feat: add scan status and cover art endpoints

Track scanner status for the web API and Subsonic-compatible scan endpoints, add authenticated cover art serving, and wire album artwork into the web UI. Keep Subsonic auth limited to legacy password mode for now so behavior stays honest with the current bcrypt-based user storage.
2026-04-02 22:37:10 +03:00
parent 46c2c3fb28
commit f8880aa9a4
9 changed files with 394 additions and 23 deletions
--- a/internal/auth/service.go
+++ b/internal/auth/service.go
@@ -107,6 +107,40 @@ func (s *Service) CurrentUserByToken(ctx context.Context, token string) (User, e
 	return user, nil
 }

+func (s *Service) CurrentUserBySubsonicAuth(ctx context.Context, username, password, token, salt string) (User, error) {
+	if username == "" {
+		return User{}, ErrUnauthorized
+	}
+
+	user, passwordHash, err := s.findUserByUsername(ctx, username)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return User{}, ErrUnauthorized
+		}
+		return User{}, fmt.Errorf("find user by username: %w", err)
+	}
+
+	if token != "" || salt != "" {
+		// We only support legacy `p` auth right now because password hashes are stored using bcrypt
+		// and cannot be converted back into the plain password needed for Subsonic token auth.
+		return User{}, ErrUnauthorized
+	}
+
+	if strings.HasPrefix(password, "enc:") {
+		decoded, err := hex.DecodeString(strings.TrimPrefix(password, "enc:"))
+		if err != nil {
+			return User{}, ErrUnauthorized
+		}
+		password = string(decoded)
+	}
+
+	if err := bcrypt.CompareHashAndPassword([]byte(passwordHash), []byte(password)); err != nil {
+		return User{}, ErrUnauthorized
+	}
+
+	return user, nil
+}
+
 func (s *Service) findUserByUsername(ctx context.Context, username string) (User, string, error) {
 	var user User
 	var passwordHash string