tldr; nothing works

.gitignore

@@ -16,6 +16,7 @@ main
 *.zst
 *.gzip
 *.env
+*.db
 
 bin/
 

app/Dockerfile

@@ -0,0 +1,33 @@
+FROM ghcr.io/prantlf/vlang:latest AS builder
+WORKDIR ./src/
+
+COPY . .
+RUN mkdir -p ./src/../../build/
+
+# Build release binary. Output to /src/bin/cdn_app
+# If your main file is main.v in the root of the context, this will work.
+RUN v -prod -o ./src/../../build/ ./main.v
+
+# Stage 2: runtime
+FROM debian:bookworm-slim AS runtime
+WORKDIR /app
+
+# create non-root user (good practice)
+RUN useradd -m appuser
+
+# copy binary from builder
+COPY --from=builder /src/bin/cdn_app /app/cdn_app
+
+# copy templates/assets if your binary loads embedded files at runtime or expects files on disk
+# (If you use V's $embed_file at compile time then templates are already embedded and this is optional)
+COPY template/ /app/template/
+COPY util/ /app/util/
+COPY database/ /app/database/
+
+RUN chown -R appuser:appuser /app
+USER appuser
+
+# expose container ports your app might use (adjust if you use different ports)
+EXPOSE 8080 6767
+
+ENTRYPOINT ["/app/cdn_app"]

app/build

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cd src
+v install fleximus.argon2
+v install thomaspeissl.dotenv
+v -prod -cflags "-static" -os linux -o ../../build/app/cdn .

app/src/cryptography/crypto.v

@@ -0,0 +1,14 @@
+module cryptography
+
+import rand
+import fleximus.argon2
+
+pub fn hash_password(password string) !string {
+	salt := rand.bytes(16) or { return error('failed to generate salt: ${err}') }
+	hash := argon2.hash(password.bytes(), salt) or { return error('argon2 hash failed: ${err}') }
+	return hash
+}
+
+pub fn hash_verify(password string, hash string) !bool {
+	return argon2.verify(hash, password.bytes()) or { return error('argon2 verify failed: ${err}') }
+}

app/src/database/db.v

@@ -1,58 +1,49 @@
 module database
 
-import rand
-// import db.mysql
-import db.redis
-import fleximus.argon2
+import os
+import orm
+import util
+import db.sqlite
 
-pub struct Crypto {}
-
-pub fn Crypto.hash_password(password string) !string {
-	salt := rand.bytes(16) or { return error('failed to generate salt: ${err}') }
-	hash := argon2.hash(password.bytes(), salt) or { return error('argon2 hash failed: ${err}') }
-	return hash
+pub struct Database {
+	cfg util.Config
 }
 
-pub fn Crypto.hash_verify(password string, hash string) !bool {
-	return argon2.verify(hash, password.bytes()) or { return error('argon2 verify failed: ${err}') }
+pub fn get_dummy_exclusion_list(exe string, root string) []string {
+	return [
+		exe,
+		util.Utility.normalize_path(os.join_path(root, 'update.sh')),
+	]
 }
 
-// struct Database {
-// mut:
-// 	conn mysql.DB
-// }
-//
-// pub fn get_connection(cfg util.Config) !&Database {
-// 	// connection := mysql.connect(mysql.Config{
-// 	// 	host:     cfg.database.host
-// 	// 	// port:     u32(cfg.database.port)
-// 	// 	dbname:   'CDN_DATABASE'
-// 	// 	username: cfg.database.username
-// 	// 	password: cfg.database.password
-// 	// })!
-//
-// 	//return &Database{ conn: connection }
-// 	return &Database{}
-// }
-//
-// pub fn (mut db Database) query[T](query_fn fn(conn &mysql.Connection) ![]T) ![]T {
-// 	result := query_fn(db.conn) or {
-// 		// Connection died, reconnect
-// 		db.conn = mysql.connect(db.config)!
-// 		return query_fn(db.conn)!
-// 	}
-// 	return result
-// }
-//
-// pub fn Database.test() {}
+fn (db &Database) get_connection() !sqlite.DB {
+	conn := sqlite.connect(db.cfg.database)!
 
-pub fn test() ! {
-	mut r := redis.connect(redis.Config{
-		host:     'vpn.security-command.org'
-		port:     6767
-		password: 'SuperSecretPassword123'
-	})!
+	if db.cfg.debug {
+		conn.synchronization_mode(.off)!
+		conn.journal_mode(.memory)!
+	}
 
-	pong := r.ping() or { panic(err) }
-	println(pong)
+	sql conn {
+		create table User
+		create table Files
+		create table Logins
+	}!
+
+	return conn
+}
+
+pub fn get_database(cfg util.Config) !&Database {
+	return &Database{
+		cfg: cfg
+	}
+}
+
+pub fn (mut db Database) query[T](statement orm.QueryBuilder[T]) ![]T {
+	return statement.query()!
+}
+
+pub fn (db Database) get_query_builder[T]() &orm.QueryBuilder[T] {
+	conn := db.get_connection() or { panic(err) }
+	return orm.new_query[T](conn)
 }

app/src/database/files.v

@@ -0,0 +1,8 @@
+module database
+
+@[table: 'files']
+pub struct Files {
+	id      int    @[primary; serial]
+	path    string @[nonnull; unique]
+	visible bool   @[default: false; nonnull]
+}

app/src/database/logins.v

@@ -0,0 +1,46 @@
+module database
+
+import time
+
+@[table: 'login_attempts']
+pub struct Logins {
+mut:
+	ip           string    @[primary]
+	attempts     int       @[nonnull]
+	attempt_time time.Time @[nonnull]
+}
+
+pub fn Logins.by_ip(ip string, mut database_ Database) ?Logins {
+	query := database_.get_query_builder[Logins]().where('ip = ?', ip) or { return none }
+	result := database_.query[Logins](query) or { return none }
+
+	return result.first()
+}
+
+pub fn Logins.create_or_update(ip string, mut database_ Database) ?Logins {
+	mut login := Logins{
+		ip:           ip
+		attempts:     1
+		attempt_time: time.now()
+	}
+
+	if existing := Logins.by_ip(ip, mut database_) {
+		login.attempts = existing.attempts + 1
+		login.attempt_time = time.now()
+
+		db := database_.get_connection() or { panic(err) }
+
+		sql db {
+			update Logins set attempts = login.attempts, attempt_time = login.attempt_time
+			where ip == ip
+		} or { return none }
+	} else {
+		db := database_.get_connection() or { panic(err) }
+
+		sql db {
+			insert login into Logins
+		} or { return none }
+	}
+
+	return login
+}

app/src/database/tables.v

@@ -1,22 +0,0 @@
-module database
-
-@[table: 'users']
-struct Users {
-	id            int    @[primary; serial]
-	name          string @[nonnull; unique]
-	password_hash string @[nonnull]
-}
-
-@[table: 'login_attempts']
-struct Logins {
-	ip           string @[primary]
-	attempts     int    @[nonnull]
-	attempt_time string @[default: 'CURRENT_TIMESTAMP'; nonnull]
-}
-
-@[table: 'files']
-struct Files {
-	id      int    @[primary; serial]
-	path    string @[nonnull; unique]
-	visible bool   @[default: false; nonnull]
-}

app/src/database/user.v

@@ -0,0 +1,52 @@
+module database
+
+import orm
+import cryptography
+
+@[table: 'users']
+pub struct User {
+pub:
+	id       ?int   @[primary; serial]
+	username string @[nonnull; unique]
+	password string @[nonnull]
+}
+
+pub fn User.by_id(user_id orm.Primitive, mut database_ Database) ?User {
+	query := database_.get_query_builder[User]().where('id = ?', user_id) or { return none }
+	result := database_.query[User](query) or { return none }
+
+	return result.first()
+}
+
+pub fn User.by_name(username orm.Primitive, mut database_ Database) ?User {
+	eprintln('qb')
+	query := database_.get_query_builder[User]().where('username = ?', username) or { return none }
+	eprintln('result')
+	result := database_.query[User](*query) or { return none }
+
+	eprintln('first')
+	return result.first()
+}
+
+pub fn User.create(username string, password string, database_ Database) ?User {
+	hash := cryptography.hash_password(password) or { return none }
+	mut user := User{
+		id:       none
+		username: username
+		password: hash
+	}
+
+	db := database_.get_connection() or { panic(err) }
+
+	sql db {
+		insert user into User
+	} or { return none }
+
+	return user
+}
+
+pub fn User.verify(username orm.Primitive, password string, mut database_ Database) ?User {
+	eprintln('by_name')
+	user := User.by_name(username, mut database_) or { return none }
+	return if cryptography.hash_verify(password, user.password) or { false } { user } else { none }
+}

app/src/jwt/algoritm.v

@@ -0,0 +1,19 @@
+module jwt
+
+pub interface Algorithm {
+	name string
+	sign(contents string, secretOrKey string) !string
+	verify(token string, secretOrKey string) !Token
+}
+
+pub enum AlgorithmType {
+	hs256
+}
+
+pub fn new_algorithm(algorithmType AlgorithmType) Algorithm {
+	match algorithmType {
+		.hs256 {
+			return HS256{}
+		}
+	}
+}

app/src/jwt/hs256.v

@@ -0,0 +1,31 @@
+module jwt
+
+import crypto.hmac
+import crypto.sha256
+import encoding.base64
+
+pub struct HS256 {
+pub:
+	name string = 'HS256'
+}
+
+pub fn (algorithm HS256) sign(content string, secret string) !string {
+	return base64.url_encode(hmac.new(secret.bytes(), content.bytes(), sha256.sum, sha256.block_size))
+}
+
+pub fn (algorithm HS256) verify(token_raw string, secret string) !Token {
+	token := parse_token(token_raw)!
+	parts := token_raw.split('.')
+	header := parts[0]
+	claims := parts[1]
+	signed := algorithm.sign('${header}.${claims}', secret)!
+
+	if signed != token.signature {
+		return error('Invalid token')
+	}
+	if token.is_expired() {
+		return error('Token already expired')
+	}
+
+	return token
+}

app/src/jwt/jwt.v

@@ -0,0 +1,40 @@
+module jwt
+
+import json
+import time
+import x.json2
+import encoding.base64
+
+pub fn encode[T](claims T, algorithm Algorithm, secretOrKey string, exp int) !string {
+	header := new_header(algorithm)
+	header_b64 := base64.url_encode(json.encode(header).bytes())
+
+	mut claims_final := json2.decode[json2.Any](json.encode(claims))!.as_map()
+
+	if exp != 0 {
+		claims_final['exp'] = time.now().unix() + exp
+	}
+
+	claims_b64 := base64.url_encode(claims_final.str().bytes())
+	contents := '${header_b64}.${claims_b64}'
+	signature := algorithm.sign(contents, secretOrKey)!
+
+	return '${contents}.${signature}'
+}
+
+pub fn verify[T](token string, algorithm Algorithm, secretOrKey string) !T {
+	return algorithm.verify(token, secretOrKey)!.parse_claims[T]()
+}
+
+pub struct UserJwt {
+pub:
+	id string
+}
+
+pub fn create(user_id string, secret string) !string {
+	return encode[UserJwt](UserJwt{ id: user_id }, new_algorithm(.hs256), secret, 7 * 24 * 60 * 60)!
+}
+
+pub fn decode(token string, secret string) !string {
+	return verify[UserJwt](token, new_algorithm(.hs256), secret)!.id
+}

app/src/jwt/structs.v

@@ -0,0 +1,65 @@
+module jwt
+
+import json
+import time
+import x.json2
+import encoding.base64
+
+pub struct JWTHeader {
+pub:
+	alg string
+	typ string = 'JWT'
+}
+
+fn new_header(algorithm Algorithm) JWTHeader {
+	return JWTHeader{
+		alg: algorithm.name.str().to_upper()
+	}
+}
+
+struct Token {
+pub:
+	header     JWTHeader
+	claims     string
+	signature  string
+	expiration int
+}
+
+pub fn (t Token) parse_claims[T]() !T {
+	return json.decode(T, t.claims)
+}
+
+pub fn (t Token) is_expired() bool {
+	return t.expiration == -1 || time.unix(t.expiration) < time.now()
+}
+
+pub fn parse_token(token_raw string) !Token {
+	parts := token_raw.split('.')
+	if parts.len != 3 {
+		return error('Invalid token')
+	}
+
+	header_raw := if parts[0].len % 4 == 0 { parts[0] } else { parts[0] + '==' }
+	claims_raw := if parts[1].len % 4 == 0 { parts[1] } else { parts[1] + '==' }
+
+	decoded_header := base64.decode_str(header_raw)
+	decoded_claims := base64.decode_str(claims_raw)
+
+	claims := json2.decode[json2.Any](decoded_claims)!.as_map()
+
+	mut expiration_given := true
+
+	expiration_unix := claims['exp'] or {
+		expiration_given = false
+		json2.Null{}
+	}
+
+	token := Token{
+		header:     json.decode(JWTHeader, decoded_header)!
+		claims:     decoded_claims
+		signature:  parts[2]
+		expiration: if expiration_given { expiration_unix.int() } else { -1 }
+	}
+
+	return token
+}

app/src/main.v

@@ -2,24 +2,27 @@ module main
 
 import os
 import veb
+import jwt
 import util
+import sync
 import database
 import thomaspeissl.dotenv
+import time
+import net.http
 
-//
+// structs
 
-pub struct User {
-pub mut:
-	name string
-	id   int
+pub struct CachedUser {
+pub:
+	user    database.User
+	expires int
 }
 
 pub struct Context {
 	veb.Context
 pub mut:
-	embed      util.Embedded
-	user       User
-	session_id string
+	app  &App
+	user database.User
 }
 
 pub struct App {
@@ -27,11 +30,17 @@ pub struct App {
 	veb.StaticHandler
 	veb.Middleware[Context]
 pub:
-	cfg   &util.Config
+	cfg   util.Config
 	embed util.Embedded
+pub mut:
+	database   database.Database
+	cache_lock sync.RwMutex
+	user_cache map[string]CachedUser
 }
 
 pub struct Auth {
+	veb.Controller
+	veb.Middleware[Context]
 pub:
 	app &App
 }
@@ -40,8 +49,8 @@ pub:
 
 @['/:path...']
 pub fn (app &App) root(mut ctx Context, path string) veb.Result {
-	abs_root := util.Utility.normalize_path(os.abs_path(app.cfg.root))
-	abs_path := util.Utility.normalize_path(abs_root + os.abs_path(path))
+	abs_root := util.Utility.normalize_path(os.real_path(app.cfg.root))
+	abs_path := util.Utility.normalize_path(os.real_path(os.join_path(abs_root, path)))
 
 	if !abs_path.starts_with(abs_root) && abs_path != abs_root {
 		return ctx.forbidden()
@@ -55,25 +64,85 @@ pub fn (app &App) root(mut ctx Context, path string) veb.Result {
 		return ctx.text(content)
 	}
 
-	entries := util.Utility.list_files(abs_path, abs_root) or { return ctx.not_found() }
+	exclude := database.get_dummy_exclusion_list(app.cfg.exe, app.cfg.root)
+	entries := util.Utility.list_files(abs_path, abs_root, exclude) or { return ctx.not_found() }
 
 	directory := util.HtmlBuilder.generate_breadcrumbs(abs_path.split(abs_root)[1])
 	files, meta := util.HtmlBuilder.generate_file_list(entries, abs_path)
 	style := app.embed.style_css
 
+	username := if ctx.user.username != '' { ctx.user.username } else { 'noone' }
 	return ctx.html($tmpl('template/dashboard.html'))
 }
 
 // auth endpoints
 
+@['/']
+pub fn (auth &Auth) root(mut ctx Context) veb.Result {
+	return ctx.redirect('/')
+}
+
 @[get; post]
 pub fn (auth &Auth) login(mut ctx Context) veb.Result {
-	return ctx.text('login')
+	if ctx.req.method == .get {
+		style := auth.app.embed.admin_css
+		return ctx.html($tmpl('template/auth/login.html'))
+	}
+
+	token := ctx.get_cookie('veb_session') or { '' }
+	if token != '' {
+		return ctx.redirect('/')
+	}
+
+	username := ctx.form['username'] or { return ctx.request_error('') }
+	password := ctx.form['password'] or { return ctx.request_error('') }
+
+	if password.len < 8 {
+		return ctx.request_error('')
+	}
+
+	if user := database.User.verify(username, password, mut ctx.app.database) {
+		id := user.id or { return ctx.server_error('') }
+		ctx.set_cookie(http.Cookie{
+			name:      'veb_session'
+			value:     jwt.create(id.str(), ctx.app.cfg.jwt_key) or { return ctx.server_error('') }
+			path:      '/'
+			secure:    true
+			http_only: true
+			same_site: .same_site_strict_mode
+		})
+	} else {
+		// todo cache login attempts per ip as well and block early.
+		database.Logins.create_or_update(ctx.ip(), mut ctx.app.database)
+		return ctx.forbidden()
+	}
+
+	return ctx.redirect('/')
 }
 
 @[get; post]
 pub fn (auth &Auth) logout(mut ctx Context) veb.Result {
-	return ctx.text('logout')
+	if ctx.req.method == .get {
+		style := auth.app.embed.admin_css
+		return ctx.html($tmpl('template/auth/logout.html'))
+	}
+
+	token := ctx.get_cookie('veb_session') or { '' }
+	if token == '' {
+		return ctx.redirect('/')
+	}
+
+	ctx.set_cookie(http.Cookie{
+		name:      'veb_session'
+		value:     ''
+		path:      '/'
+		secure:    true
+		http_only: true
+		same_site: .same_site_strict_mode
+		max_age:   -1
+	})
+
+	return ctx.redirect('/')
 }
 
 @[get; post; put]
@@ -81,13 +150,68 @@ pub fn (auth &Auth) register(mut ctx Context) veb.Result {
 	return ctx.text('register')
 }
 
+// middleware
+
+fn (mut app App) prepare() fn (mut Context) bool {
+	return fn [mut app] (mut ctx Context) bool {
+		ctx.app = &app
+		return true
+	}
+}
+
+pub fn session(mut ctx Context) bool {
+	token := ctx.get_cookie('veb_session') or { '' }
+	if token == '' {
+		return true
+	}
+
+	if id := jwt.decode(token, ctx.app.cfg.jwt_key) {
+		if user := ctx.app.get_user(id) {
+			ctx.user = user
+		}
+	}
+
+	return true
+}
+
+fn (mut app App) get_user(user_id string) ?database.User {
+	now := time.now().unix()
+
+	app.cache_lock.rlock()
+
+	if cu := app.user_cache[user_id] {
+		if cu.expires > int(now) {
+			app.cache_lock.runlock()
+			return cu.user
+		}
+	}
+
+	app.cache_lock.runlock()
+
+	user := database.User.by_id(user_id, mut app.database) or { return none }
+
+	app.cache_lock.lock()
+	app.user_cache[user_id] = CachedUser{
+		user:    user
+		expires: int(now) + 300
+	}
+	app.cache_lock.unlock()
+
+	return user
+}
+
 // utility
 
 fn (mut ctx Context) error_page(code int, short string, long string) string {
-	style := ctx.embed.error_css.clone()
+	style := ctx.app.embed.error_css
 	return $tmpl('template/error.html')
 }
 
+pub fn (mut ctx Context) request_error(msg string) veb.Result {
+	ctx.res.set_status(.bad_request)
+	return ctx.html(ctx.error_page(400, 'Bad Request', 'This request is malformed or otherwise invalid.'))
+}
+
 pub fn (mut ctx Context) forbidden() veb.Result {
 	ctx.res.set_status(.forbidden)
 	return ctx.html(ctx.error_page(403, 'Forbidden', "Oops! You aren't allowed around here."))
@@ -98,66 +222,50 @@ pub fn (mut ctx Context) not_found() veb.Result {
 	return ctx.html(ctx.error_page(404, 'Not found', 'Oops! The page you are looking for does not exist.'))
 }
 
-// --
+pub fn (mut ctx Context) server_error(msg string) veb.Result {
+	ctx.res.set_status(.internal_server_error)
+	return ctx.html(ctx.error_page(500, 'Interal Server Error', 'Oops! Something went wrong here.'))
+}
 
-fn populate() (&util.Config, &util.Embedded) {
+// main
+
+fn populate() (util.Config, util.Embedded) {
 	dotenv.load()
-	dotenv.require('CDN_DB_HOST', 'CDN_DB_PORT')
 
-	def_root := $d('root', '.')
+	executable := os.executable()
+	def_root := os.dir(executable)
 	def_port := int($d('port', 6767))
+	def_sqlt := $d('database', 'cdn_web.db')
+	def_jwt := $d('jwt', 'supersecurejwttokenkey')
 
-	def_user := $d('username', 'cdn')
-	def_pass := $d('password', 'totallySafeCdnDatabasePassword1235')
-
-	return &util.Config{
-		root:     if os.getenv('CDN_ROOT') != '' { os.getenv('CDN_ROOT').str() } else { def_root }
+	// vfmt off
+	return util.Config{
+		exe:      util.Utility.normalize_path(executable)
+		root:     util.Utility.normalize_path(if os.getenv('CDN_ROOT') != '' { util.Utility.resolve_path(def_root, os.getenv('CDN_ROOT').str()) } else { def_root })
 		port:     if os.getenv('CDN_PORT')    != '' { os.getenv('CDN_PORT').int()    } else { def_port }
-		database: &util.Database{
-			host:     os.getenv('CDN_DB_HOST').str()
-			port:     os.getenv('CDN_DB_PORT').int()
-			username: if os.getenv('CDN_DB_USERNAME') != '' {
-				os.getenv('CDN_DB_USERNAME').str()
-			} else {
-				def_user
-			}
-			password: if os.getenv('CDN_DB_PASSWORD') != '' {
-				os.getenv('CDN_DB_PASSWORD').str()
-			} else {
-				def_pass
-			}
-		}
-	}, &util.Embedded{
+		jwt_key:  if os.getenv('CDN_JWT_KEY') != '' { os.getenv('CDN_JWT_KEY').str() } else { def_jwt  }
+		database: if os.getenv('CDN_SQL_DSN') != '' { os.getenv('CDN_SQL_DSN').str() } else { def_sqlt }
+	}, util.Embedded{
 		style_css: $embed_file('template/assets/style.css', .zlib).to_string()
 		error_css: $embed_file('template/assets/error.css', .zlib).to_string()
+		admin_css: $embed_file('template/assets/admin.css', .zlib).to_string()
 	}
+	// vfmt on
 }
 
 fn main() {
-	cfg, mut embed := populate()
-	mut app := &App{
-		cfg:   cfg
-		embed: embed
-	}
-	mut auth := &Auth{
-		app: &app
-	}
-
-	database.test()!
-
-	// db := database.get_connection(app.cfg)!
+	// vfmt off
+	mut cfg, mut embed := populate()
+	mut app := &App{ cfg: cfg, embed: embed, database: database.get_database(cfg)! }
+	mut auth := &Auth{ app: app }
+	// vfmt on
 
 	app.register_controller[Auth, Context]('/auth', mut auth)!
 
 	app.enable_static_compression = true
 	app.use(veb.encode_auto[Context]())
-
-	app.use(veb.MiddlewareOptions[Context]{
-		handler: fn [mut embed] (mut ctx Context) bool {
-			ctx.embed = embed
-			return true
-		}
-	})
+	app.use(handler: app.prepare())
+	app.use(handler: session)
 
 	veb.run[App, Context](mut app, app.cfg.port)
 }

app/src/template/assets/admin.css

@@ -0,0 +1,157 @@
+/* General Reset */
+* {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+}
+
+/* Light Theme */
+:root[data-theme="light"] {
+    --bg-primary: #ffffff;
+    --bg-secondary: #f5f7fb;
+    --bg-tertiary: #eff2f5;
+    --text-primary: #1a202c;
+    --text-secondary: #6c757d;
+    --border-color: #d4d7de;
+    --accent: #0051ba;
+    --accent-hover: #003e8f;
+}
+
+/* Dark Theme */
+:root[data-theme="dark"] {
+    --bg-primary: #0d1117;
+    --bg-secondary: #161b22;
+    --bg-tertiary: #21262d;
+    --text-primary: #e6edf3;
+    --text-secondary: #8b949e;
+    --border-color: #30363d;
+    --accent: #58a6ff;
+    --accent-hover: #79c0ff;
+}
+
+/* Default theme */
+:root {
+    --bg-primary: #0d1117;
+    --bg-secondary: #161b22;
+    --bg-tertiary: #21262d;
+    --text-primary: #e6edf3;
+    --text-secondary: #8b949e;
+    --border-color: #30363d;
+    --accent: #58a6ff;
+    --accent-hover: #79c0ff;
+}
+
+body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+    background-color: var(--bg-primary);
+    color: var(--text-primary);
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    height: 100vh;
+    flex-direction: column;
+    text-align: center;
+    transition: background-color 0.3s ease, color 0.3s ease;
+}
+
+.container {
+    background-color: var(--bg-secondary);
+    border: 1px solid var(--border-color);
+    padding: 2rem 3rem;
+    border-radius: 0.5rem;
+    box-shadow: 0 4px 12px rgba(0,0,0,0.15);
+    width: 100%;
+    max-width: 400px;
+}
+
+h1 {
+    font-size: 2rem;
+    margin-bottom: 1.5rem;
+    color: var(--accent);
+}
+
+form {
+    display: flex;
+    flex-direction: column;
+    gap: 1rem;
+}
+
+label {
+    text-align: left;
+    font-size: 0.875rem;
+    color: var(--text-secondary);
+}
+
+input[type="text"],
+input[type="password"] {
+    padding: 0.5rem 0.75rem;
+    border-radius: 0.375rem;
+    border: 1px solid var(--border-color);
+    background-color: var(--bg-tertiary);
+    color: var(--text-primary);
+    font-size: 1rem;
+    transition: all 0.2s ease;
+}
+
+input[type="text"]:focus,
+input[type="password"]:focus {
+    border-color: var(--accent);
+    outline: none;
+}
+
+button {
+    padding: 0.5rem 1rem;
+    border-radius: 0.375rem;
+    border: 1px solid var(--border-color);
+    background-color: var(--bg-tertiary);
+    color: var(--text-primary);
+    cursor: pointer;
+    font-size: 1rem;
+    transition: all 0.2s ease;
+}
+
+button:hover {
+    background-color: var(--accent);
+    border-color: var(--accent);
+    color: #fff;
+}
+
+button:active {
+    transform: scale(0.98);
+}
+
+a.logout-link {
+    color: var(--accent);
+    text-decoration: none;
+    margin-top: 1rem;
+    display: inline-block;
+    font-size: 0.875rem;
+}
+
+a.logout-link:hover {
+    color: var(--accent-hover);
+}
+
+.theme-toggle {
+    margin-top: 1rem;
+    width: 1.75rem;
+    height: 1.75rem;
+    border: none;
+    background-color: var(--text-secondary);
+    border-radius: 6px;
+    cursor: pointer;
+}
+
+.theme-toggle:active {
+    transform: scale(0.98);
+}
+
+@media (max-width: 480px) {
+    .container {
+        padding: 1.5rem 2rem;
+    }
+
+    h1 {
+        font-size: 1.75rem;
+    }
+}

app/src/template/assets/style.css

@@ -63,7 +63,7 @@ body {
 .header {
     background-color: var(--bg-secondary);
     border-bottom: 1px solid var(--border-color);
-    padding: 3rem;
+    padding: 2rem 3rem 1rem 3rem;
     position: sticky;
     top: 0;
     z-index: 10;

app/src/template/auth/login.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<!--suppress HtmlFormInputWithoutLabel -->
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Login</title>
+    <style>@{style}</style>
+</head>
+<body>
+<div class="container">
+    <h1>Login</h1>
+    <form action="/auth/login" method="POST">
+        <input placeholder="Username" type="text" id="username" name="username" required>
+        <input placeholder="Password" type="password" id="password" name="password" minlength="8" required>
+
+        <button type="submit">Sign In</button>
+    </form>
+</div>
+<script>
+    if ((savedTheme = (localStorage.getItem('theme') || 'light')))
+        document.documentElement.setAttribute('data-theme', savedTheme);
+</script>
+</body>
+</html>

app/src/template/auth/logout.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Logout</title>
+    <style>@{style}</style>
+</head>
+<body>
+<div class="container">
+    <h1>Log Out?</h1>
+    <form action="/auth/logout" method="POST">
+        <button type="submit">Logout</button>
+    </form>
+</div>
+<script>
+    if ((savedTheme = (localStorage.getItem('theme') || 'light')))
+        document.documentElement.setAttribute('data-theme', savedTheme);
+</script>
+</body>
+</html>

app/src/util/http.v

@@ -0,0 +1 @@
+module util

app/src/util/structs.v

@@ -3,26 +3,23 @@ module util
 
 import os
 import time
-
-pub struct Database {
-pub:
-	host     string
-	port     int
-	username string
-	password string
-}
+import encoding.base64
 
 pub struct Config {
 pub:
+	exe      string
 	root     string
 	port     int
-	database Database
+	debug    bool
+	jwt_key  string
+	database string
 }
 
 pub struct Embedded {
 pub mut:
 	style_css string
 	error_css string
+	admin_css string
 }
 
 pub struct FileEntry {
@@ -71,13 +68,11 @@ pub fn Utility.get_icon(ext string, is_dir bool) string {
 		'unknown': '<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#e3e3e3"><path d="M240-80q-33 0-56.5-23.5T160-160v-640q0-33 23.5-56.5T240-880h320l240 240v480q0 33-23.5 56.5T720-80H240Zm280-520v-200H240v640h480v-440H520ZM240-800v200-200 640-640Z"/></svg>'
 	}
 
-	return Utility.svg_to_data_uri(if is_dir { icons['dir'] } else { icons[ext] or {
-			icons['unknown']} })
+	return if is_dir { icons['dir'] } else { icons[ext] or { icons['unknown'] } }
 }
 
 pub fn Utility.svg_to_data_uri(svg string) string {
-	return svg
-	// return 'data:image/svg+xml;base64,${base64.encode(svg.bytes())}'
+	return 'data:image/svg+xml;base64,${base64.encode(svg.bytes())}'
 }
 
 pub fn Utility.format_size(bytes i64) string {
@@ -105,20 +100,34 @@ pub fn Utility.format_date(unix_time i64) string {
 	return time.unix(unix_time).format_ss_milli()
 }
 
-pub fn Utility.list_files(dir_path string, relative string) ![]FileEntry {
+pub fn Utility.resolve_path(base string, path string) string {
+	if os.is_abs_path(path) {
+		return path
+	}
+
+	return os.real_path(os.join_path(base, path))
+}
+
+pub fn Utility.list_files(dir_path string, relative string, exclude []string) ![]FileEntry {
 	mut entries := []FileEntry{}
 
 	files := os.ls(dir_path)!
 
 	for file in files {
 		full_path := os.join_path(dir_path, file)
+		normalized := Utility.normalize_path(full_path)
+
+		if normalized in exclude {
+			continue
+		}
+
 		is_dir := os.is_dir(full_path)
 		file_info := os.stat(full_path)!
 		file_ext := full_path.split('.').last()
 
 		entries << FileEntry{
 			name:     if is_dir { '${file}/' } else { file }
-			abs_path: Utility.normalize_path(full_path)
+			abs_path: normalized
 			path:     Utility.normalize_path(full_path).split(relative)[1] or { 'err' }
 			is_dir:   is_dir
 			size:     if !is_dir { file_info.size } else { 0 }
@@ -145,7 +154,7 @@ pub fn Utility.list_files(dir_path string, relative string) ![]FileEntry {
 }
 
 pub fn Utility.normalize_path(path string) string {
-	return path.replace('\\', '/')
+	return path.replace('\\', '/').replace('//', '/')
 }
 
 pub struct HtmlBuilder {}

docker-compose.yml

@@ -1,15 +1,11 @@
 services:
   app:
-    build:
-      context: ./app
-      dockerfile: Dockerfile
     container_name: cdn_web
     depends_on:
       - db
     ports:
-      - "8080:8080"
+      - "8080:8080" // how do these get passed to my exe?, etc
     environment:
-      # env shee
       DB_HOST: db
       DB_USER: appuser
       DB_PASS: s3cret