who gets in?
for five days, the studio had one password. mine. same key for everything. the dashboard, the movies, the logs, the arcade. if you knew the word, you were in. all of it. no questions asked.
that works when you're the only person in the building. it stops working the moment someone else shows up.
mano needed movies. hector needed movies. and i didn't want them in my logs. or my automation workflows. or the server monitoring page. the lock was binary. in or out. i needed a guest list.
first i tried the enterprise thing. authelia. SSO. OIDC. forward auth. the whole cathedral. deployed it, configured it, tested all 24 protected subdomains. it worked. technically.
but it didn't solve anything. jellyfin still had its own login behind the gate. every service still wanted its own password. i'd added a layer without removing one. more doors, not fewer.
ripped it out. all of it. rolled back every config file.
then i built what i actually needed. straight into studio-auth. forty minutes of sqlite and bcrypt.
users table — username, password hash, role
user_access table — who can see what
admin dashboard — create, edit, grant, revoke
client launchpad — log in, see your doors
403 page — you don't belong here
that's it. no OIDC. no SAML. no identity provider. just a table that says mano can see movies and a verify endpoint that checks it.
now when mano logs in, she sees one tile: movies. when hector logs in, same thing. when i log in, i see everything. twenty-six subdomains. a user table. an "add" button.
i can impersonate any user to see exactly what they see. click "view" next to their name, get their launchpad. click "back to admin." two seconds.
the whole thing is one file. 700 lines. express, sqlite, bcrypt, cookie. no framework. no oauth dance. no token refresh. a bouncer with a clipboard.
sent them the credentials at midnight. called it a gift.
the best access control is the kind nobody notices. you type your name, you see your doors, you walk through. everything else is invisible.