Merge bbe8fe164df8ba915d1cba17da9871c2fe435a53 into e36fef869278ec75f7a8b5e9c51ac02ab600de71

fix: retry insights collection when no admin user available (#4746 )
Previously, the insights collector would only try to get an admin user once at startup. If no admin user existed (e.g., fresh database before first user registration), insights collection would silently fail forever. This change moves the admin context creation inside the collection loop so it retries on each interval. It also updates log messages in WithAdminUser to remove the Scanner prefix since this function is now used by other components. Signed-off-by: Deluan <deluan@navidrome.org>
2026-05-03 06:51:16 +00:00 · 2025-11-29 12:57:20 +08:00 · 2025-11-28 19:38:28 -05:00 · 2025-11-28 17:08:34 -05:00 · 2025-11-28 16:11:13 -05:00 · 2025-11-28 08:52:26 -05:00
15 changed files with 625 additions and 64 deletions
--- a/core/auth/auth.go
+++ b/core/auth/auth.go
@ -113,9 +113,9 @@ func WithAdminUser(ctx context.Context, ds model.DataStore) context.Context {
 	if err != nil {
 		c, err := ds.User(ctx).CountAll()
 		if c == 0 && err == nil {
-			log.Debug(ctx, "Scanner: No admin user yet!", err)
+			log.Debug(ctx, "No admin user yet!", err)
 		} else {
-			log.Error(ctx, "Scanner: No admin user found!", err)
+			log.Error(ctx, "No admin user found!", err)
 		}
 		u = &model.User{}
 	}
--- a/core/media_streamer.go
+++ b/core/media_streamer.go
@ -130,58 +130,99 @@ func (s *Stream) EstimatedContentLength() int {
 	return int(s.mf.Duration * float32(s.bitRate) / 8 * 1024)
 }

-// TODO This function deserves some love (refactoring)
 func selectTranscodingOptions(ctx context.Context, ds model.DataStore, mf *model.MediaFile, reqFormat string, reqBitRate int) (format string, bitRate int) {
+	// Default case
 	format = "raw"
+	bitRate = 0
+
+	// If the client explicitly requests "raw"
+	// then always serve the original
 	if reqFormat == "raw" {
+		return format, bitRate
+	}
+
+	// If requested format matches the file’s suffix and
+	// no bitrate reduction is requested then
+	// stream the file without transcoding
+	if reqFormat == mf.Suffix && reqBitRate == 0 {
+		return format, mf.BitRate
+	}
+
+	targetFormat, targetBitRate := findTargetTranscodingOptions(ctx, mf, reqFormat, reqBitRate)
+
+	// If nothing was found then stream raw
+	if targetFormat == "" && targetBitRate == 0 {
 		return format, 0
 	}
-	if reqFormat == mf.Suffix && reqBitRate == 0 {
-		bitRate = mf.BitRate
-		return format, bitRate
+
+	t, err := ds.Transcoding(ctx).FindByFormat(targetFormat)
+	if err != nil {
+		// TODO: log error?
+		return format, 0
 	}
-	trc, hasDefault := request.TranscodingFrom(ctx)
-	var cFormat string
-	var cBitRate int
-	if reqFormat != "" {
-		cFormat = reqFormat
+
+	format = t.TargetFormat
+
+	// If no target bitrate was specified
+	// fall back to the transcoding’s configuration
+	// default bitrate
+	if targetBitRate == 0 {
+		bitRate = t.DefaultBitRate
 	} else {
-		if hasDefault {
-			cFormat = trc.TargetFormat
-			cBitRate = trc.DefaultBitRate
-			if p, ok := request.PlayerFrom(ctx); ok {
-				cBitRate = p.MaxBitRate
-			}
-		} else if reqBitRate > 0 && reqBitRate < mf.BitRate && conf.Server.DefaultDownsamplingFormat != "" {
-			// If no format is specified and no transcoding associated to the player, but a bitrate is specified,
-			// and there is no transcoding set for the player, we use the default downsampling format.
-			// But only if the requested bitRate is lower than the original bitRate.
-			log.Debug("Default Downsampling", "Using default downsampling format", conf.Server.DefaultDownsamplingFormat)
-			cFormat = conf.Server.DefaultDownsamplingFormat
-		}
-	}
-	if reqBitRate > 0 {
-		cBitRate = reqBitRate
-	}
-	if cBitRate == 0 && cFormat == "" {
-		return format, bitRate
-	}
-	t, err := ds.Transcoding(ctx).FindByFormat(cFormat)
-	if err == nil {
-		format = t.TargetFormat
-		if cBitRate != 0 {
-			bitRate = cBitRate
-		} else {
-			bitRate = t.DefaultBitRate
-		}
+		bitRate = targetBitRate
 	}
+
+	// If the final format is the same as the original
+	// and does not reduce bitrate
+	// there’s no reason to transcode
 	if format == mf.Suffix && bitRate >= mf.BitRate {
-		format = "raw"
-		bitRate = 0
+		return "raw", 0
 	}
+
 	return format, bitRate
 }

+func findTargetTranscodingOptions(ctx context.Context, mf *model.MediaFile, reqFormat string, reqBitRate int) (string, int) {
+	// If a format is requested use that
+	if reqFormat != "" {
+		return reqFormat, reqBitRate
+	}
+
+	// If a default transcoding configuration exists for this context
+	if trc, ok := request.TranscodingFrom(ctx); ok {
+		targetFormat := trc.TargetFormat
+		targetBitRate := trc.DefaultBitRate
+
+		// If a player is configured adjust bitrate based on
+		// user request or player limits
+		if p, hasPlayer := request.PlayerFrom(ctx); hasPlayer {
+			if reqBitRate > 0 {
+				targetBitRate = reqBitRate
+			} else if p.MaxBitRate > 0 {
+				targetBitRate = p.MaxBitRate
+			}
+		} else if reqBitRate > 0 {
+			targetBitRate = reqBitRate
+		}
+
+		return targetFormat, targetBitRate
+	}
+
+	// Use the default downsampling format the server is configured to but
+	// only if the requested bitrate is reduced
+	isBitrateReduced := reqBitRate > 0 && reqBitRate < mf.BitRate
+	hasDefaultDownsamplingFormat := conf.Server.DefaultDownsamplingFormat != ""
+
+	if isBitrateReduced && hasDefaultDownsamplingFormat {
+		log.Debug("Default Downsampling",
+			"Using default downsampling format",
+			conf.Server.DefaultDownsamplingFormat)
+		return conf.Server.DefaultDownsamplingFormat, reqBitRate
+	}
+
+	return "", 0
+}
+
 var (
 	onceTranscodingCache     sync.Once
 	instanceTranscodingCache TranscodingCache
--- a/core/metrics/insights.go
+++ b/core/metrics/insights.go
@ -22,6 +22,7 @@ import (
 	"github.com/navidrome/navidrome/core/metrics/insights"
 	"github.com/navidrome/navidrome/log"
 	"github.com/navidrome/navidrome/model"
+	"github.com/navidrome/navidrome/model/request"
 	"github.com/navidrome/navidrome/plugins/schema"
 	"github.com/navidrome/navidrome/utils/singleton"
 )
@ -64,9 +65,16 @@ func GetInstance(ds model.DataStore, pluginLoader PluginLoader) Insights {
 }

 func (c *insightsCollector) Run(ctx context.Context) {
-	ctx = auth.WithAdminUser(ctx, c.ds)
 	for {
-		c.sendInsights(ctx)
+		// Refresh admin context on each iteration to handle cases where
+		// admin user wasn't available on previous runs
+		insightsCtx := auth.WithAdminUser(ctx, c.ds)
+		u, _ := request.UserFrom(insightsCtx)
+		if !u.IsAdmin {
+			log.Trace(insightsCtx, "No admin user available, skipping insights collection")
+		} else {
+			c.sendInsights(insightsCtx)
+		}
 		select {
 		case <-time.After(consts.InsightsUpdateInterval):
 			continue
--- a/persistence/playlist_repository.go
+++ b/persistence/playlist_repository.go
@ -264,6 +264,11 @@ func (r *playlistRepository) refreshSmartPlaylist(pls *model.Playlist) bool {
 		"annotation.item_id = media_file.id" +
 		" AND annotation.item_type = 'media_file'" +
 		" AND annotation.user_id = '" + usr.ID + "')")
+
+	// Only include media files from libraries the user has access to
+	sq = r.applyLibraryFilter(sq, "media_file")
+
+	// Apply the criteria rules
 	sq = r.addCriteria(sq, rules)
 	insSql := Insert("playlist_tracks").Columns("id", "playlist_id", "media_file_id").Select(sq)
 	_, err = r.executeSQL(insSql)
--- a/persistence/playlist_repository_test.go
+++ b/persistence/playlist_repository_test.go
@ -366,4 +366,136 @@ var _ = Describe("PlaylistRepository", func() {
 			Expect(foundWithoutGrouping).To(BeTrue())
 		})
 	})
+
+	Describe("Smart Playlists Library Filtering", func() {
+		var mfRepo model.MediaFileRepository
+		var testPlaylistID string
+		var lib2ID int
+		var restrictedUserID string
+		var uniqueLibPath string
+
+		BeforeEach(func() {
+			db := GetDBXBuilder()
+
+			// Generate unique IDs for this test run
+			uniqueSuffix := time.Now().Format("20060102150405.000")
+			restrictedUserID = "restricted-user-" + uniqueSuffix
+			uniqueLibPath = "/music/lib2-" + uniqueSuffix
+
+			// Create a second library with unique name and path to avoid conflicts with other tests
+			_, err := db.DB().Exec("INSERT INTO library (name, path, created_at, updated_at) VALUES (?, ?, datetime('now'), datetime('now'))", "Library 2-"+uniqueSuffix, uniqueLibPath)
+			Expect(err).ToNot(HaveOccurred())
+			err = db.DB().QueryRow("SELECT last_insert_rowid()").Scan(&lib2ID)
+			Expect(err).ToNot(HaveOccurred())
+
+			// Create a restricted user with access only to library 1
+			_, err = db.DB().Exec("INSERT INTO user (id, user_name, name, is_admin, password, created_at, updated_at) VALUES (?, ?, 'Restricted User', false, 'pass', datetime('now'), datetime('now'))", restrictedUserID, restrictedUserID)
+			Expect(err).ToNot(HaveOccurred())
+			_, err = db.DB().Exec("INSERT INTO user_library (user_id, library_id) VALUES (?, 1)", restrictedUserID)
+			Expect(err).ToNot(HaveOccurred())
+
+			// Create test media files in each library
+			ctx := log.NewContext(GinkgoT().Context())
+			ctx = request.WithUser(ctx, model.User{ID: "userid", UserName: "userid", IsAdmin: true})
+			mfRepo = NewMediaFileRepository(ctx, db)
+
+			// Song in library 1 (accessible by restricted user)
+			songLib1 := model.MediaFile{
+				ID:           "lib1-song",
+				Title:        "Song in Lib1",
+				Artist:       "Test Artist",
+				ArtistID:     "1",
+				Album:        "Test Album",
+				AlbumID:      "101",
+				Path:         "/music/lib1/song.mp3",
+				LibraryID:    1,
+				Participants: model.Participants{},
+				Tags:         model.Tags{},
+				Lyrics:       "[]",
+			}
+			Expect(mfRepo.Put(&songLib1)).To(Succeed())
+
+			// Song in library 2 (NOT accessible by restricted user)
+			songLib2 := model.MediaFile{
+				ID:           "lib2-song",
+				Title:        "Song in Lib2",
+				Artist:       "Test Artist",
+				ArtistID:     "1",
+				Album:        "Test Album",
+				AlbumID:      "101",
+				Path:         uniqueLibPath + "/song.mp3",
+				LibraryID:    lib2ID,
+				Participants: model.Participants{},
+				Tags:         model.Tags{},
+				Lyrics:       "[]",
+			}
+			Expect(mfRepo.Put(&songLib2)).To(Succeed())
+		})
+
+		AfterEach(func() {
+			db := GetDBXBuilder()
+			if testPlaylistID != "" {
+				_ = repo.Delete(testPlaylistID)
+				testPlaylistID = ""
+			}
+			// Clean up test data
+			_, _ = db.Delete("media_file", dbx.HashExp{"id": "lib1-song"}).Execute()
+			_, _ = db.Delete("media_file", dbx.HashExp{"id": "lib2-song"}).Execute()
+			_, _ = db.Delete("user_library", dbx.HashExp{"user_id": restrictedUserID}).Execute()
+			_, _ = db.Delete("user", dbx.HashExp{"id": restrictedUserID}).Execute()
+			_, _ = db.DB().Exec("DELETE FROM library WHERE id = ?", lib2ID)
+		})
+
+		It("should only include tracks from libraries the user has access to (issue #4738)", func() {
+			db := GetDBXBuilder()
+			ctx := log.NewContext(GinkgoT().Context())
+
+			// Create the smart playlist as the restricted user
+			restrictedUser := model.User{ID: restrictedUserID, UserName: restrictedUserID, IsAdmin: false}
+			ctx = request.WithUser(ctx, restrictedUser)
+			restrictedRepo := NewPlaylistRepository(ctx, db)
+
+			// Create a smart playlist that matches all songs
+			rules := &criteria.Criteria{
+				Expression: criteria.All{
+					criteria.Gt{"playCount": -1}, // Matches everything
+				},
+			}
+			newPls := model.Playlist{Name: "All Songs", OwnerID: restrictedUserID, Rules: rules}
+			Expect(restrictedRepo.Put(&newPls)).To(Succeed())
+			testPlaylistID = newPls.ID
+
+			By("refreshing the smart playlist")
+			conf.Server.SmartPlaylistRefreshDelay = -1 * time.Second // Force refresh
+			pls, err := restrictedRepo.GetWithTracks(newPls.ID, true, false)
+			Expect(err).ToNot(HaveOccurred())
+
+			By("verifying only the track from library 1 is in the playlist")
+			var foundLib1Song, foundLib2Song bool
+			for _, track := range pls.Tracks {
+				if track.MediaFileID == "lib1-song" {
+					foundLib1Song = true
+				}
+				if track.MediaFileID == "lib2-song" {
+					foundLib2Song = true
+				}
+			}
+			Expect(foundLib1Song).To(BeTrue(), "Song from library 1 should be in the playlist")
+			Expect(foundLib2Song).To(BeFalse(), "Song from library 2 should NOT be in the playlist")
+
+			By("verifying playlist_tracks table only contains the accessible track")
+			var playlistTracksCount int
+			err = db.DB().QueryRow("SELECT count(*) FROM playlist_tracks WHERE playlist_id = ?", newPls.ID).Scan(&playlistTracksCount)
+			Expect(err).ToNot(HaveOccurred())
+			// Count should only include tracks visible to the user (lib1-song)
+			// The count may include other test songs from library 1, but NOT lib2-song
+			var lib2TrackCount int
+			err = db.DB().QueryRow("SELECT count(*) FROM playlist_tracks WHERE playlist_id = ? AND media_file_id = 'lib2-song'", newPls.ID).Scan(&lib2TrackCount)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(lib2TrackCount).To(Equal(0), "lib2-song should not be in playlist_tracks")
+
+			By("verifying SongCount matches visible tracks")
+			Expect(pls.SongCount).To(Equal(len(pls.Tracks)), "SongCount should match the number of visible tracks")
+		})
+	})
 })
--- a/persistence/tag_library_filtering_test.go
+++ b/persistence/tag_library_filtering_test.go
@ -2,6 +2,7 @@ package persistence

 import (
 	"context"
+	"time"

 	"github.com/deluan/rest"
 	"github.com/navidrome/navidrome/conf/configtest"
@ -45,6 +46,9 @@ var _ = Describe("Tag Library Filtering", func() {
 	BeforeEach(func() {
 		DeferCleanup(configtest.SetupConfig())

+		// Generate unique path suffix to avoid conflicts with other tests
+		uniqueSuffix := time.Now().Format("20060102150405.000")
+
 		// Clean up database
 		db := GetDBXBuilder()
 		_, err := db.NewQuery("DELETE FROM library_tag").Execute()
@ -57,12 +61,12 @@ var _ = Describe("Tag Library Filtering", func() {
 		_, err = db.NewQuery("DELETE FROM library WHERE id > 1").Execute()
 		Expect(err).ToNot(HaveOccurred())

-		// Create test libraries
+		// Create test libraries with unique names and paths to avoid conflicts with other tests
 		_, err = db.NewQuery("INSERT INTO library (id, name, path) VALUES ({:id}, {:name}, {:path})").
-			Bind(dbx.Params{"id": libraryID2, "name": "Library 2", "path": "/music/lib2"}).Execute()
+			Bind(dbx.Params{"id": libraryID2, "name": "Library 2-" + uniqueSuffix, "path": "/music/lib2-" + uniqueSuffix}).Execute()
 		Expect(err).ToNot(HaveOccurred())
 		_, err = db.NewQuery("INSERT INTO library (id, name, path) VALUES ({:id}, {:name}, {:path})").
-			Bind(dbx.Params{"id": libraryID3, "name": "Library 3", "path": "/music/lib3"}).Execute()
+			Bind(dbx.Params{"id": libraryID3, "name": "Library 3-" + uniqueSuffix, "path": "/music/lib3-" + uniqueSuffix}).Execute()
 		Expect(err).ToNot(HaveOccurred())

 		// Give admin access to all libraries
--- a/server/server.go
+++ b/server/server.go
@ -1,8 +1,11 @@
 package server

 import (
+	"bytes"
 	"cmp"
 	"context"
+	"crypto/tls"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net"
@ -69,6 +72,13 @@ func (s *Server) Run(ctx context.Context, addr string, port int, tlsCert string,
 	// Determine if TLS is enabled
 	tlsEnabled := tlsCert != "" && tlsKey != ""

+	// Validate TLS certificates before starting the server
+	if tlsEnabled {
+		if err := validateTLSCertificates(tlsCert, tlsKey); err != nil {
+			return err
+		}
+	}
+
 	// Create a listener based on the address type (either Unix socket or TCP)
 	var listener net.Listener
 	var err error
@ -89,17 +99,17 @@ func (s *Server) Run(ctx context.Context, addr string, port int, tlsCert string,
 	// Start the server in a new goroutine and send an error signal to errC if there's an error
 	errC := make(chan error)
 	go func() {
+		var err error
 		if tlsEnabled {
 			// Start the HTTPS server
 			log.Info("Starting server with TLS (HTTPS) enabled", "tlsCert", tlsCert, "tlsKey", tlsKey)
-			if err := server.ServeTLS(listener, tlsCert, tlsKey); !errors.Is(err, http.ErrServerClosed) {
-				errC <- err
-			}
+			err = server.ServeTLS(listener, tlsCert, tlsKey)
 		} else {
 			// Start the HTTP server
-			if err := server.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
-				errC <- err
-			}
+			err = server.Serve(listener)
+		}
+		if !errors.Is(err, http.ErrServerClosed) {
+			errC <- err
 		}
 	}()

@ -249,3 +259,56 @@ func AbsoluteURL(r *http.Request, u string, params url.Values) string {
 	}
 	return buildUrl.String()
 }
+
+// validateTLSCertificates validates the TLS certificate and key files before starting the server.
+// It provides detailed error messages for common issues like encrypted private keys.
+func validateTLSCertificates(certFile, keyFile string) error {
+	// Read the key file to check for encryption
+	keyData, err := os.ReadFile(keyFile)
+	if err != nil {
+		return fmt.Errorf("reading TLS key file: %w", err)
+	}
+
+	// Parse PEM blocks and check for encryption
+	block, _ := pem.Decode(keyData)
+	if block == nil {
+		return errors.New("TLS key file does not contain a valid PEM block")
+	}
+
+	// Check for encrypted private key indicators
+	if isEncryptedPEM(block, keyData) {
+		return errors.New("TLS private key is encrypted (password-protected). " +
+			"Navidrome does not support encrypted private keys. " +
+			"Please decrypt your key using: openssl pkey -in <encrypted-key> -out <decrypted-key>")
+	}
+
+	// Try to load the certificate pair to validate it
+	_, err = tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return fmt.Errorf("loading TLS certificate/key pair: %w", err)
+	}
+
+	return nil
+}
+
+// isEncryptedPEM checks if a PEM block represents an encrypted private key.
+func isEncryptedPEM(block *pem.Block, rawData []byte) bool {
+	// Check for PKCS#8 encrypted format (BEGIN ENCRYPTED PRIVATE KEY)
+	if block.Type == "ENCRYPTED PRIVATE KEY" {
+		return true
+	}
+
+	// Check for legacy encrypted format with Proc-Type header
+	if block.Headers != nil {
+		if procType, ok := block.Headers["Proc-Type"]; ok && strings.Contains(procType, "ENCRYPTED") {
+			return true
+		}
+	}
+
+	// Also check raw data for DEK-Info header (in case pem.Decode doesn't parse headers correctly)
+	if bytes.Contains(rawData, []byte("DEK-Info:")) || bytes.Contains(rawData, []byte("Proc-Type: 4,ENCRYPTED")) {
+		return true
+	}
+
+	return false
+}
--- a/server/server_test.go
+++ b/server/server_test.go
@ -1,13 +1,20 @@
 package server

 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
 	"io/fs"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
+	"time"

 	"github.com/navidrome/navidrome/conf"
+	"github.com/navidrome/navidrome/conf/configtest"
+	"github.com/navidrome/navidrome/tests"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
@ -107,3 +114,146 @@ var _ = Describe("createUnixSocketFile", func() {
 		})
 	})
 })
+
+var _ = Describe("TLS support", func() {
+	Describe("validateTLSCertificates", func() {
+		const testDataDir = "server/testdata"
+
+		When("certificate and key are valid and unencrypted", func() {
+			It("returns nil", func() {
+				certFile := filepath.Join(testDataDir, "test_cert.pem")
+				keyFile := filepath.Join(testDataDir, "test_key.pem")
+				err := validateTLSCertificates(certFile, keyFile)
+				Expect(err).ToNot(HaveOccurred())
+			})
+		})
+
+		When("private key is encrypted with PKCS#8 format", func() {
+			It("returns an error with helpful message", func() {
+				certFile := filepath.Join(testDataDir, "test_cert_encrypted.pem")
+				keyFile := filepath.Join(testDataDir, "test_key_encrypted.pem")
+				err := validateTLSCertificates(certFile, keyFile)
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(ContainSubstring("encrypted"))
+				Expect(err.Error()).To(ContainSubstring("openssl"))
+			})
+		})
+
+		When("private key is encrypted with legacy format (Proc-Type header)", func() {
+			It("returns an error with helpful message", func() {
+				certFile := filepath.Join(testDataDir, "test_cert.pem")
+				keyFile := filepath.Join(testDataDir, "test_key_encrypted_legacy.pem")
+				err := validateTLSCertificates(certFile, keyFile)
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(ContainSubstring("encrypted"))
+				Expect(err.Error()).To(ContainSubstring("openssl"))
+			})
+		})
+
+		When("key file does not exist", func() {
+			It("returns an error", func() {
+				certFile := filepath.Join(testDataDir, "test_cert.pem")
+				keyFile := filepath.Join(testDataDir, "nonexistent.pem")
+				err := validateTLSCertificates(certFile, keyFile)
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(ContainSubstring("reading TLS key file"))
+			})
+		})
+
+		When("key file does not contain valid PEM", func() {
+			It("returns an error", func() {
+				// Create a temp file with invalid PEM content
+				tmpFile, err := os.CreateTemp("", "invalid_key*.pem")
+				Expect(err).ToNot(HaveOccurred())
+				DeferCleanup(func() {
+					_ = os.Remove(tmpFile.Name())
+				})
+				_, err = tmpFile.WriteString("not a valid PEM file")
+				Expect(err).ToNot(HaveOccurred())
+				_ = tmpFile.Close()
+
+				certFile := filepath.Join(testDataDir, "test_cert.pem")
+				err = validateTLSCertificates(certFile, tmpFile.Name())
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(ContainSubstring("valid PEM block"))
+			})
+		})
+
+		When("certificate file does not exist", func() {
+			It("returns an error from tls.LoadX509KeyPair", func() {
+				certFile := filepath.Join(testDataDir, "nonexistent_cert.pem")
+				keyFile := filepath.Join(testDataDir, "test_key.pem")
+				err := validateTLSCertificates(certFile, keyFile)
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(ContainSubstring("loading TLS certificate/key pair"))
+			})
+		})
+	})
+
+	Describe("Server TLS", func() {
+		const testDataDir = "server/testdata"
+
+		When("server is started with valid TLS certificates", func() {
+			It("accepts HTTPS connections", func() {
+				DeferCleanup(configtest.SetupConfig())
+
+				// Create server with mock dependencies
+				ds := &tests.MockDataStore{}
+				server := New(ds, nil, nil)
+
+				// Load the test certificate to create a trusted CA pool
+				certFile := filepath.Join(testDataDir, "test_cert.pem")
+				keyFile := filepath.Join(testDataDir, "test_key.pem")
+				caCert, err := os.ReadFile(certFile)
+				Expect(err).ToNot(HaveOccurred())
+
+				caCertPool := x509.NewCertPool()
+				caCertPool.AppendCertsFromPEM(caCert)
+
+				// Create an HTTPS client that trusts our test certificate
+				httpClient := &http.Client{
+					Timeout: 5 * time.Second,
+					Transport: &http.Transport{
+						TLSClientConfig: &tls.Config{
+							RootCAs:    caCertPool,
+							MinVersion: tls.VersionTLS12,
+						},
+					},
+				}
+
+				// Start the server in a goroutine
+				ctx, cancel := context.WithCancel(GinkgoT().Context())
+				defer cancel()
+
+				errChan := make(chan error, 1)
+				go func() {
+					errChan <- server.Run(ctx, "127.0.0.1", 14534, certFile, keyFile)
+				}()
+
+				Eventually(func() error {
+					// Make an HTTPS request to the server
+					resp, err := httpClient.Get("https://127.0.0.1:14534/ping")
+					if err != nil {
+						return err
+					}
+					defer resp.Body.Close()
+					if resp.StatusCode != http.StatusOK {
+						return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+					}
+					return nil
+				}, 2*time.Second, 100*time.Millisecond).Should(Succeed())
+
+				// Stop the server
+				cancel()
+
+				// Wait for server to stop (with timeout)
+				select {
+				case <-errChan:
+					// Server stopped
+				case <-time.After(2 * time.Second):
+					Fail("Server did not stop in time")
+				}
+			})
+		})
+	})
+})
--- a/server/testdata/test_cert.pem
+++ b/server/testdata/test_cert.pem
@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIUXqdUxUOo8kmsDe71iTR+Vr7btP8wDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAcMBFRlc3Qx
+EjAQBgNVBAoMCU5hdmlkcm9tZTENMAsGA1UECwwEVGVzdDESMBAGA1UEAwwJbG9j
+YWxob3N0MCAXDTI1MTEyODE5NTkxNVoYDzIxMjUxMTA0MTk1OTE1WjBiMQswCQYD
+VQQGEwJVUzENMAsGA1UECAwEVGVzdDENMAsGA1UEBwwEVGVzdDESMBAGA1UECgwJ
+TmF2aWRyb21lMQ0wCwYDVQQLDARUZXN0MRIwEAYDVQQDDAlsb2NhbGhvc3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkB/TQgl5ei5KRSHt5OJim8rKS
+MzRlkK4BjSEM4D9ESbebdpEVjX48QuBYACrCvgvVp7mQGF5anl8Hm89trvd8ooVQ
+x9IPQQ6gRKM+4gLrt9FHvFGGzZQS8UTQXN5oBi11E+8/Vs47HLUNXC2TRtRLCMyK
+LYXQIXbhdp9anImlt+IHUxIQUchK6Zkld/gCm56X1bbzN/Zq91PQLpx2FZ0eZTjN
+KaNgztLa+K/BDnTuk3iTTs9GEp6VCvqQE/6fk/UN/tkk2dLwKIFvPVR/YeAhVdz/
+OHC4L3B36QN3+VQ2yDjsp1PVAPX07UnzXO3Oj7uGYnMQxwprGMEubm3nADDxAgMB
+AAGjbzBtMB0GA1UdDgQWBBRAZHUVuLyzc0CfuZR9ApqMbawIqzAfBgNVHSMEGDAW
+gBRAZHUVuLyzc0CfuZR9ApqMbawIqzAPBgNVHRMBAf8EBTADAQH/MBoGA1UdEQQT
+MBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAmDLXcPx9LNHs
+GxQIE6Q5BXbVO7c8qrWmJf5FK5VWaifNZ9U+IBi+VlB4jCLK/OkwsviN/jOnwRYx
+owjq0QG0YdRT4uD9fEMrAj+EwbnrQYZQvT0yGEWA+KW5TW08wt+/qnGJDwEgbjYJ
+HTdICVMhs/e8Ex48fAgO8WSsdTDekOrhuwzIfeJ1LU4ZptLsD2ePFxuzutdIuW51
+/mspQGsjXqZ1qnLsavLXh/lds2g602rTpYBNZVjV9WiOvaQS8vviOxBN6f+9vgRz
+a8SEbHqBG6jeyVqVZ7MjxcYxaIkxeBwMyMwgb+wwDfVXo2FZzX2TVeB7ZppI+IKv
+TXYurWPYsQ==
+-----END CERTIFICATE-----
--- a/server/testdata/test_cert_encrypted.pem
+++ b/server/testdata/test_cert_encrypted.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIUEa7gEJYwJqYEJjTY7otQ+oUyELwwDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFRlc3QxDTALBgNVBAcMBFRlc3Qx
+EjAQBgNVBAoMCU5hdmlkcm9tZTENMAsGA1UECwwEVGVzdDESMBAGA1UEAwwJbG9j
+YWxob3N0MCAXDTI1MTEyODE5NTI0OVoYDzIxMjUxMTA0MTk1MjQ5WjBiMQswCQYD
+VQQGEwJVUzENMAsGA1UECAwEVGVzdDENMAsGA1UEBwwEVGVzdDESMBAGA1UECgwJ
+TmF2aWRyb21lMQ0wCwYDVQQLDARUZXN0MRIwEAYDVQQDDAlsb2NhbGhvc3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBHgqJ1d9EnNxqoSZ6xXrIz/mV
+Y0nWJW16/qIAvCdovSeTZhG9iqG8dUqcuu2BdD9MMHndJ2oFn3iD8EJR92dH8KBA
+8xOmtZ0BEEWgXPBivywZVd1ChIflEWj6m5wwLNjb57SPpUiwaLxBQB8ByEaAAZE/
+bLqvHI3vW/4s5apky17SPIqmkmqEYlRcg97tlRXsPuwoAVM9cvLMMEqtIR1CB/72
+gboY2Gi2r/plLF/Rg3Dom6QljMWi57XXWJFwGYSXaZuM0gvn04e3oLu+1E+WMoq/
+9rExWij2DlsmXd/RiScliFp6R4H84wQUyqrAUNytvgRO+oVnRjEA0l3oCYdRAgMB
+AAGjUzBRMB0GA1UdDgQWBBQQKpB1UaKm98FnBdl8uKdRscrVTzAfBgNVHSMEGDAW
+gBQQKpB1UaKm98FnBdl8uKdRscrVTzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBP07l+2LmpFtcxqMGmsiNYwFuHpQCxJd4YRZHjLX7O+oJExMgR
+2yP4mpMKurgKOv7unTDLwvjQRa6ZTYJCsYtvC6hbyqlGc7AfNTu6DKz8r35/2/V5
+hPsG5lNb91HhvHE839mLAvpi02LoFH2Sr8BR7s6qxfNKYcP8PUOJQXltJ6yAa8YJ
+syeXQQ3RIyGsJANeaC06S3UdkBM5H5BLfIHnHu3GybJjwL51va4WCdHe8QV6GI0g
+RDiThDVkBSXAr136vnMdlrYCxMoxY56itJ0zbYg2ELQKU9o1w/ZJQo9uvmy9jCoZ
+Hy1L5a2vUDbsdONdvRkYZRHqMpG4bdD8D3j2
+-----END CERTIFICATE-----
--- a/server/testdata/test_key.pem
+++ b/server/testdata/test_key.pem
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCkB/TQgl5ei5KR
+SHt5OJim8rKSMzRlkK4BjSEM4D9ESbebdpEVjX48QuBYACrCvgvVp7mQGF5anl8H
+m89trvd8ooVQx9IPQQ6gRKM+4gLrt9FHvFGGzZQS8UTQXN5oBi11E+8/Vs47HLUN
+XC2TRtRLCMyKLYXQIXbhdp9anImlt+IHUxIQUchK6Zkld/gCm56X1bbzN/Zq91PQ
+Lpx2FZ0eZTjNKaNgztLa+K/BDnTuk3iTTs9GEp6VCvqQE/6fk/UN/tkk2dLwKIFv
+PVR/YeAhVdz/OHC4L3B36QN3+VQ2yDjsp1PVAPX07UnzXO3Oj7uGYnMQxwprGMEu
+bm3nADDxAgMBAAECggEABqJFvesP2v4FEvgd+kSWM+ZL34rPmy3zQ5/MDuPA20ep
+89EjQ/5hdRl1TknPcOnTu7PZVuENa9fM2xdrl7GEU9eU0bQLJE/KwiOUgJYObS8V
+eTO+DlghHXUBhfXDjux1CS+htOuTUqOyFNS+CR9Lta8o6ou1xjmcP7kW78i17mxF
+TuH5SZlS8W9PFLXHCInbMtqGFaT2ss09kvoPk2FDvHfxEdy6M9tKkguz02g+4bqI
+aAMp2N7AOfmRpC0HvVa1ZfZo5Z8/KMoNcIm3pV9DEVM369J9EzhnMNpkGben90aT
+FqO2JNsy52wmXFZUc9xe8uPdfDahALCkBGncLyLNmQKBgQDZREjocjdzOoPSlCdx
+mRNe9suHz2FpUpsHCPOCotG63hFVKpah/ZvpHSsQx5rXs/mawDTmzGY9GQiBrSvg
+OhfHIyT3NOhVaNcMxTqJX7rs7OG8D0MBacD9ASSeZ89MUn8q1EHZr5qxLtXl5Ikw
+mHtiGRdiKGFFrG9H0zncbGhy7QKBgQDBRhQ9RAasTdmUiNQly9GVFkXto4T/9UHx
+rVU44htCI2IVZUMTGlNfclfxpByDrzyA56rMzN9SAkiIp4nPpMDs5hayXaaPoojs
+CPzV7r2OjemZ6CTeQ1ODImRL8L/E3jJSgWd6YYoHSQ5hjEX4yT6ft0u0tZUfdMKd
+VENWIJ/hlQKBgQCo2hXjeOi5R8+tN3EUKwhP9HOnX7dv+D/9jqpZa5qdpPpJeyjI
+SmYCHKYci1Q+sWOaLiiu+km20B65UVFZGSzjmd+fs+GghzMifKGKo/iNK2ggFKhZ
+j8vplRrVdQ45XZ/xNDbdLEmHzEN2QE+Skd7KFYADzCgU0vdFFdbRBPuD3QKBgGIq
+fQctMRJ9LCE0akSURGwr9vKflmMHKCpfdqTAu0WZgS0K1Mm0GlqlUiPKzizYaauz
+f14sRNV7kWnPZsDPlqn8p9SKmpnj3RW97uWeMCtiyx6/+VHm8ljts/GaY1zT2s1r
+KqrPNfNDWQmU3MljNeqbh9lOTWK/xEVy0gzB31MNAoGAQNWrZvVdAbL95XW6STUu
+JmQlqJTlluuqS0Rrd/uVEQwW0Vd1dZjRQcFAFiSiCQWTbtId5gFZd6hiIQl53Xz0
+5cd+9mcyA/TaoCJYbMOFYsKbZMCBhefsovJlVQXedqJrIY6BdeGlet4GTAH5Qyl0
+ytEIUnvn5YmmbI7PDz80XpU=
+-----END PRIVATE KEY-----
--- a/server/testdata/test_key_encrypted.pem
+++ b/server/testdata/test_key_encrypted.pem
@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQPH9PYzryCI3smm81
+J8rm+QICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEI+9XxNfKSiMYIVB
+UfcGfncEggTQVw7tPslGy3mlofCNnhBSnMViv9kj6M11smD6Y8vHG0k9Kq+6g+Dx
+mQE9ILrSZBzM0uS3y484u+vkdqlT4KehhjIx0IiezurOcM45UdTAwLFLPzeEDlHI
+lOWQ3gOTB3J5AxiUQOa6QsDIM7AZilidQG0BxQYWyRBA5B8evJwJoAvdzzA9wGSm
+2YdNm3tA6rU5U8cVG+qTJP9pjbtRx0medC/CBZdxGkrWBQH+aySfahJdU8X1JI2e
+SY4WJRw1rLCow+DnHjZS/IVHFJivJSRYvnvw8fwjOMVtkf+dAVctKlb1Fj9X+RdG
+T1sq3i6zwFLE/RRz4qM4DKZ6UaD9wRFLow8FmNWVuJJiPgCLx2rrNMe32quS/kQP
+iOsXAUeA/Yg1fdMCJORxl0nWDmLYcNtBghCmS1lyk+t+AKWwJudrds5tQQe8ha2t
+Q41is+tDKwGDC1wt4WXJvBhgAJzuqFtr30H0M1eBhwwDdaDd9v0Zr3r8V49WZM2c
+i3qkwPPYkQD+pOcR12xBV8ptvDxaUl7RGlVqnEWHagT51BaIaXQ9teUrG6UPt8o2
+LELJXF6CiwkbN6Y9sYx5XiKrIGxVhlQSZ1nB3XSFRHbu6e7VHPjnVwUeeg87J2Am
+MEwqDzPU5sjKRn84+M91Y4uFAIeinaOJAQ0/tZVrf1iSeCMQyMUhW/8m7JPfG19F
+NbJSPRXQuKmYKbWfXcMW2UFbp0zDs7s7p4zzbfde9IbVdq/o2nv3ZrNbrLak6O7y
+FVt9q/xG4Tty6hSK6xtqtNZWcmfiMcTlk1Qcz2STvScbXtqgcgR6WUZfkLuzi09I
+EDYFnzU5JNSY3U3VTv2hAPeU4xjTNM6kjF7L9JFGvdjH8Ko9UdxG9RZMd8xhBM/n
+hxdzdVba4bDDz2z+0A2blSObrPrNsKr/3ZbnfuUiSs5NmqmUOifZ1t1PqGGO2Y5S
+/cDKtrPk226hGomsUBfHtiIJPG1VRl4UaZiduqK3GGhtF491KU1mAfYzueok3TPq
+JhLtLDIvEaFgmOmitFzROI/ifm6s4ssUvcvtbjwJumbjkU38OxYZFwbhwbe268G2
+vgspJamlEGJNdGDzrCFQlA2+A9kazCttztikfh5QGV6WFfkc3Bt1XTPL51vtliQy
+MS2gUnJUY2fuYCfz8rxLH1kQmyYsHQz5rUYyBkeDffrG9MzarmzSJXR63FRzVMf1
+LQ7BSzei7dF6+J4KVCxjbGWF3GUGmGeOP5g5vJ3xb3YPJNJLT4Vai103pay59TGP
+tESM2Vn0gJEvYApi707noFH5uFTW1cp7lloF41ddIUkL/QO7j+sjvBww+4DqBB7J
+BmvLMnswa23yw9egYRG5jOXyCgIr+1rnNcph1HGJsvxvgJ2gwwo5NKCG8SC6LcZQ
+fbDjX+ssmobLE3ktN03FZPMp32/ciexzuZoamfyiPXh7xE++ckifNEKJlNhx+kCG
+mSR2wh+UGigQkgp/JxOzl6C4fhUbrEZr17oBqGim2p8h+GE0zD5JSHcn1rP86gGU
+8JG/ilG4I8uMxUwhGj7amrWXUlJBd1by7e1EAL+utCo14/Tx3otB9/JtqY+lm9Ey
+1ptPhMRQxvDNWrCmYM2kyrGghdNfEMir6GKDWI6PY9cwAFv/PLOxr1c=
+-----END ENCRYPTED PRIVATE KEY-----
--- a/server/testdata/test_key_encrypted_legacy.pem
+++ b/server/testdata/test_key_encrypted_legacy.pem
@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,3C969050EAB73F121B7F0E6B75C42525
+
+V6pSaAsrn9CQNo4p88QshJLbg8zkQJEom81dPbYSVqQSZa9YlPtpLZ9YtuLj/Ay0
+TScEKIj/gzQ32wNl6nhcSNIL9yy+X11r5gNv1kIHkecf+EbDW20VOiJsfD+6LUyW
+hA96AIbPOwc76iCuvsKHPKU9MlEmjGipmk/C2RQLHCZJ3WkiDRgCM8KQ7vKhfACT
+w908yj4cB1e/P0JPq8t/3F7kPJ+6SVM1vMEffHl0otQR3rAyrK8QikwJ0K9qX62d
+cqchTVlEyyZBYovR8DrRRUDbsXS5j1ZmX3NQpvTSTFowr+33fMrY+4Oz8sdR4yx1
+CQc0A0sHHxSEIr2xu4KzczwOYVJN8PVdU0pgvFj9KEm66N6EY5CSFIBHyO/ycOt9
+U+wpkRjf3zS6ZaUU0NKdOcop4YX33i99/tZF2RNR1i7ETLYph+/LCf09286Bi3u/
+UCCuWedyECPdz0c6j0s27Fdfc/HEK90OEzeWh/fc+H2gJZhqJYK9V47HPTQNNMnB
+U1a6FsJlrKE3E6nfSnTLxrSx9m/XTV7HV+HkgX+q8VhN7Q2VHUqkPzE7ZOPYpZ+A
+dQzsm1TmEMxym6osYqFzQScXR1NZasrV2MTQ2J16dUgCdGAM2YMUD9JaoJR+u77M
+WAjYzDiRg84rLr/KbJPAwHbsfo2KpiapJGSBBEDhz4W1/LOrFhsjaqIMSy4yZDGm
+1KqXGHIlqmuHI7v4fD8vuzhj7GUujRx85HSZWakE/uc6s5WrhkSeVKYJWPfpsxTv
+dT3oLOGJ+nRzWxM3aFtuJghX0nIGdKxT4EAUNXz0/vLT3OP1QCZR+oELrriFzmtj
+O30bGH2SAFZEQJ/uTQg6celoNh89IzH4DJkcn67hqpX6mUiU9CrIr/eR9C/en8Q
+smTbbC1C1pDUaCwR26Z+zgM90amh4yfOFKK2geO2Kj+TmwFHUvi6ZnSzMzCvty3t
+wdIrUtf55Lw51JCpLGl70mg4b/zBj5hqBkU2YvAAnz/htjfH/wrD6ZAF1TCdlRO
+gyODrJjGRnLd/v0XLk0wp+RkAjBcSlRlkUvZY5BtugL7dIdwiNGGQPcOni9IVeG0
+6vDUEQnDOLYDj4d/JcckTLuHdrP+SW+0RQl2HK5+/w1hScGXN4O48gccu7yR/MN8
+DmpCg5rD/nq8sxJosmSt07GrN36KppYt8LCXQbSg3NG2Ad715caS2C+0Qtdm5MPD
+rM1UyTXQYSJXgUN9yZS/pmzlguCywnnvsBPU6j3ljZwcoD41QJ/1OU09/W6sIMQR
+IAiM35JHiLJiccFgxSE1qx5F1UZqX4P47jF0Wzi/sE/DYXg5qw2DoauqXNzqnumH
+71UDGK1V6wQIV7UCZDa0WUfFzu470XpuFb8VmMOuHSQxkZESc9cz8k/ueAuO438Q
+jnlkF1Ge2EEPuaK2zeaTj/lGyYA1AUfHRRgt/EMUQSBntmhlpnwVPYTVvYtHO2N5
+wp7/y39KirnlTl99i3XiOJ4WF4gIU2IaSlqMo4+e/A32h2JFi9QfNyfItXe6Fm1X
+d0j2XGHzwMfHEFKdWyrgtVZwc38/1d6xWYAhs02b2basV/0AQhFTaKf5Z268eBNJ
+-----END RSA PRIVATE KEY-----
--- a/ui/src/themes/amusic.css.js
+++ b/ui/src/themes/amusic.css.js
@ -47,17 +47,15 @@ const stylesheet = `
 .react-jinke-music-player-main .music-player-panel,
 .react-jinke-music-player-mobile,
 .ril__outer{
-    background-color: #1f1f1f;
+    background-color: #1a1a1a;
 	border: 1px solid #fff1;
 }
-.ril__toolbar{
-    background-color: #1d1d1d
-}
 .ril__toolbarItem{
 	font-size: 100%;
 	color: #eee
 }
-.audio-lists-panel{
+.audio-lists-panel,
+.ril__toolbar{
    background-color: #1f1f1f;
 	border: 1px solid #fff1;
 	border-radius: 6px 6px 0 0;
--- a/ui/src/themes/amusic.js
+++ b/ui/src/themes/amusic.js
@ -137,22 +137,19 @@ export default {
      albumName: {
        color: '#eee',
      },
-      albumSubtitle: {
-        color: '#ccc',
-      },
      albumPlayButton: {
-        color: '#ff4e6b !important',
+        color: '#ff4e6b',
      },
      albumArtistName: {
-        color: '#ff4e6b !important',
+        color: '#ccc',
      },
      cover: {
-        borderRadius: '10px !important',
+        borderRadius: '6px',
      },
    },
    NDLogin: {
      systemNameLink: {
-        color: '#D60017',
+        color: '#ff4e6b',
      },
      welcome: {
        color: '#eee',
@ -161,6 +158,9 @@ export default {
        minWidth: 300,
        backgroundColor: '#1d1d1d',
      },
+      icon: {
+        filter: 'hue-rotate(115deg)',
+      },
    },
    MuiPaper: {
      elevation1: {
@ -169,6 +169,9 @@ export default {
      root: {
        color: '#eee',
      },
+      rounded: {
+        borderRadius: '6px',
+      },
    },
    NDMobileArtistDetails: {
      bgContainer: {
@ -189,6 +192,30 @@ export default {
        paddingBottom: '1rem',
      },
    },
+    RaDeleteWithConfirmButton: {
+      deleteButton: {
+        color: 'unset',
+      },
+    },
+    RaPaginationActions: {
+      currentPageButton: {
+        border: '2px solid #D60017',
+        background: 'transparent',
+      },
+      button: {
+        border: '2px solid #D60017',
+      },
+      actions: {
+        '@global': {
+          '.next-page': {
+            border: '0 none',
+          },
+          '.previous-page': {
+            border: '0 none',
+          },
+        },
+      },
+    },
  },
  player: {
    theme: 'dark',
Author	SHA1	Message	Date
Nova	42890bc526	Merge bbe8fe164df8ba915d1cba17da9871c2fe435a53 into e36fef869278ec75f7a8b5e9c51ac02ab600de71	2025-11-29 12:57:20 +08:00
Deluan Quintão	e36fef8692	fix: retry insights collection when no admin user available (#4746 ) Previously, the insights collector would only try to get an admin user once at startup. If no admin user existed (e.g., fresh database before first user registration), insights collection would silently fail forever. This change moves the admin context creation inside the collection loop so it retries on each interval. It also updates log messages in WithAdminUser to remove the Scanner prefix since this function is now used by other components. Signed-off-by: Deluan <deluan@navidrome.org>	2025-11-28 19:38:28 -05:00
Deluan Quintão	9913235542	fix(server): improve error message for encrypted TLS private keys (#4742 ) Added TLS certificate validation that detects encrypted (password-protected) private keys and provides a clear error message with instructions on how to decrypt them using openssl. This addresses user confusion when Go's standard library fails with the cryptic 'tls: failed to parse private key' error. Changes: - Added validateTLSCertificates function to validate certs before server start - Added isEncryptedPEM helper to detect both PKCS#8 and legacy encrypted keys - Added comprehensive tests for TLS validation including encrypted key detection - Added integration test that starts server with TLS and verifies HTTPS works - Added test certificates (valid for 100 years) with SAN for localhost Signed-off-by: Deluan <deluan@navidrome.org>	2025-11-28 17:08:34 -05:00
Deluan	a87b6a50a6	test: use unique library name and path in tests Avoid UNIQUE constraint conflicts on library.name and library.path when running tests in parallel. Both playlist_repository_test.go and tag_library_filtering_test.go now generate timestamp-based unique suffixes for library names and paths to ensure test isolation. Signed-off-by: Deluan <deluan@navidrome.org>	2025-11-28 16:11:13 -05:00
Stephan Wahlen	2b30ed1520	fix(ui): Amusic theme improvements (#4731 ) * fix low contrast in "delete missing files" button * make login screen a bit nicer * style modal similar to rest of ui * Add custom styles for Ra Pagination * Refactor styles in amusic.js Removed albumSubtitle color and updated styles for albumPlayButton and albumArtistName * Add NDDeleteLibraryButton and NDDeleteUserButton styles low contrast * low contrast text on delete buttons * playbutton color back to pink without background	2025-11-28 08:52:26 -05:00
Deluan Quintão	1024d61a5e	fix: apply library filter to smart playlist track generation (#4739 ) Smart playlists were including tracks from all libraries regardless of the user's library access permissions. This resulted in ghost tracks that users could not see or play, while the playlist showed incorrect song counts. Added applyLibraryFilter to the refreshSmartPlaylist function to ensure only tracks from libraries the user has access to are included when populating smart playlist tracks. Added regression test to verify the fix. Closes #4738	2025-11-27 07:58:39 -05:00
Nova	bbe8fe164d	Fix typos Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>	2025-10-28 20:43:02 +00:00
zero	72969711d2	Refactor selectTranscodingOptions and add findTargetTranscodingOptions	2025-10-28 21:34:46 +01:00