feat: add PRIVATE_MODE site-wide auth gate (0.48.0)

When `PRIVATE_MODE=true`, every API path except a small allowlist (`/health`, `/auth/{config,login,logout,register}`) requires a valid session cookie or bearer token — anonymous reads are rejected with 401. Self-registration is force-disabled in private mode regardless of `ALLOW_SELF_REGISTER`, so a locked-down instance flips with a single switch (admins still mint accounts via `POST /admin/users`). The backend gate is a tower middleware that reuses the existing `CurrentUser` extractor, so the cookie + bearer paths cannot drift from per-handler auth. `/auth/config` now exposes the flag plus the effective `self_register_enabled` value so the frontend can render the navbar correctly on the first paint. On the frontend, a new universal root `+layout.ts` fetches the config and redirects anonymous visitors to `/login?next=<path>` before page-specific loads fire. The redirect is UX only — the backend middleware is the source of truth, so crafted requests still 401. Defaults stay public (`PRIVATE_MODE=false`); existing deployments need no env change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(crawler): honour CRAWLER_LIMIT in the in-process daemon (0.47.0)
2026-06-01 20:11:22 +02:00 · 2026-06-01 20:07:01 +02:00 · 2026-05-31 20:56:45 +02:00 · 2026-05-31 20:56:45 +02:00
18 changed files with 719 additions and 16 deletions
--- a/.env.example
+++ b/.env.example
@@ -74,6 +74,10 @@ CRAWLER_DOWNLOAD_ALLOWLIST=
 CRAWLER_ALLOW_ANY_HOST=false
 # Hard cap on a single image body. Default 32 MiB.
 CRAWLER_MAX_IMAGE_BYTES=33554432
+# Max manga detail fetches per metadata pass (both the in-process daemon
+# and the `bin/crawler` CLI). 0 means no cap — let the source walker run
+# to completion. Useful for capped test runs against a new source.
+CRAWLER_LIMIT=0
 # Path to a system Chromium binary. When set, the crawler skips the
 # bundled-fetcher download. Required on platforms without a usable
 # upstream Chromium build (notably Linux_arm64 / Raspberry Pi). On
--- a/backend/Cargo.lock
+++ b/backend/Cargo.lock
@@ -1470,7 +1470,7 @@ checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"

 [[package]]
 name = "mangalord"
-version = "0.46.0"
+version = "0.48.0"
 dependencies = [
 "anyhow",
 "argon2",
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mangalord"
-version = "0.46.0"
+version = "0.48.0"
 edition = "2021"
 default-run = "mangalord"

--- a/backend/src/api/auth.rs
+++ b/backend/src/api/auth.rs
@@ -42,18 +42,22 @@ pub fn routes() -> Router<AppState> {
        .route("/auth/tokens/:id", delete(delete_token))
 }

-/// Public, unauthenticated. Exposes anonymous-relevant auth policy
-/// (currently just whether self-registration is open) so the frontend
-/// can render its login / register affordances correctly without a
-/// probe request that would conflate "disabled" with "rate-limited".
+/// Public, unauthenticated. Exposes anonymous-relevant auth policy so
+/// the frontend can render its login / register affordances correctly
+/// without a probe request that would conflate "disabled" with
+/// "rate-limited". `self_register_enabled` is the *effective* value
+/// (`allow_self_register && !private_mode`), so a private-mode
+/// instance reports `false` even if the raw flag is on.
 #[derive(Debug, Serialize)]
 pub struct AuthConfigResponse {
    pub self_register_enabled: bool,
+    pub private_mode: bool,
 }

 async fn auth_config(State(state): State<AppState>) -> Json<AuthConfigResponse> {
    Json(AuthConfigResponse {
-        self_register_enabled: state.auth.allow_self_register,
+        self_register_enabled: state.auth.allow_self_register && !state.auth.private_mode,
+        private_mode: state.auth.private_mode,
    })
 }

@@ -103,7 +107,10 @@ async fn register(
    // disabled and enabled paths both consume a token, and disabled
    // returns 403 instead of running argon2.
    check_auth_rate_limit(&state, "register")?;
-    if !state.auth.allow_self_register {
+    // Private mode force-blocks self-registration regardless of
+    // ALLOW_SELF_REGISTER — operators of locked-down instances mint
+    // accounts via `POST /admin/users` instead.
+    if !state.auth.allow_self_register || state.auth.private_mode {
        return Err(AppError::Forbidden);
    }
    let username = input.username.trim();
--- a/backend/src/app.rs
+++ b/backend/src/app.rs
@@ -3,8 +3,10 @@ use std::sync::atomic::AtomicBool;

 use anyhow::Context;
 use async_trait::async_trait;
-use axum::extract::DefaultBodyLimit;
+use axum::extract::{DefaultBodyLimit, FromRequestParts, Request, State};
 use axum::http::{HeaderName, HeaderValue, Method};
+use axum::middleware::{self, Next};
+use axum::response::Response;
 use axum::Router;
 use sqlx::postgres::PgPoolOptions;
 use sqlx::PgPool;
@@ -12,7 +14,9 @@ use tokio_util::sync::CancellationToken;
 use tower_http::cors::{AllowOrigin, CorsLayer};
 use tower_http::trace::TraceLayer;

+use crate::auth::extractor::CurrentUser;
 use crate::auth::rate_limit::AuthRateLimiter;
+use crate::error::AppError;
 use crate::config::{AuthConfig, Config, CrawlerConfig, UploadConfig};
 use crate::crawler::browser_manager::{self, BrowserManager};
 use crate::crawler::content::{self, SyncOutcome};
@@ -140,7 +144,8 @@ async fn spawn_crawler_daemon(
    // authenticated without operator action.
    let mut launch_opts = cfg.browser.clone();
    if let Some(proxy) = &cfg.proxy {
-        launch_opts.extra_args.push(format!("--proxy-server={proxy}"));
+        let chromium_proxy = crate::crawler::url_utils::chromium_proxy_arg(proxy);
+        launch_opts.extra_args.push(format!("--proxy-server={chromium_proxy}"));
    }
    let on_launch = match (&cfg.phpsessid, &cfg.cookie_domain, &cfg.start_url) {
        (Some(sid), Some(domain), Some(start_url)) => {
@@ -184,6 +189,7 @@ async fn spawn_crawler_daemon(
            http: http.clone(),
            rate: Arc::clone(&rate),
            start_url: url.clone(),
+            manga_limit: cfg.manga_limit,
            download_allowlist: cfg.download_allowlist.clone(),
            max_image_bytes: cfg.max_image_bytes,
            tor: tor.as_ref().map(Arc::clone),
@@ -251,6 +257,7 @@ struct RealMetadataPass {
    http: reqwest::Client,
    rate: Arc<HostRateLimiters>,
    start_url: String,
+    manga_limit: usize,
    download_allowlist: DownloadAllowlist,
    max_image_bytes: usize,
    tor: Option<Arc<crate::crawler::tor::TorController>>,
@@ -266,7 +273,7 @@ impl MetadataPass for RealMetadataPass {
            &self.http,
            &self.rate,
            &self.start_url,
-            0,
+            self.manga_limit,
            false,
            &self.download_allowlist,
            self.max_image_bytes,
@@ -350,11 +357,62 @@ pub fn router(state: AppState) -> Router {
    let max_request_bytes = state.upload.max_request_bytes;
    Router::new()
        .nest("/api/v1", crate::api::routes())
+        .layer(middleware::from_fn_with_state(
+            state.clone(),
+            private_mode_guard,
+        ))
        .layer(DefaultBodyLimit::max(max_request_bytes))
        .with_state(state)
        .layer(TraceLayer::new_for_http())
 }

+/// Paths reachable anonymously even when `PRIVATE_MODE=true`. Login and
+/// logout are needed for the auth flow itself; `/health` is reserved
+/// for load-balancer probes; `/auth/config` lets the frontend decide
+/// whether to render the login form or its anonymous alternatives;
+/// `/auth/register` is exempted from the gate so the handler can
+/// return its informative `registration_disabled` 403 (the same code
+/// public-mode deployments use when `ALLOW_SELF_REGISTER=false`) —
+/// the handler itself force-blocks the request body in private mode,
+/// so no account ever gets created here. Everything else demands a
+/// valid session cookie or bearer token.
+fn is_public_in_private_mode(path: &str) -> bool {
+    matches!(
+        path,
+        "/api/v1/health"
+            | "/api/v1/auth/config"
+            | "/api/v1/auth/login"
+            | "/api/v1/auth/logout"
+            | "/api/v1/auth/register"
+    )
+}
+
+/// Site-wide auth gate for `PRIVATE_MODE=true`. With the flag off this
+/// is a no-op pass-through, so public deployments take no extra DB
+/// hit. With it on, the guard reuses [`CurrentUser`] — the same
+/// session-cookie-then-bearer-token logic the per-handler extractor
+/// uses — so the two paths can never drift.
+async fn private_mode_guard(
+    State(state): State<AppState>,
+    req: Request,
+    next: Next,
+) -> Result<Response, AppError> {
+    if !state.auth.private_mode {
+        return Ok(next.run(req).await);
+    }
+    if is_public_in_private_mode(req.uri().path()) {
+        return Ok(next.run(req).await);
+    }
+    let (mut parts, body) = req.into_parts();
+    match CurrentUser::from_request_parts(&mut parts, &state).await {
+        Ok(_) => {
+            let req = Request::from_parts(parts, body);
+            Ok(next.run(req).await)
+        }
+        Err(_) => Err(AppError::Unauthenticated),
+    }
+}
+
 pub(crate) fn cors_layer(allowed_origins: &[String]) -> CorsLayer {
    if allowed_origins.is_empty() {
        // Same-origin only — no CORS headers emitted.
--- a/backend/src/bin/crawler.rs
+++ b/backend/src/bin/crawler.rs
@@ -127,7 +127,8 @@ async fn main() -> anyhow::Result<()> {

    let mut options = LaunchOptions::from_env();
    if let Some(proxy) = &proxy_url {
-        options.extra_args.push(format!("--proxy-server={proxy}"));
+        let chromium_proxy = mangalord::crawler::url_utils::chromium_proxy_arg(proxy);
+        options.extra_args.push(format!("--proxy-server={chromium_proxy}"));
    }
    let keep_open = match (keep_browser_open, options.mode) {
        (true, BrowserMode::Headed) => true,
--- a/backend/src/config.rs
+++ b/backend/src/config.rs
@@ -19,6 +19,14 @@ pub struct AuthConfig {
    /// `POST /admin/users`. Defaults to `true` (open registration)
    /// for backward compatibility.
    pub allow_self_register: bool,
+    /// When `true`, every API path except a small allowlist
+    /// (`/health`, `/auth/config`, `/auth/login`, `/auth/logout`)
+    /// requires a valid session cookie or bearer token — anonymous
+    /// reads are rejected with 401. Self-registration is also
+    /// force-disabled regardless of [`Self::allow_self_register`]
+    /// so a private instance is locked down with a single switch.
+    /// Defaults to `false` (current public behaviour).
+    pub private_mode: bool,
 }

 impl Default for AuthConfig {
@@ -33,6 +41,7 @@ impl Default for AuthConfig {
            // defaults.
            rate_limit: crate::auth::rate_limit::RateLimitConfig::default(),
            allow_self_register: true,
+            private_mode: false,
        }
    }
 }
@@ -119,6 +128,10 @@ pub struct CrawlerConfig {
    pub download_allowlist: DownloadAllowlist,
    /// Hard upper bound on a single image download. Defaults to 32 MiB.
    pub max_image_bytes: usize,
+    /// Max manga detail fetches per metadata pass. `0` means no cap
+    /// (full sweep up to the source's own bound). Sourced from
+    /// `CRAWLER_LIMIT`, mirroring the CLI binary.
+    pub manga_limit: usize,
 }

 impl Default for CrawlerConfig {
@@ -145,6 +158,7 @@ impl Default for CrawlerConfig {
            browser: LaunchOptions::headless(),
            download_allowlist: DownloadAllowlist::new(),
            max_image_bytes: DEFAULT_MAX_IMAGE_BYTES,
+            manga_limit: 0,
        }
    }
 }
@@ -176,6 +190,7 @@ impl Config {
                    ) as u32,
                },
                allow_self_register: env_bool("ALLOW_SELF_REGISTER", true),
+                private_mode: env_bool("PRIVATE_MODE", false),
            },
            upload: UploadConfig {
                max_request_bytes: env_usize("MAX_REQUEST_BYTES", 200 * 1024 * 1024),
@@ -267,6 +282,7 @@ impl CrawlerConfig {
            browser: LaunchOptions::from_env(),
            download_allowlist,
            max_image_bytes: env_usize("CRAWLER_MAX_IMAGE_BYTES", DEFAULT_MAX_IMAGE_BYTES),
+            manga_limit: env_usize("CRAWLER_LIMIT", 0),
        })
    }
 }
@@ -340,3 +356,64 @@ fn env_usize(name: &str, default: usize) -> usize {
        .unwrap_or(default)
 }

+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::sync::Mutex;
+
+    // Serialise env-touching tests so concurrent cargo-test threads don't
+    // race on the process-global env. Re-acquire on poison since a
+    // panicking test still leaves the env in a consistent state for us
+    // (we set/unset within each guard region).
+    static ENV_GUARD: Mutex<()> = Mutex::new(());
+
+    #[test]
+    fn crawler_limit_env_populates_manga_limit() {
+        let _g = ENV_GUARD.lock().unwrap_or_else(|p| p.into_inner());
+        std::env::set_var("CRAWLER_LIMIT", "96");
+        let cfg = CrawlerConfig::from_env().expect("from_env");
+        std::env::remove_var("CRAWLER_LIMIT");
+        assert_eq!(cfg.manga_limit, 96);
+    }
+
+    #[test]
+    fn crawler_limit_unset_defaults_to_zero() {
+        let _g = ENV_GUARD.lock().unwrap_or_else(|p| p.into_inner());
+        std::env::remove_var("CRAWLER_LIMIT");
+        let cfg = CrawlerConfig::from_env().expect("from_env");
+        assert_eq!(cfg.manga_limit, 0);
+    }
+
+    #[test]
+    fn private_mode_env_parses_true() {
+        let _g = ENV_GUARD.lock().unwrap_or_else(|p| p.into_inner());
+        std::env::set_var("PRIVATE_MODE", "true");
+        std::env::set_var("DATABASE_URL", "postgres://test");
+        let cfg = Config::from_env().expect("from_env");
+        std::env::remove_var("PRIVATE_MODE");
+        std::env::remove_var("DATABASE_URL");
+        assert!(cfg.auth.private_mode);
+    }
+
+    #[test]
+    fn private_mode_env_parses_false() {
+        let _g = ENV_GUARD.lock().unwrap_or_else(|p| p.into_inner());
+        std::env::set_var("PRIVATE_MODE", "false");
+        std::env::set_var("DATABASE_URL", "postgres://test");
+        let cfg = Config::from_env().expect("from_env");
+        std::env::remove_var("PRIVATE_MODE");
+        std::env::remove_var("DATABASE_URL");
+        assert!(!cfg.auth.private_mode);
+    }
+
+    #[test]
+    fn private_mode_defaults_to_false() {
+        let _g = ENV_GUARD.lock().unwrap_or_else(|p| p.into_inner());
+        std::env::remove_var("PRIVATE_MODE");
+        std::env::set_var("DATABASE_URL", "postgres://test");
+        let cfg = Config::from_env().expect("from_env");
+        std::env::remove_var("DATABASE_URL");
+        assert!(!cfg.auth.private_mode);
+    }
+}
+
--- a/backend/src/crawler/url_utils.rs
+++ b/backend/src/crawler/url_utils.rs
@@ -91,6 +91,26 @@ pub fn registrable_domain(url: &str) -> Option<String> {
    Some(format!(".{}", registrable.join(".")))
 }

+/// Normalise a SOCKS proxy URL for Chromium's `--proxy-server=` flag.
+///
+/// reqwest accepts both `socks5://` (resolve locally) and
+/// `socks5h://` (resolve via the SOCKS server — important when the
+/// proxy is TOR and we don't want the host's resolver to see the
+/// target hostname). Chromium does **not** know the `socks5h` scheme
+/// and refuses navigations with `ERR_NO_SUPPORTED_PROXIES`. It
+/// already sends destination hostnames over SOCKS5 by default
+/// regardless, so stripping the `h` is a pure scheme rename — the
+/// remote-DNS behaviour is preserved.
+///
+/// Non-SOCKS schemes pass through unchanged.
+pub fn chromium_proxy_arg(proxy: &str) -> String {
+    if let Some(rest) = proxy.strip_prefix("socks5h://") {
+        format!("socks5://{rest}")
+    } else {
+        proxy.to_string()
+    }
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -191,4 +211,34 @@ mod tests {
            Some("[2001:db8::1]")
        );
    }
+
+    #[test]
+    fn chromium_proxy_arg_strips_socks5h_to_socks5() {
+        // Regression: passing socks5h:// to Chromium yields
+        // ERR_NO_SUPPORTED_PROXIES at navigation time.
+        assert_eq!(
+            chromium_proxy_arg("socks5h://127.0.0.1:9050"),
+            "socks5://127.0.0.1:9050"
+        );
+        assert_eq!(
+            chromium_proxy_arg("socks5h://tor:9050"),
+            "socks5://tor:9050"
+        );
+    }
+
+    #[test]
+    fn chromium_proxy_arg_passes_socks5_unchanged() {
+        assert_eq!(
+            chromium_proxy_arg("socks5://127.0.0.1:9050"),
+            "socks5://127.0.0.1:9050"
+        );
+    }
+
+    #[test]
+    fn chromium_proxy_arg_passes_non_socks_unchanged() {
+        assert_eq!(
+            chromium_proxy_arg("http://proxy.example:8080"),
+            "http://proxy.example:8080"
+        );
+    }
 }
--- a/backend/tests/api_private_mode.rs
+++ b/backend/tests/api_private_mode.rs
@@ -0,0 +1,189 @@
+//! Site-wide auth gate (`PRIVATE_MODE=true`).
+//!
+//! With private mode on, every API path except a small allowlist
+//! (`/health`, `/auth/config`, `/auth/login`, `/auth/logout`) requires
+//! a valid session cookie or bearer token, and `/auth/register` is
+//! force-blocked regardless of `ALLOW_SELF_REGISTER`. With private mode
+//! off (the default), nothing changes — the `public_mode_*` test
+//! pins that regression guard.
+
+mod common;
+
+use serde_json::json;
+use sqlx::PgPool;
+use tower::ServiceExt;
+
+use axum::http::StatusCode;
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_blocks_anonymous_manga_list(pool: PgPool) {
+    let h = common::harness_with_private_mode(pool);
+    let resp = h.app.oneshot(common::get("/api/v1/mangas")).await.unwrap();
+    assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_blocks_anonymous_files(pool: PgPool) {
+    let h = common::harness_with_private_mode(pool);
+    // The path doesn't have to exist — the guard runs before routing,
+    // so the response is 401 (not 404). That's the property the test
+    // is pinning: nothing leaks via crafted URLs.
+    let resp = h
+        .app
+        .oneshot(common::get("/api/v1/files/anything.png"))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_allows_session_cookie_read(pool: PgPool) {
+    // Register through a non-private harness sharing the same DB pool
+    // so the session row exists. Then exercise the gate using a fresh
+    // private-mode harness against the same DB.
+    let public = common::harness(pool.clone());
+    let (_, cookie) = common::register_user(&public.app).await;
+
+    let private = common::harness_with_private_mode(pool);
+    let resp = private
+        .app
+        .oneshot(common::get_with_cookie("/api/v1/mangas", &cookie))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_allows_bearer_token_read(pool: PgPool) {
+    let public = common::harness(pool.clone());
+    let (_, cookie) = common::register_user(&public.app).await;
+
+    let resp = public
+        .app
+        .clone()
+        .oneshot(common::post_json_with_cookie(
+            "/api/v1/auth/tokens",
+            json!({ "name": "private-mode-bot" }),
+            &cookie,
+        ))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::CREATED);
+    let body = common::body_json(resp).await;
+    let bearer = body["bearer"].as_str().unwrap().to_string();
+
+    let private = common::harness_with_private_mode(pool);
+    let resp = private
+        .app
+        .oneshot(common::get_with_bearer("/api/v1/mangas", &bearer))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_allows_login_endpoint_anonymous(pool: PgPool) {
+    // Seed a user via the public harness so login has credentials to
+    // verify against.
+    let public = common::harness(pool.clone());
+    let _ = public
+        .app
+        .clone()
+        .oneshot(common::post_json(
+            "/api/v1/auth/register",
+            json!({ "username": "alice", "password": "hunter2hunter2" }),
+        ))
+        .await
+        .unwrap();
+
+    let private = common::harness_with_private_mode(pool);
+    let resp = private
+        .app
+        .oneshot(common::post_json(
+            "/api/v1/auth/login",
+            json!({ "username": "alice", "password": "hunter2hunter2" }),
+        ))
+        .await
+        .unwrap();
+    // Reaches the login handler and succeeds — *not* 401 from the
+    // gate. That's the property we're pinning.
+    assert_eq!(resp.status(), StatusCode::OK);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_allows_health_and_config_anonymous(pool: PgPool) {
+    let h = common::harness_with_private_mode(pool);
+
+    let r = h
+        .app
+        .clone()
+        .oneshot(common::get("/api/v1/health"))
+        .await
+        .unwrap();
+    assert_eq!(r.status(), StatusCode::OK);
+
+    let r = h
+        .app
+        .oneshot(common::get("/api/v1/auth/config"))
+        .await
+        .unwrap();
+    assert_eq!(r.status(), StatusCode::OK);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn private_mode_blocks_register_even_when_self_register_enabled(pool: PgPool) {
+    // harness_with_private_mode keeps `allow_self_register=true` (the
+    // default) — private mode is supposed to force-block register
+    // regardless. That's what this test pins.
+    let h = common::harness_with_private_mode(pool);
+    let resp = h
+        .app
+        .oneshot(common::post_json(
+            "/api/v1/auth/register",
+            json!({ "username": "alice", "password": "hunter2hunter2" }),
+        ))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["error"]["code"], "forbidden");
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn auth_config_reports_private_mode_and_effective_self_register(pool: PgPool) {
+    let h = common::harness_with_private_mode(pool);
+    let resp = h
+        .app
+        .oneshot(common::get("/api/v1/auth/config"))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["private_mode"], true);
+    // Effective value: `allow_self_register && !private_mode` is false
+    // here even though the raw `allow_self_register` is true.
+    assert_eq!(body["self_register_enabled"], false);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn public_mode_does_not_gate_anonymous_reads(pool: PgPool) {
+    // Regression guard: with private_mode off (the default), the gate
+    // must be a no-op so existing public deployments stay public.
+    let h = common::harness(pool);
+    let resp = h.app.oneshot(common::get("/api/v1/mangas")).await.unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+}
+
+#[sqlx::test(migrations = "./migrations")]
+async fn public_mode_reports_private_mode_false(pool: PgPool) {
+    let h = common::harness(pool);
+    let resp = h
+        .app
+        .oneshot(common::get("/api/v1/auth/config"))
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+    let body = common::body_json(resp).await;
+    assert_eq!(body["private_mode"], false);
+    assert_eq!(body["self_register_enabled"], true);
+}
--- a/backend/tests/common/mod.rs
+++ b/backend/tests/common/mod.rs
@@ -92,6 +92,21 @@ pub fn harness_with_self_register_disabled(pool: PgPool) -> Harness {
    harness_with_auth_config(pool, storage, storage_dir, auth)
 }

+/// Like [`harness`] but flips `PRIVATE_MODE` on so the site-wide auth
+/// gate is exercised. `allow_self_register` stays at its default `true`
+/// to verify that private mode force-disables self-registration on top
+/// of whatever `ALLOW_SELF_REGISTER` says.
+pub fn harness_with_private_mode(pool: PgPool) -> Harness {
+    let storage_dir = tempfile::tempdir().expect("tempdir");
+    let storage = Arc::new(LocalStorage::new(storage_dir.path()));
+    let auth = AuthConfig {
+        cookie_secure: false,
+        private_mode: true,
+        ..AuthConfig::default()
+    };
+    harness_with_auth_config(pool, storage, storage_dir, auth)
+}
+
 /// Like [`harness`] but configures a tight auth rate limit. Used by
 /// the brute-force-rate-limiting test.
 pub fn harness_with_auth_rate_limit(
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -17,5 +17,28 @@ services:
      timeout: 5s
      retries: 10

+  # Optional: TOR daemon for crawler dev. Ports bind to 127.0.0.1 only
+  # — never the LAN — so a native `cargo run` on the host can reach
+  # 127.0.0.1:9050 / 9051. Mirrors the prod tor service (see
+  # docker-compose.yml), just with host-loopback ports and a default
+  # password baked in for friction-free dev.
+  tor:
+    image: dockurr/tor:latest
+    entrypoint: ["/bin/sh", "/usr/local/bin/mangalord-entrypoint.sh"]
+    environment:
+      PASSWORD: ${TOR_CONTROL_PASSWORD:-dev-tor-password}
+    volumes:
+      - ./tor/torrc:/etc/tor/torrc:ro
+      - ./tor/entrypoint.sh:/usr/local/bin/mangalord-entrypoint.sh:ro
+    ports:
+      - "127.0.0.1:9050:9050"
+      - "127.0.0.1:9051:9051"
+    healthcheck:
+      test: ["CMD-SHELL", "nc -z 127.0.0.1 9050 && nc -z 127.0.0.1 9051"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
+      start_period: 30s
+
 volumes:
  mangalord-postgres-dev:
--- a/frontend/e2e/private-mode.spec.ts
+++ b/frontend/e2e/private-mode.spec.ts
@@ -0,0 +1,101 @@
+import { test, expect, type Page } from '@playwright/test';
+
+// Network-level mocks for the private-mode UX. The backend integration
+// tests (api_private_mode.rs) cover the actual gate; here we only
+// verify that the SvelteKit universal load redirects anonymous
+// visitors to /login and then back to where they were going.
+
+const userFixture = {
+    id: 'user-1',
+    username: 'alice',
+    created_at: '2026-01-01T00:00:00Z',
+    is_admin: false
+};
+const emptyPage = { items: [], page: { limit: 50, offset: 0, total: null } };
+
+async function stubPrivateInstance(page: Page) {
+    let loggedIn = false;
+
+    // The flag that flips the gate on. Frontend reads it in
+    // `+layout.ts` to decide whether to redirect.
+    await page.route('**/api/v1/auth/config', async (route) => {
+        await route.fulfill({
+            status: 200,
+            contentType: 'application/json',
+            body: JSON.stringify({
+                self_register_enabled: false,
+                private_mode: true
+            })
+        });
+    });
+
+    await page.route('**/api/v1/auth/me', async (route) => {
+        if (loggedIn) {
+            await route.fulfill({
+                status: 200,
+                contentType: 'application/json',
+                body: JSON.stringify({ user: userFixture })
+            });
+        } else {
+            await route.fulfill({
+                status: 401,
+                contentType: 'application/json',
+                body: JSON.stringify({
+                    error: { code: 'unauthenticated', message: 'unauthenticated' }
+                })
+            });
+        }
+    });
+
+    await page.route('**/api/v1/auth/login', async (route) => {
+        loggedIn = true;
+        await route.fulfill({
+            status: 200,
+            contentType: 'application/json',
+            body: JSON.stringify({ user: userFixture })
+        });
+    });
+
+    // The real backend would 401 these too in private mode; we stub
+    // success so the post-login navigation can render the home page
+    // without an additional redirect cycle.
+    await page.route('**/api/v1/mangas*', async (route) => {
+        await route.fulfill({
+            status: 200,
+            contentType: 'application/json',
+            body: JSON.stringify(emptyPage)
+        });
+    });
+}
+
+test('private mode: anonymous visit to / redirects to /login?next=%2F', async ({ page }) => {
+    await stubPrivateInstance(page);
+    await page.goto('/');
+    await expect(page).toHaveURL(/\/login\?next=%2F$/);
+    await expect(page.getByTestId('login-username')).toBeVisible();
+});
+
+test('private mode: register link is hidden', async ({ page }) => {
+    await stubPrivateInstance(page);
+    await page.goto('/login');
+    await expect(page.getByTestId('nav-login')).toBeVisible();
+    // self_register_enabled is the effective value (false in private
+    // mode regardless of ALLOW_SELF_REGISTER), so the navbar must
+    // never render the register affordance here.
+    await expect(page.getByTestId('nav-register')).toHaveCount(0);
+});
+
+test('private mode: after login the user lands back on the requested page', async ({ page }) => {
+    await stubPrivateInstance(page);
+
+    // Visit a deep link → bounced to /login with next= preserving it.
+    await page.goto('/');
+    await expect(page).toHaveURL(/\/login\?next=%2F$/);
+
+    await page.getByTestId('login-username').fill('alice');
+    await page.getByTestId('login-password').fill('hunter2hunter2');
+    await page.getByTestId('login-submit').click();
+
+    // Authenticated → can now reach the home page without bouncing.
+    await expect(page.getByTestId('session-user')).toContainText('alice');
+});
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "mangalord-frontend",
-  "version": "0.46.0",
+  "version": "0.48.0",
  "private": true,
  "type": "module",
  "scripts": {
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -102,10 +102,14 @@ export async function deleteToken(id: string): Promise<void> {
 }

 export type AuthConfig = {
-    /** When false, /v1/auth/register returns 403 and the UI should
+    /** Effective value (`allow_self_register && !private_mode`).
+     * When false, /v1/auth/register returns 403 and the UI should
     * hide its register affordance. Admins can still mint accounts
     * via POST /v1/admin/users. */
    self_register_enabled: boolean;
+    /** When true, every read endpoint requires auth and anonymous
+     * visitors are redirected to `/login` (see `+layout.ts`). */
+    private_mode: boolean;
 };

 /** Public — no auth, no cookie required. */
--- a/frontend/src/lib/auth-config.svelte.ts
+++ b/frontend/src/lib/auth-config.svelte.ts
@@ -16,6 +16,7 @@ import { getAuthConfig } from './api/auth';

 class AuthConfigStore {
    self_register_enabled = $state(true);
+    private_mode = $state(false);
    loaded = $state(false);
    private loading = false;

@@ -25,6 +26,7 @@ class AuthConfigStore {
        try {
            const cfg = await getAuthConfig();
            this.self_register_enabled = cfg.self_register_enabled;
+            this.private_mode = cfg.private_mode;
            this.loaded = true;
        } catch {
            // Keep optimistic default; next page mount will retry.
@@ -32,6 +34,16 @@ class AuthConfigStore {
            this.loading = false;
        }
    }
+
+    /** Seed from server-rendered layout data so the very first paint
+     *  doesn't flash the loading state. Used by `+layout.ts` /
+     *  `+layout.svelte` on the universal-load path. Safe to call from
+     *  SSR (no `browser` guard) since it touches only reactive state. */
+    seed(cfg: { self_register_enabled: boolean; private_mode: boolean }): void {
+        this.self_register_enabled = cfg.self_register_enabled;
+        this.private_mode = cfg.private_mode;
+        this.loaded = true;
+    }
 }

 export const authConfig = new AuthConfigStore();
--- a/frontend/src/routes/+layout.svelte
+++ b/frontend/src/routes/+layout.svelte
@@ -14,15 +14,23 @@
    import Shield from '@lucide/svelte/icons/shield';
    import '$lib/styles/tokens.css';

-    let { children } = $props();
+    let { children, data } = $props();
    let loggingOut = $state(false);
    let headerEl: HTMLElement | undefined = $state();

+    // Seed authConfig from the universal layout load. $effect keeps
+    // the store in sync if `data` is replaced by a subsequent layout
+    // load (client-side nav). The first run also covers initial
+    // hydration so the navbar's register link reflects the real
+    // server flag without a separate fetch.
+    $effect(() => {
+        authConfig.seed(data.authConfig);
+    });
+
    onMount(() => {
        theme.init();
        preferences.init();
        if (!session.loaded) session.refresh();
-        if (!authConfig.loaded) authConfig.load();

        // Publish the header's measured height as a CSS custom
        // property so sticky descendants (e.g. the reader nav) can
--- a/frontend/src/routes/+layout.ts
+++ b/frontend/src/routes/+layout.ts
@@ -0,0 +1,41 @@
+// Universal root load. Surfaces /auth/config to every page so the
+// navbar + layout can render without an extra round-trip, and — when
+// the backend reports PRIVATE_MODE=true — bounces anonymous visitors
+// to /login before any page-specific load fires. The backend
+// middleware is still the source of truth for the gate; this just
+// matches the UX so users don't see a page full of failed fetches.
+import type { LayoutLoad } from './$types';
+import { redirect } from '@sveltejs/kit';
+import { getAuthConfig, me, type AuthConfig } from '$lib/api/auth';
+
+// Paths reachable anonymously even when private_mode is on. /login is
+// the entry point of the auth flow; everything else (including
+// /register, which is force-blocked in private mode) bounces.
+const PRIVATE_MODE_BYPASS = new Set(['/login']);
+
+const PUBLIC_DEFAULTS: AuthConfig = {
+    self_register_enabled: true,
+    private_mode: false
+};
+
+export const load: LayoutLoad = async ({ url }) => {
+    let authConfig: AuthConfig = PUBLIC_DEFAULTS;
+    try {
+        authConfig = await getAuthConfig();
+    } catch {
+        // Fail-soft: keep the optimistic public-mode defaults so a
+        // backend hiccup doesn't lock anyone out of the login page.
+        // No private data can leak through here — the backend
+        // middleware is still authoritative for the gate.
+    }
+
+    if (authConfig.private_mode && !PRIVATE_MODE_BYPASS.has(url.pathname)) {
+        const user = await me().catch(() => null);
+        if (!user) {
+            const next = url.pathname + url.search;
+            redirect(302, `/login?next=${encodeURIComponent(next)}`);
+        }
+    }
+
+    return { authConfig };
+};
--- a/frontend/src/routes/layout.test.ts
+++ b/frontend/src/routes/layout.test.ts
@@ -0,0 +1,113 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// Mock the API client *before* importing the load function so the
+// module under test picks up the mock when it resolves its imports.
+vi.mock('$lib/api/auth', () => ({
+    getAuthConfig: vi.fn(),
+    me: vi.fn()
+}));
+
+import { load } from './+layout';
+import { getAuthConfig, me, type AuthConfig } from '$lib/api/auth';
+
+type MinimalLoadEvent = { url: { pathname: string; search: string } };
+
+function event(pathname: string, search = ''): MinimalLoadEvent {
+    return { url: { pathname, search } };
+}
+
+// `LayoutLoad`'s declared return type is `void | …`. Our `load`
+// always returns `{ authConfig }`, but TypeScript can't narrow on
+// that at the call site. Wrap to remove the `void` arm so the
+// assertions stay terse.
+async function callLoad(ev: MinimalLoadEvent): Promise<{ authConfig: AuthConfig }> {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const result = await load(ev as any);
+    return result as { authConfig: AuthConfig };
+}
+
+const PUBLIC_CFG = { self_register_enabled: true, private_mode: false };
+const PRIVATE_CFG = { self_register_enabled: false, private_mode: true };
+
+const aliceUser = {
+    id: 'u1',
+    username: 'alice',
+    created_at: '2026-01-01T00:00:00Z',
+    is_admin: false
+};
+
+describe('root +layout load', () => {
+    beforeEach(() => {
+        vi.mocked(getAuthConfig).mockReset();
+        vi.mocked(me).mockReset();
+    });
+
+    it('public mode: returns authConfig data, never calls me()', async () => {
+        vi.mocked(getAuthConfig).mockResolvedValue(PUBLIC_CFG);
+        const data = await callLoad(event('/'));
+        expect(data.authConfig).toEqual(PUBLIC_CFG);
+        expect(me).not.toHaveBeenCalled();
+    });
+
+    it('private mode + anonymous on `/`: throws redirect(302) to /login with next=', async () => {
+        vi.mocked(getAuthConfig).mockResolvedValue(PRIVATE_CFG);
+        vi.mocked(me).mockResolvedValue(null);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await expect(load(event('/') as any)).rejects.toMatchObject({
+            status: 302,
+            location: '/login?next=%2F'
+        });
+    });
+
+    it('private mode + anonymous on `/login`: passes through without redirect', async () => {
+        vi.mocked(getAuthConfig).mockResolvedValue(PRIVATE_CFG);
+        const data = await callLoad(event('/login'));
+        expect(data.authConfig.private_mode).toBe(true);
+        // me() must not run on the login page itself, otherwise anonymous
+        // visits make an extra round-trip every page load.
+        expect(me).not.toHaveBeenCalled();
+    });
+
+    it('private mode + logged-in user: no redirect, returns authConfig', async () => {
+        vi.mocked(getAuthConfig).mockResolvedValue(PRIVATE_CFG);
+        vi.mocked(me).mockResolvedValue(aliceUser);
+        const data = await callLoad(event('/'));
+        expect(data.authConfig).toEqual(PRIVATE_CFG);
+    });
+
+    it('private mode + anonymous: preserves pathname AND search in next=', async () => {
+        vi.mocked(getAuthConfig).mockResolvedValue(PRIVATE_CFG);
+        vi.mocked(me).mockResolvedValue(null);
+        await expect(
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            load(event('/manga/abc', '?page=3') as any)
+        ).rejects.toMatchObject({
+            status: 302,
+            location: '/login?next=%2Fmanga%2Fabc%3Fpage%3D3'
+        });
+    });
+
+    it('private mode + anonymous on /register: redirects to /login (register is never reachable in private mode)', async () => {
+        vi.mocked(getAuthConfig).mockResolvedValue(PRIVATE_CFG);
+        vi.mocked(me).mockResolvedValue(null);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await expect(load(event('/register') as any)).rejects.toMatchObject({
+            status: 302,
+            location: '/login?next=%2Fregister'
+        });
+    });
+
+    it('getAuthConfig failure: falls back to public-mode defaults, no redirect', async () => {
+        // The backend middleware is the source of truth for the gate;
+        // if the config probe blips, fail soft so a brief outage doesn't
+        // lock everyone out of even the login page. No private data
+        // can leak because the backend still 401s every request.
+        vi.mocked(getAuthConfig).mockRejectedValue(new Error('network'));
+        const data = await callLoad(event('/'));
+        expect(data.authConfig).toEqual({
+            self_register_enabled: true,
+            private_mode: false
+        });
+        expect(me).not.toHaveBeenCalled();
+    });
+});
Author	SHA1	Message	Date
MechaCat02	e50fc093c3	feat: add PRIVATE_MODE site-wide auth gate (0.48.0) When `PRIVATE_MODE=true`, every API path except a small allowlist (`/health`, `/auth/{config,login,logout,register}`) requires a valid session cookie or bearer token — anonymous reads are rejected with 401. Self-registration is force-disabled in private mode regardless of `ALLOW_SELF_REGISTER`, so a locked-down instance flips with a single switch (admins still mint accounts via `POST /admin/users`). The backend gate is a tower middleware that reuses the existing `CurrentUser` extractor, so the cookie + bearer paths cannot drift from per-handler auth. `/auth/config` now exposes the flag plus the effective `self_register_enabled` value so the frontend can render the navbar correctly on the first paint. On the frontend, a new universal root `+layout.ts` fetches the config and redirects anonymous visitors to `/login?next=<path>` before page-specific loads fire. The redirect is UX only — the backend middleware is the source of truth, so crafted requests still 401. Defaults stay public (`PRIVATE_MODE=false`); existing deployments need no env change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-01 20:11:22 +02:00
MechaCat02	72756cfef2	feat(crawler): honour CRAWLER_LIMIT in the in-process daemon (0.47.0) The CLI binary already capped runs at CRAWLER_LIMIT mangas, but the daemon's RealMetadataPass passed a hardcoded `0` (no cap) to `pipeline::run_metadata_pass`, so the env var was silently ignored once the daemon took over the metadata pass. Adds `manga_limit` to `CrawlerConfig`, reads it from `CRAWLER_LIMIT` (default 0 = no cap), and threads it through `RealMetadataPass::run` so a daemon-driven sweep stops at the same boundary as a CLI run. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-01 20:07:01 +02:00
MechaCat02	4e20350645	fix(crawler): translate socks5h:// → socks5:// for Chromium --proxy-server All checks were successful deploy / test-backend (push) Successful in 19m30s Details deploy / test-frontend (push) Successful in 9m42s Details deploy / build-and-push (push) Successful in 8m10s Details deploy / deploy (push) Successful in 15s Details Chromium doesn't know the socks5h scheme (curl/reqwest convention) and bails navigations with ERR_NO_SUPPORTED_PROXIES. It does, however, send destination hostnames over SOCKS5 by default, so stripping the `h` is a pure scheme rename — remote-DNS behaviour is preserved. reqwest keeps the user's original CRAWLER_PROXY string (`socks5h://...` remains valid and meaningful for it). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-31 20:56:45 +02:00
MechaCat02	713ca139c4	feat(deploy): add optional tor service to dev compose for native-backend dev Mirrors the prod tor service but with 127.0.0.1-only host port bindings so a `cargo run` on the host can reach 127.0.0.1:9050 / 9051. Default password baked in (overridable via TOR_CONTROL_PASSWORD env) since host-loopback is the only exposure surface — same friction-free posture as the postgres entry in this file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-31 20:56:45 +02:00