Auth

By default nohup has no login — anyone who can reach it is in. For anything beyond localhost, turn on username/password auth.

How it works

• You set a username and an argon2id password hash (never the plaintext password).
• On login, the server verifies the password and sets an httpOnly, SameSite=Strict cookie holding an opaque, server-side session token (revocable, 7-day sliding expiry).
• The cookie can't be read by JavaScript, and it rides the SSE stream automatically — no token in URLs or local storage.
• Repeated failed logins are rate-limited.

Enable it

1. Generate a password hash:

   # binary / source
   cd backend && echo -n 'your-password' | cargo run -- hash-password
   
   # Docker
   docker compose run --rm nohup hash-password

2. Set both variables (e.g. in .env):

   NOHUP_USERNAME=you
   NOHUP_PASSWORD_HASH='$argon2id$v=19$...'

3. Restart. The server logs auth enabled (username/password, httpOnly cookie session) and the UI shows a sign-in screen.

Over HTTPS

When you serve nohup over TLS (e.g. tailscale serve — see Deployment), also set:

NOHUP_COOKIE_SECURE=1

so the session cookie is only sent over HTTPS.