and logs |
 
+**WebRTC / ICE (Docker bridge mode):**
+
+- Configure the UDP port mapping in Docker.
+- Configure ICE options in **Settings → WebRTC (ICE)**.
+
+**Dashboard authentication (optional):**
+
+| Variable         | Default | Description                                                                                                             |
+| ---------------- | ------- | ----------------------------------------------------------------------------------------------------------------------- |
+| `AUTH_ENABLED`   | (unset) | Enable auth when set to `1/true` (or disable with `0/false`). If unset, auth auto-enables when `ADMIN_PASSWORD` is set. |
+| `ADMIN_PASSWORD` | (unset) | Sets the `admin` password. This credential works for both the web login form and HTTP Basic auth.                       |
+
+### Streaming Authentication (RTSP / MJPEG / HLS / WebRTC)
+
+When authentication is enabled (see `AUTH_ENABLED` / `ADMIN_PASSWORD`), **all streaming endpoints are protected**.
+
+#### Step-by-step
+
+1. **Login to the Manager UI** (or use the API login) to obtain an auth token.
+2. (Recommended) **Generate a long-lived personal token** from **Settings → Personal token**.
+3. Use the correct auth mechanism depending on the streaming protocol:
+
+- RTSP: **Digest** with username/password
+- MJPEG/HLS: token in query string `?token=...`
+- WebRTC signaling + status endpoints: `Authorization: Bearer ...`
+- WebSocket logs: `?token=...` in the WS URL
+
+There are two auth mechanisms depending on the protocol:
+
+1. **RTSP (RTSP proxy): Digest auth with username/password**
+
+- URL format: `rtsp://<host>:<RTSP_PORT>/<camera>/<main|sub|ext>`
+- Credentials: the same **Users** list used by the dashboard.
+- Digest realm: `RTSP Proxy`
+- You can toggle whether auth is required via the Manager UI setting **“Require auth for RTSP connections”**.
+
+Examples:
+
+```bash
+# ffmpeg (Digest)
+ffmpeg -rtsp_transport tcp -i "rtsp://USERNAME:PASSWORD@HOST:8554/camera/main" -f null -
+
+# VLC (it will prompt for credentials, or use URL user:pass)
+vlc "rtsp://USERNAME:PASSWORD@HOST:8554/camera/main"
+```
+
+2. **HTTP-based streaming (MJPEG / HLS): token in query string**
+
+Browsers cannot reliably attach custom headers (like `Authorization`) to media tags (`<img>`, `<video>`), so MJPEG/HLS streams must be accessed with the auth token in the URL query string:
+
+- MJPEG: `/api/mpeg/<camera>/<profile>?token=...`
+- HLS playlist: `/api/hls/<camera>/<profile>/playlist.m3u8?token=...` (and segment requests will inherit the query param)
+
+Examples:
+
+```text
+MJPEG:
+  http://HOST:3000/api/mpeg/camera/main?token=YOUR_TOKEN
+
+HLS:
+  http://HOST:3000/api/hls/camera/main/playlist.m3u8?token=YOUR_TOKEN
+```
+
+Security note: query tokens may end up in logs/history. Treat them like passwords.
+
+3. **WebRTC control endpoints: Bearer token in Authorization header**
+
+WebRTC signaling uses JSON endpoints (create session, send ICE candidates, send answer) and supports standard Bearer auth:
+
+```bash
+# 1) Login to obtain a token
+curl -sS -X POST http://HOST:3000/api/auth/login \
+  -H 'content-type: application/json' \
+  -d '{"username":"admin","password":"YOUR_PASSWORD"}'
+
+# 2) Use the returned token for WebRTC signaling
+curl -sS http://HOST:3000/api/webrtc/status \
+  -H "Authorization: Bearer YOUR_TOKEN"
+```
+
+You can also generate a personal token via API (requires an existing valid token):
+
+```bash
+curl -sS -X POST http://HOST:3000/api/auth/personal-token \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H 'content-type: application/json' \
+  -d '{}'
+```
+
+4. **WebSocket logs: token in query string**
+
+The browser WebSocket handshake cannot reliably attach custom headers, so use:
+
+```text
+ws://HOST:3000/ws/logs?token=YOUR_TOKEN
+```
+
+If authentication is disabled, these endpoints work without credentials.
+
+Tip: a personal token is ideal for integrations (Home Assistant, scripts, etc.) because it does not expire.
+
 📖 **[Full Docker documentation →](./DOCKER.md)**
 
 ---

package/dist/{DiagnosticsTools-YEML4E5V.js → DiagnosticsTools-6WEMO4L4.js}

@@ -9,7 +9,7 @@ import {
   runMultifocalDiagnosticsConsecutively,
   sampleStreams,
   testChannelStreams
-} from "./chunk-QEA2V52E.js";
+} from "./chunk-ZE7D7LI4.js";
 export {
   collectCgiDiagnostics,
   collectMultifocalDiagnostics,
@@ -22,4 +22,4 @@ export {
   sampleStreams,
   testChannelStreams
 };
-//# sourceMappingURL=DiagnosticsTools-YEML4E5V.js.map
+//# sourceMappingURL=DiagnosticsTools-6WEMO4L4.js.map