fix: mobilde menülerin açılmama sorunu HTML details/summary yapısı ile kökten çözüldü

- console_log::init_with_level() now uses expect()
- web_sys::window() now uses expect() with helpful message
- window.document() now uses expect()
- document.body() now uses expect()

This provides meaningful error messages if WASM initialization fails.

.gitea/workflows/build-mips.yml

@@ -9,56 +9,39 @@ env:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: mips-builder
 
     steps:
-    - uses: actions/checkout@v4
+    - name: Checkout
-
+      env:
-    - name: Setup Rust
+        GIT_TOKEN: ${{ secrets.RELEASE_TOKEN }}
       run: |
-        rustup toolchain install nightly --profile minimal
+        rm -rf .git
-        rustup target add wasm32-unknown-unknown --toolchain nightly
+        git init .
-        rustup component add rust-src --toolchain nightly
+        git remote add origin https://admin:$\{GIT_TOKEN\}@git.karatatar.com/admin/vibetorrent.git
-        rustc +nightly --version
+        git fetch --depth=1 origin ${{ gitea.sha }}
-
+        git checkout FETCH_HEAD
-    - name: Install Trunk
-      run: |
-        if ! command -v trunk &> /dev/null; then
-          cargo install trunk --locked
-        fi
 
     - name: Build Frontend
       run: |
         cd frontend
         npm install
+        npx @tailwindcss/cli -i input.css -o public/tailwind.css
+        # Trunk'ın optimizasyonunu kapalı (0) tutuyoruz çünkü Cargo.toml'daki opt-level='z' zaten o işi yapıyor.
         trunk build --release
 
-    - name: Install Cross
-      run: |
-        if ! command -v cross &> /dev/null; then
-          cargo install cross --locked
-        fi
-
     - name: Build Backend (MIPS)
+      env:
+        # -s ve -w ile binary içindeki gereksiz tüm yükleri siliyoruz.
+        RUSTFLAGS: "-C target-feature=+crt-static -C link-self-contained=no -C link-arg=-msoft-float -C link-arg=-s -C link-arg=-w"
+        CFLAGS_mips_unknown_linux_musl: "-msoft-float"
       run: |
-        docker run --rm --platform linux/amd64 \
+        # Sadece gerekli özellikleri derliyoruz (Boyut tasarrufu için swagger kapalı)
-          -v "$PWD":/project \
+        cargo zigbuild -p backend --target mips-unknown-linux-musl --release -Z build-std=std,panic_abort --no-default-features --features push-notifications
-          -v cargo-cache:/usr/local/cargo/registry \
-          -w /project \
-          rust:latest \
-          bash -c '
-            rustup toolchain install nightly --component rust-src &&
-            apt-get update -qq && apt-get install -y -qq musl-tools wget >/dev/null 2>&1 &&
-            wget -qO- https://musl.cc/mips-linux-musl-cross.tgz | tar xz -C /opt/ &&
-            export PATH="/opt/mips-linux-musl-cross/bin:$PATH" &&
-            export CARGO_TARGET_MIPS_UNKNOWN_LINUX_MUSL_LINKER=mips-linux-musl-gcc &&
-            cd backend &&
-            cargo +nightly build --target mips-unknown-linux-musl --release -Z build-std=std,panic_abort &&
-            file /project/target/mips-unknown-linux-musl/release/backend
-          '
 
-    - name: Rename Binary
+    - name: Create Release Assets
-      run: mv target/mips-unknown-linux-musl/release/backend target/mips-unknown-linux-musl/release/vibetorrent-mips
+      run: |
+        mv target/mips-unknown-linux-musl/release/backend target/mips-unknown-linux-musl/release/vibetorrent-mips
 
     - name: Generate Release Tag
       id: tag
@@ -72,7 +55,6 @@ jobs:
         REPO="admin/vibetorrent"
         API_URL="${{ gitea.server_url }}/api/v1"
 
-        # Create release
         RELEASE_RESPONSE=$(curl -s -X POST "${API_URL}/repos/${REPO}/releases" \
           -H "Authorization: token ${RELEASE_TOKEN}" \
           -H "Content-Type: application/json" \
@@ -85,18 +67,9 @@ jobs:
           }")
 
         RELEASE_ID=$(echo "$RELEASE_RESPONSE" | jq -r '.id')
-        echo "Release ID: $RELEASE_ID"
+        if [ "$RELEASE_ID" = "null" ] || [ -z "$RELEASE_ID" ]; then exit 1; fi
 
-        if [ "$RELEASE_ID" = "null" ] || [ -z "$RELEASE_ID" ]; then
-          echo "Failed to create release:"
-          echo "$RELEASE_RESPONSE"
-          exit 1
-        fi
-
-        # Upload binary as release asset
         curl -s -X POST "${API_URL}/repos/${REPO}/releases/${RELEASE_ID}/assets?name=vibetorrent-mips" \
           -H "Authorization: token ${RELEASE_TOKEN}" \
           -H "Content-Type: application/octet-stream" \
           --data-binary @target/mips-unknown-linux-musl/release/vibetorrent-mips
-
-        echo "Release ${TAG} created with binary attached."

.github/workflows/build-mips.yml

@@ -1,80 +0,0 @@
-name: Build MIPS Binary
-
-on:
-  push:
-    branches: [ "main" ]
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-env:
-  CARGO_TERM_COLOR: always
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Debug - List Files (Pre-Build)
-      run: ls -R
-
-    - name: Setup Node.js
-      uses: actions/setup-node@v4
-      with:
-        node-version: '20'
-
-    - name: Install Rust
-      uses: dtolnay/rust-toolchain@nightly
-      with:
-        targets: wasm32-unknown-unknown
-        components: rust-src
-
-    - name: Rust Cache
-      uses: Swatinem/rust-cache@v2
-
-    - name: Install Trunk
-      uses: jetli/trunk-action@v0.5.0
-      with:
-        version: 'latest'
-
-    - name: Build Frontend
-      run: |
-        cd frontend
-        npm install
-        trunk build --release
-
-    - name: Install Cross
-      run: cargo install cross
-
-    - name: Build Backend (MIPS)
-      env:
-        RUSTUP_TOOLCHAIN: nightly
-        CROSS_NO_WARNINGS: 0
-      run: |
-        cd backend
-        cross build --target mips-unknown-linux-musl --release -Z build-std=std,panic_abort
-
-    - name: Debug - List Files
-      run: |
-        echo "Listing target directory..."
-        find target -maxdepth 5 || true
-        ls -R target/mips-unknown-linux-musl/release || true
-
-    - name: Rename Binary
-      run: mv target/mips-unknown-linux-musl/release/backend target/mips-unknown-linux-musl/release/vibetorrent-mips
-
-    - name: Generate Tag
-      id: tag
-      run: echo "release_tag=release-$(date +'%Y%m%d-%H%M')" >> $GITHUB_OUTPUT
-
-    - name: Create Release
-      uses: softprops/action-gh-release@v1
-      with:
-        tag_name: ${{ steps.tag.outputs.release_tag }}
-        name: Release ${{ steps.tag.outputs.release_tag }}
-        files: target/mips-unknown-linux-musl/release/vibetorrent-mips
-        draft: false
-        prerelease: false

.gitignore

@@ -6,3 +6,5 @@ result.xml
 frontend/dist
 backend.log
 .runner
+.env
+backend/.env

Cargo.toml

@@ -2,13 +2,19 @@
 members = ["backend", "frontend", "shared"]
 resolver = "2"
 
-# Optimize for size (aggressive)
 [profile.release]
+# En küçük binary boyutu
 opt-level = "z"
-lto = true
+# En derin kod temizliği (dead code elimination)
+lto = "fat"
+# En iyi optimizasyon için tek birim derleme
 codegen-units = 1
+# Hata izleme kodlarını atarak yer kazan
 panic = "abort"
+# Sembolleri ve hata ayıklama bilgilerini kesin sil
 strip = true
+# Artık (incremental) build'i kapat ki optimizasyon tam olsun
+incremental = false
 
 [patch.crates-io]
 coarsetime = { path = "third_party/coarsetime" }

backend/.env.example

@@ -3,3 +3,12 @@ RTORRENT_SOCKET=/tmp/rtorrent.sock
 
 # Backend Listen Port
 PORT=3000
+
+# Database URL
+DATABASE_URL=sqlite:vibetorrent.db
+
+# VAPID Keys for Push Notifications
+# Generate new keys for production using: npx web-push generate-vapid-keys
+VAPID_PUBLIC_KEY=YOUR_PUBLIC_VAPID_KEY
+VAPID_PRIVATE_KEY=YOUR_PRIVATE_VAPID_KEY
+VAPID_EMAIL=mailto:your-email@example.com

backend/Cargo.toml

@@ -4,8 +4,9 @@ version = "0.1.0"
 edition = "2021"
 
 [features]
-default = ["push-notifications"]
+default = ["push-notifications", "swagger"]
 push-notifications = ["web-push", "openssl"]
+swagger = ["utoipa-swagger-ui"]
 
 [dependencies]
 axum = { version = "0.8", features = ["macros", "ws"] }
@@ -29,7 +30,15 @@ shared = { path = "../shared" }
 thiserror = "2.0.18"
 dotenvy = "0.15.7"
 utoipa = { version = "5.4.0", features = ["axum_extras"] }
-utoipa-swagger-ui = { version = "9.0.2", features = ["axum"] }
+utoipa-swagger-ui = { version = "9.0.2", features = ["axum"], optional = true }
 web-push = { version = "0.10", default-features = false, features = ["hyper-client"], optional = true }
 base64 = "0.22"
 openssl = { version = "0.10", features = ["vendored"], optional = true }
+sqlx = { version = "0.8", features = ["runtime-tokio", "sqlite"] }
+bcrypt = "0.17.0"
+axum-extra = { version = "0.10", features = ["cookie"] }
+rand = "0.8"
+anyhow = "1.0.101"
+time = { version = "0.3.47", features = ["serde", "formatting", "parsing"] }
+tower_governor = "0.8.0"
+governor = "0.10.4"

backend/migrations/001_init.sql

@@ -0,0 +1,16 @@
+-- 001_init.sql
+-- Initial schema for users and sessions
+
+CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY,
+    username TEXT NOT NULL UNIQUE,
+    password_hash TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS sessions (
+    token TEXT PRIMARY KEY,
+    user_id INTEGER NOT NULL,
+    expires_at DATETIME NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES users(id)
+);

backend/migrations/002_push_subscriptions.sql

@@ -0,0 +1,13 @@
+-- 002_push_subscriptions.sql
+-- Push notification subscriptions storage
+
+CREATE TABLE IF NOT EXISTS push_subscriptions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    endpoint TEXT NOT NULL UNIQUE,
+    p256dh TEXT NOT NULL,
+    auth TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Index for faster lookups by endpoint
+CREATE INDEX IF NOT EXISTS idx_push_subscriptions_endpoint ON push_subscriptions(endpoint);

backend/src/db.rs

@@ -0,0 +1,148 @@
+use sqlx::{sqlite::SqlitePoolOptions, Pool, Sqlite, Row, sqlite::SqliteConnectOptions};
+use std::time::Duration;
+use anyhow::Result;
+use std::str::FromStr;
+
+#[derive(Clone)]
+pub struct Db {
+    pool: Pool<Sqlite>,
+}
+
+impl Db {
+    pub async fn new(db_url: &str) -> Result<Self> {
+        let options = SqliteConnectOptions::from_str(db_url)?
+            .create_if_missing(true)
+            .busy_timeout(Duration::from_secs(10)) // Bekleme süresini 10 saniyeye çıkardık
+            .journal_mode(sqlx::sqlite::SqliteJournalMode::Wal)
+            .synchronous(sqlx::sqlite::SqliteSynchronous::Normal);
+
+        let pool = SqlitePoolOptions::new()
+            .max_connections(5)
+            .acquire_timeout(Duration::from_secs(10))
+            .connect_with(options)
+            .await?;
+
+        let db = Self { pool };
+        db.run_migrations().await?;
+        Ok(db)
+    }
+
+    async fn run_migrations(&self) -> Result<()> {
+        sqlx::migrate!("./migrations").run(&self.pool).await?;
+        Ok(())
+    }
+
+    // --- User Operations ---
+
+    pub async fn create_user(&self, username: &str, password_hash: &str) -> Result<()> {
+        sqlx::query("INSERT INTO users (username, password_hash) VALUES (?, ?)")
+            .bind(username)
+            .bind(password_hash)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn get_user_by_username(&self, username: &str) -> Result<Option<(i64, String)>> {
+        let row = sqlx::query("SELECT id, password_hash FROM users WHERE username = ?")
+            .bind(username)
+            .fetch_optional(&self.pool)
+            .await?;
+
+        Ok(row.map(|r| (r.get(0), r.get(1))))
+    }
+
+    pub async fn get_username_by_id(&self, id: i64) -> Result<Option<String>> {
+        let row = sqlx::query("SELECT username FROM users WHERE id = ?")
+            .bind(id)
+            .fetch_optional(&self.pool)
+            .await?;
+
+        Ok(row.map(|r| r.get(0)))
+    }
+
+    pub async fn has_users(&self) -> Result<bool> {
+        let row: (i64,) = sqlx::query_as("SELECT COUNT(*) FROM users")
+            .fetch_one(&self.pool)
+            .await?;
+        Ok(row.0 > 0)
+    }
+
+    // --- Session Operations ---
+
+    pub async fn create_session(&self, user_id: i64, token: &str, expires_at: i64) -> Result<()> {
+        sqlx::query("INSERT INTO sessions (token, user_id, expires_at) VALUES (?, ?, datetime(?, 'unixepoch'))")
+            .bind(token)
+            .bind(user_id)
+            .bind(expires_at)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn get_session_user(&self, token: &str) -> Result<Option<i64>> {
+        let row = sqlx::query("SELECT user_id FROM sessions WHERE token = ? AND expires_at > datetime('now')")
+            .bind(token)
+            .fetch_optional(&self.pool)
+            .await?;
+
+        Ok(row.map(|r| r.get(0)))
+    }
+
+    pub async fn delete_session(&self, token: &str) -> Result<()> {
+        sqlx::query("DELETE FROM sessions WHERE token = ?")
+            .bind(token)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn update_password(&self, user_id: i64, password_hash: &str) -> Result<()> {
+        sqlx::query("UPDATE users SET password_hash = ? WHERE id = ?")
+            .bind(password_hash)
+            .bind(user_id)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn delete_all_sessions_for_user(&self, user_id: i64) -> Result<()> {
+        sqlx::query("DELETE FROM sessions WHERE user_id = ?")
+            .bind(user_id)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    // --- Push Subscription Operations ---
+
+    pub async fn save_push_subscription(&self, endpoint: &str, p256dh: &str, auth: &str) -> Result<()> {
+        sqlx::query(
+            "INSERT INTO push_subscriptions (endpoint, p256dh, auth) VALUES (?, ?, ?)
+             ON CONFLICT(endpoint) DO UPDATE SET p256dh = EXCLUDED.p256dh, auth = EXCLUDED.auth"
+        )
+        .bind(endpoint)
+        .bind(p256dh)
+        .bind(auth)
+        .execute(&self.pool)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn remove_push_subscription(&self, endpoint: &str) -> Result<()> {
+        sqlx::query("DELETE FROM push_subscriptions WHERE endpoint = ?")
+            .bind(endpoint)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn get_all_push_subscriptions(&self) -> Result<Vec<(String, String, String)>> {
+        let rows = sqlx::query_as::<_, (String, String, String)>(
+            "SELECT endpoint, p256dh, auth FROM push_subscriptions"
+        )
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows)
+    }
+}

backend/src/diff.rs

@@ -1,3 +1,4 @@
+use std::collections::HashMap;
 use shared::{AppEvent, NotificationLevel, SystemNotification, Torrent, TorrentUpdate};
 
 #[derive(Debug)]
@@ -8,24 +9,32 @@ pub enum DiffResult {
 }
 
 pub fn diff_torrents(old: &[Torrent], new: &[Torrent]) -> DiffResult {
-    // 1. Structural Check (Length or Order changed)
+    // 1. Structural Check: Eğer torrent sayısı değişmişse (yeni eklenen veya silinen), 
+    // şimdilik basitlik adına FullUpdate gönderiyoruz.
     if old.len() != new.len() {
         return DiffResult::FullUpdate;
     }
 
-    for (i, t) in new.iter().enumerate() {
+    // 2. Hash Set Karşılaştırması: 
-        if old[i].hash != t.hash {
+    // Sıralama değişmiş olabilir ama torrentler aynı mı?
+    let old_map: HashMap<&str, &Torrent> = old.iter().map(|t| (t.hash.as_str(), t)).collect();
+    
+    // Eğer yeni listedeki bir hash eski listede yoksa, yapı değişmiş demektir.
+    for new_t in new {
+        if !old_map.contains_key(new_t.hash.as_str()) {
             return DiffResult::FullUpdate;
         }
     }
 
-    // 2. Field Updates
+    // 3. Alan Güncellemeleri (Partial Updates)
+    // Buraya geldiğimizde biliyoruz ki old ve new listelerindeki torrentler (hash olarak) aynı,
+    // sadece sıraları farklı olabilir veya içindeki veriler güncellenmiş olabilir.
     let mut events = Vec::new();
 
-    for (i, new_t) in new.iter().enumerate() {
+    for new_t in new {
-        let old_t = &old[i];
+        // old_map'ten ilgili torrente hash ile ulaşalım (sıradan bağımsız)
+        let old_t = old_map.get(new_t.hash.as_str()).unwrap();
 
-        // Initialize with all None
         let mut update = TorrentUpdate {
             hash: new_t.hash.clone(),
             name: None,
@@ -42,7 +51,7 @@ pub fn diff_torrents(old: &[Torrent], new: &[Torrent]) -> DiffResult {
 
         let mut has_changes = false;
 
-        // Compare fields
+        // Alanları karşılaştır
         if old_t.name != new_t.name {
             update.name = Some(new_t.name.clone());
             has_changes = true;
@@ -63,7 +72,7 @@ pub fn diff_torrents(old: &[Torrent], new: &[Torrent]) -> DiffResult {
             update.percent_complete = Some(new_t.percent_complete);
             has_changes = true;
 
-            // Check for torrent completion: reached 100%
+            // Torrent tamamlanma kontrolü
             if old_t.percent_complete < 100.0 && new_t.percent_complete >= 100.0 {
                 tracing::info!("Torrent completed: {} ({})", new_t.name, new_t.hash);
                 events.push(AppEvent::Notification(SystemNotification {
@@ -84,8 +93,7 @@ pub fn diff_torrents(old: &[Torrent], new: &[Torrent]) -> DiffResult {
             update.status = Some(new_t.status.clone());
             has_changes = true;
             
-            // Log status changes for debugging
+            tracing::debug!(
-            tracing::info!(
                 "Torrent status changed: {} ({}) {:?} -> {:?}",
                 new_t.name, new_t.hash, old_t.status, new_t.status
             );

backend/src/handlers/auth.rs

@@ -0,0 +1,154 @@
+use crate::AppState;
+use axum::{
+    extract::{State, Json},
+    http::StatusCode,
+    response::IntoResponse,
+};
+use serde::{Deserialize, Serialize};
+use utoipa::ToSchema;
+use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
+use time::Duration;
+
+#[derive(Deserialize, ToSchema)]
+pub struct LoginRequest {
+    username: String,
+    password: String,
+    #[serde(default)]
+    remember_me: bool,
+}
+
+#[derive(Serialize, ToSchema)]
+pub struct UserResponse {
+    username: String,
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/auth/login",
+    request_body = LoginRequest,
+    responses(
+        (status = 200, description = "Login successful"),
+        (status = 401, description = "Invalid credentials"),
+        (status = 500, description = "Internal server error")
+    )
+)]
+pub async fn login_handler(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Json(payload): Json<LoginRequest>,
+) -> impl IntoResponse {
+    tracing::info!("Login attempt for user: {}", payload.username);
+
+    let user = match state.db.get_user_by_username(&payload.username).await {
+        Ok(Some(u)) => u,
+        Ok(None) => {
+            tracing::warn!("Login failed: User not found for {}", payload.username);
+            return (StatusCode::UNAUTHORIZED, "Invalid credentials").into_response();
+        }
+        Err(e) => {
+            tracing::error!("DB error during login for {}: {}", payload.username, e);
+            return (StatusCode::INTERNAL_SERVER_ERROR, "Database error").into_response();
+        }
+    };
+
+    let (user_id, password_hash) = user;
+
+    match bcrypt::verify(&payload.password, &password_hash) {
+        Ok(true) => {
+            tracing::info!("Password verified for user: {}", payload.username);
+
+            // Create session
+            let token: String = (0..32).map(|_| {
+                use rand::{distributions::Alphanumeric, Rng};
+                rand::thread_rng().sample(Alphanumeric) as char
+            }).collect();
+
+            // Expiration: 30 days if remember_me is true, else 1 day
+            let expires_in = if payload.remember_me {
+                60 * 60 * 24 * 30
+            } else {
+                60 * 60 * 24
+            };
+
+            let expires_at = time::OffsetDateTime::now_utc().unix_timestamp() + expires_in;
+
+            if let Err(e) = state.db.create_session(user_id, &token, expires_at).await {
+                tracing::error!("Failed to create session for {}: {}", payload.username, e);
+                return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to create session").into_response();
+            }
+
+            let mut cookie = Cookie::build(("auth_token", token))
+                .path("/")
+                .http_only(true)
+                .same_site(SameSite::Lax)
+                .build();
+
+            cookie.set_max_age(Duration::seconds(expires_in));
+
+            tracing::info!("Session created and cookie set for user: {}", payload.username);
+            (StatusCode::OK, jar.add(cookie), Json(UserResponse { username: payload.username })).into_response()
+        }
+        Ok(false) => {
+            tracing::warn!("Login failed: Invalid password for {}", payload.username);
+            (StatusCode::UNAUTHORIZED, "Invalid credentials").into_response()
+        }
+        Err(e) => {
+            tracing::error!("Bcrypt error for {}: {}", payload.username, e);
+            (StatusCode::INTERNAL_SERVER_ERROR, "Auth error").into_response()
+        }
+    }
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/auth/logout",
+    responses(
+        (status = 200, description = "Logged out")
+    )
+)]
+pub async fn logout_handler(
+    State(state): State<AppState>,
+    jar: CookieJar,
+) -> impl IntoResponse {
+    if let Some(token) = jar.get("auth_token") {
+        let _ = state.db.delete_session(token.value()).await;
+    }
+
+    let cookie = Cookie::build(("auth_token", ""))
+        .path("/")
+        .http_only(true)
+        .max_age(Duration::seconds(-1)) // Expire immediately
+        .build();
+
+    (StatusCode::OK, jar.add(cookie), "Logged out").into_response()
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/auth/check",
+    responses(
+        (status = 200, description = "Authenticated", body = UserResponse),
+        (status = 401, description = "Not authenticated")
+    )
+)]
+pub async fn check_auth_handler(
+    State(state): State<AppState>,
+    jar: CookieJar,
+) -> impl IntoResponse {
+    if let Some(token) = jar.get("auth_token") {
+        match state.db.get_session_user(token.value()).await {
+            Ok(Some(user_id)) => {
+                // Fetch username
+                // We need a helper in db.rs to get username by id, or we can use a direct query here if we don't want to change db.rs interface yet.
+                // But better to add `get_username_by_id` to db.rs
+                // For now let's query directly or via a new db method.
+                if let Ok(Some(username)) = state.db.get_username_by_id(user_id).await {
+                     return (StatusCode::OK, Json(UserResponse { username })).into_response();
+                }
+            },
+            _ => {} // Invalid session
+        }
+    }
+
+    StatusCode::UNAUTHORIZED.into_response()
+}

backend/src/handlers/mod.rs

@@ -18,6 +18,9 @@ use shared::{
 };
 use utoipa::ToSchema;
 
+pub mod auth;
+pub mod setup;
+
 #[derive(RustEmbed)]
 #[folder = "../frontend/dist"]
 pub struct Asset;
@@ -687,8 +690,10 @@ pub async fn handle_timeout_error(err: BoxError) -> (StatusCode, &'static str) {
         (status = 200, description = "VAPID public key", body = String)
     )
 )]
-pub async fn get_push_public_key_handler() -> impl IntoResponse {
+pub async fn get_push_public_key_handler(
-    let public_key = push::get_vapid_public_key();
+    State(state): State<AppState>,
+) -> impl IntoResponse {
+    let public_key = state.push_store.get_public_key();
     (StatusCode::OK, Json(serde_json::json!({ "publicKey": public_key }))).into_response()
 }
 

backend/src/handlers/setup.rs

@@ -0,0 +1,125 @@
+use crate::AppState;
+use axum::{
+    extract::{State, Json},
+    http::StatusCode,
+    response::IntoResponse,
+};
+use serde::{Deserialize, Serialize};
+use utoipa::ToSchema;
+use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
+use time::Duration;
+
+#[derive(Deserialize, ToSchema)]
+pub struct SetupRequest {
+    username: String,
+    password: String,
+}
+
+#[derive(Serialize, ToSchema)]
+pub struct SetupStatusResponse {
+    completed: bool,
+}
+
+#[utoipa::path(
+    get,
+    path = "/api/setup/status",
+    responses(
+        (status = 200, description = "Setup status", body = SetupStatusResponse)
+    )
+)]
+pub async fn get_setup_status_handler(State(state): State<AppState>) -> impl IntoResponse {
+    let completed = match state.db.has_users().await {
+        Ok(has) => has,
+        Err(e) => {
+            tracing::error!("DB error checking users: {}", e);
+            false
+        }
+    };
+    Json(SetupStatusResponse { completed }).into_response()
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/setup",
+    request_body = SetupRequest,
+    responses(
+        (status = 200, description = "Setup completed and logged in"),
+        (status = 400, description = "Invalid request"),
+        (status = 403, description = "Setup already completed"),
+        (status = 500, description = "Internal server error")
+    )
+)]
+pub async fn setup_handler(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Json(payload): Json<SetupRequest>,
+) -> impl IntoResponse {
+    // 1. Check if setup is already completed (i.e., users exist)
+    match state.db.has_users().await {
+        Ok(true) => return (StatusCode::FORBIDDEN, "Setup already completed").into_response(),
+        Err(e) => {
+            tracing::error!("DB error checking users: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR, "Database error").into_response();
+        }
+        Ok(false) => {} // Proceed
+    }
+
+    // 2. Validate input
+    if payload.username.len() < 3 || payload.password.len() < 6 {
+        return (StatusCode::BAD_REQUEST, "Username must be at least 3 chars, password at least 6").into_response();
+    }
+
+    // 3. Create User
+    // Lower cost for faster login on low-power devices (MIPS routers etc.)
+    let password_hash = match bcrypt::hash(&payload.password, 6) {
+        Ok(h) => h,
+        Err(e) => {
+            tracing::error!("Failed to hash password: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to process password").into_response();
+        }
+    };
+
+    if let Err(e) = state.db.create_user(&payload.username, &password_hash).await {
+        tracing::error!("Failed to create user: {}", e);
+        return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to create user").into_response();
+    }
+
+    // 4. Auto-Login (Create Session)
+    // Get the created user's ID
+    let user = match state.db.get_user_by_username(&payload.username).await {
+        Ok(Some(u)) => u,
+        Ok(None) => return (StatusCode::INTERNAL_SERVER_ERROR, "User created but not found").into_response(),
+        Err(e) => {
+            tracing::error!("DB error fetching new user: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR, "Database error").into_response();
+        }
+    };
+    let (user_id, _) = user;
+
+    // Create session token
+    let token: String = (0..32).map(|_| {
+        use rand::{distributions::Alphanumeric, Rng};
+        rand::thread_rng().sample(Alphanumeric) as char
+    }).collect();
+
+    // Default expiration: 1 day (since it's not "remember me")
+    let expires_in = 60 * 60 * 24;
+    let expires_at = time::OffsetDateTime::now_utc().unix_timestamp() + expires_in;
+
+    if let Err(e) = state.db.create_session(user_id, &token, expires_at).await {
+        tracing::error!("Failed to create session for new user: {}", e);
+        // Even if session fails, setup is technically complete, but login failed.
+        // We return OK but user will have to login manually.
+        return (StatusCode::OK, "Setup completed, please login").into_response();
+    }
+
+    let mut cookie = Cookie::build(("auth_token", token))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .build();
+
+    cookie.set_max_age(Duration::seconds(expires_in));
+
+    (StatusCode::OK, jar.add(cookie), "Setup completed and logged in").into_response()
+}

backend/src/main.rs

@@ -1,7 +1,9 @@
+mod db;
 mod diff;
 mod handlers;
 #[cfg(feature = "push-notifications")]
 mod push;
+mod rate_limit;
 mod scgi;
 mod sse;
 mod xmlrpc;
@@ -10,7 +12,12 @@ use axum::error_handling::HandleErrorLayer;
 use axum::{
     routing::{get, post},
     Router,
+    middleware::{self, Next},
+    response::Response,
+    http::{StatusCode, Request},
+    body::Body,
 };
+use axum_extra::extract::cookie::CookieJar;
 use clap::Parser;
 use dotenvy::dotenv;
 use shared::{AppEvent, Torrent};
@@ -19,12 +26,15 @@ use std::sync::Arc;
 use std::time::Duration;
 use tokio::sync::{broadcast, watch};
 use tower::ServiceBuilder;
+use tower_governor::GovernorLayer;
 use tower_http::{
     compression::{CompressionLayer, CompressionLevel},
     cors::CorsLayer,
     trace::TraceLayer,
 };
+#[cfg(feature = "swagger")]
 use utoipa::OpenApi;
+#[cfg(feature = "swagger")]
 use utoipa_swagger_ui::SwaggerUi;
 
 #[derive(Clone)]
@@ -32,10 +42,39 @@ pub struct AppState {
     pub tx: Arc<watch::Sender<Vec<Torrent>>>,
     pub event_bus: broadcast::Sender<AppEvent>,
     pub scgi_socket_path: String,
+    pub db: db::Db,
     #[cfg(feature = "push-notifications")]
     pub push_store: push::PushSubscriptionStore,
 }
 
+async fn auth_middleware(
+    state: axum::extract::State<AppState>,
+    jar: CookieJar,
+    request: Request<Body>,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    // Skip auth for public paths
+    let path = request.uri().path();
+    if path.starts_with("/api/auth/login")
+       || path.starts_with("/api/auth/check") // Used by frontend to decide where to go
+       || path.starts_with("/api/setup")
+       || path.starts_with("/swagger-ui")
+       || path.starts_with("/api-docs")
+       || !path.starts_with("/api/") // Allow static files (frontend)
+    {
+        return Ok(next.run(request).await);
+    }
+
+    // Check token
+    if let Some(token) = jar.get("auth_token") {
+        match state.db.get_session_user(token.value()).await {
+            Ok(Some(_)) => return Ok(next.run(request).await),
+            _ => {} // Invalid
+        }
+    }
+
+    Err(StatusCode::UNAUTHORIZED)
+}
 #[derive(Parser, Debug)]
 #[command(author, version, about, long_about = None)]
 struct Args {
@@ -51,8 +90,17 @@ struct Args {
     /// Port to listen on
     #[arg(short, long, env = "PORT", default_value_t = 3000)]
     port: u16,
+
+    /// Database URL
+    #[arg(long, env = "DATABASE_URL", default_value = "sqlite:vibetorrent.db")]
+    db_url: String,
+
+    /// Reset password for the specified user
+    #[arg(long)]
+    reset_password: Option<String>,
 }
 
+#[cfg(feature = "swagger")]
 #[cfg(feature = "push-notifications")]
 #[derive(OpenApi)]
 #[openapi(
@@ -68,7 +116,12 @@ struct Args {
         handlers::get_global_limit_handler,
         handlers::set_global_limit_handler,
         handlers::get_push_public_key_handler,
-        handlers::subscribe_push_handler
+        handlers::subscribe_push_handler,
+        handlers::auth::login_handler,
+        handlers::auth::logout_handler,
+        handlers::auth::check_auth_handler,
+        handlers::setup::setup_handler,
+        handlers::setup::get_setup_status_handler
     ),
     components(
         schemas(
@@ -83,7 +136,11 @@ struct Args {
             shared::SetLabelRequest,
             shared::GlobalLimitRequest,
             push::PushSubscription,
-            push::PushKeys
+            push::PushKeys,
+            handlers::auth::LoginRequest,
+            handlers::setup::SetupRequest,
+            handlers::setup::SetupStatusResponse,
+            handlers::auth::UserResponse
         )
     ),
     tags(
@@ -92,6 +149,7 @@ struct Args {
 )]
 struct ApiDoc;
 
+#[cfg(feature = "swagger")]
 #[cfg(not(feature = "push-notifications"))]
 #[derive(OpenApi)]
 #[openapi(
@@ -105,7 +163,12 @@ struct ApiDoc;
         handlers::set_file_priority_handler,
         handlers::set_label_handler,
         handlers::get_global_limit_handler,
-        handlers::set_global_limit_handler
+        handlers::set_global_limit_handler,
+        handlers::auth::login_handler,
+        handlers::auth::logout_handler,
+        handlers::auth::check_auth_handler,
+        handlers::setup::setup_handler,
+        handlers::setup::get_setup_status_handler
     ),
     components(
         schemas(
@@ -118,7 +181,11 @@ struct ApiDoc;
             shared::TorrentTracker,
             shared::SetFilePriorityRequest,
             shared::SetLabelRequest,
-            shared::GlobalLimitRequest
+            shared::GlobalLimitRequest,
+            handlers::auth::LoginRequest,
+            handlers::setup::SetupRequest,
+            handlers::setup::SetupStatusResponse,
+            handlers::auth::UserResponse
         )
     ),
     tags(
@@ -142,10 +209,90 @@ async fn main() {
 
     // Parse CLI Args
     let args = Args::parse();
+
+    // Initialize Database
+    tracing::info!("Connecting to database: {}", args.db_url);
+    // Ensure the db file exists if it's sqlite
+    if args.db_url.starts_with("sqlite:") {
+        let path = args.db_url.trim_start_matches("sqlite:");
+        if !std::path::Path::new(path).exists() {
+            tracing::info!("Database file not found, creating: {}", path);
+            match std::fs::File::create(path) {
+                Ok(_) => tracing::info!("Created empty database file"),
+                Err(e) => tracing::error!("Failed to create database file: {}", e),
+            }
+        }
+    }
+
+    let db: db::Db = match db::Db::new(&args.db_url).await {
+        Ok(db) => db,
+        Err(e) => {
+            tracing::error!("Failed to connect to database: {}", e);
+            std::process::exit(1);
+        }
+    };
+    tracing::info!("Database connected successfully.");
+
+    // Handle Password Reset
+    if let Some(username) = args.reset_password {
+        tracing::info!("Resetting password for user: {}", username);
+
+        // Check if user exists
+        let user_result = db.get_user_by_username(&username).await;
+
+        match user_result {
+            Ok(Some((user_id, _))) => {
+                // Generate random password
+                use rand::{distributions::Alphanumeric, Rng};
+                let new_password: String = rand::thread_rng()
+                    .sample_iter(&Alphanumeric)
+                    .take(12)
+                    .map(char::from)
+                    .collect();
+
+                // Hash password (low cost for performance)
+                let password_hash = match bcrypt::hash(&new_password, 6) {
+                    Ok(h) => h,
+                    Err(e) => {
+                        tracing::error!("Failed to hash password: {}", e);
+                        std::process::exit(1);
+                    }
+                };
+
+                // Update in DB
+                if let Err(e) = db.update_password(user_id, &password_hash).await {
+                     tracing::error!("Failed to update password in DB: {}", e);
+                     std::process::exit(1);
+                }
+
+                println!("--------------------------------------------------");
+                println!("Password reset successfully for user: {}", username);
+                println!("New Password: {}", new_password);
+                println!("--------------------------------------------------");
+
+                // Invalidate existing sessions for security
+                if let Err(e) = db.delete_all_sessions_for_user(user_id).await {
+                    tracing::warn!("Failed to invalidate existing sessions: {}", e);
+                }
+
+                std::process::exit(0);
+            },
+            Ok(None) => {
+                tracing::error!("User '{}' not found.", username);
+                std::process::exit(1);
+            },
+            Err(e) => {
+                tracing::error!("Database error: {}", e);
+                std::process::exit(1);
+            }
+        }
+    }
+
     tracing::info!("Starting VibeTorrent Backend...");
     tracing::info!("Socket: {}", args.socket);
     tracing::info!("Port: {}", args.port);
 
+    // ... rest of the main function ...
     // Startup Health Check
     let socket_path = std::path::Path::new(&args.socket);
     if !socket_path.exists() {
@@ -177,12 +324,25 @@ async fn main() {
     // Channel for Events (Diffs)
     let (event_bus, _) = broadcast::channel::<AppEvent>(1024);
 
+    #[cfg(feature = "push-notifications")]
+    let push_store = match push::PushSubscriptionStore::with_db(&db).await {
+        Ok(store) => store,
+        Err(e) => {
+            tracing::error!("Failed to initialize push store: {}", e);
+            push::PushSubscriptionStore::new()
+        }
+    };
+
+    #[cfg(not(feature = "push-notifications"))]
+    let push_store = ();
+
     let app_state = AppState {
         tx: tx.clone(),
         event_bus: event_bus.clone(),
         scgi_socket_path: args.socket.clone(),
+        db: db.clone(),
         #[cfg(feature = "push-notifications")]
-        push_store: push::PushSubscriptionStore::new(),
+        push_store,
     };
 
     // Spawn background task to poll rTorrent
@@ -306,8 +466,24 @@ async fn main() {
         }
     });
 
-    let app = Router::new()
+    let app = Router::new();
-        .merge(SwaggerUi::new("/swagger-ui").url("/api-docs/openapi.json", ApiDoc::openapi()))
+
+    #[cfg(feature = "swagger")]
+    let app = app.merge(SwaggerUi::new("/swagger-ui").url("/api-docs/openapi.json", ApiDoc::openapi()));
+
+    // Setup & Auth Routes
+    let app = app
+        .route("/api/setup/status", get(handlers::setup::get_setup_status_handler))
+        .route("/api/setup", post(handlers::setup::setup_handler))
+        .route(
+            "/api/auth/login",
+            post(handlers::auth::login_handler).layer(GovernorLayer::new(Arc::new(
+                rate_limit::get_login_rate_limit_config(),
+            ))),
+        )
+        .route("/api/auth/logout", post(handlers::auth::logout_handler))
+        .route("/api/auth/check", get(handlers::auth::check_auth_handler))
+        // App Routes
         .route("/api/events", get(sse::sse_handler))
         .route("/api/torrents/add", post(handlers::add_torrent_handler))
         .route(
@@ -344,6 +520,7 @@ async fn main() {
         .route("/api/push/subscribe", post(handlers::subscribe_push_handler));
 
     let app = app
+        .layer(middleware::from_fn_with_state(app_state.clone(), auth_middleware))
         .layer(TraceLayer::new_for_http())
         .layer(
             CompressionLayer::new()
@@ -372,7 +549,12 @@ async fn main() {
         }
     };
     tracing::info!("Backend listening on {}", addr);
-    if let Err(e) = axum::serve(listener, app).await {
+    if let Err(e) = axum::serve(
+        listener,
+        app.into_make_service_with_connect_info::<SocketAddr>(),
+    )
+    .await
+    {
         tracing::error!("Server error: {}", e);
         std::process::exit(1);
     }

backend/src/push.rs

@@ -5,11 +5,9 @@ use utoipa::ToSchema;
 use web_push::{
     HyperWebPushClient, SubscriptionInfo, VapidSignatureBuilder, WebPushClient, WebPushMessageBuilder,
 };
+use futures::StreamExt;
 
-// VAPID keys - PRODUCTION'DA ENVIRONMENT VARIABLE'DAN ALINMALI!
+use crate::db::Db;
-const VAPID_PUBLIC_KEY: &str = "BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU";
-const VAPID_PRIVATE_KEY: &str = "aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10";
-const VAPID_EMAIL: &str = "mailto:admin@vibetorrent.app";
 
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct PushSubscription {
@@ -23,39 +21,107 @@ pub struct PushKeys {
     pub auth: String,
 }
 
-/// In-memory store for push subscriptions
+#[derive(Clone)]
-/// TODO: Replace with database in production
+pub struct VapidConfig {
-#[derive(Default, Clone)]
+    pub private_key: String,
+    pub public_key: String,
+    pub email: String,
+}
+
+#[derive(Clone)]
 pub struct PushSubscriptionStore {
+    db: Option<Db>,
     subscriptions: Arc<RwLock<Vec<PushSubscription>>>,
+    vapid_config: VapidConfig,
 }
 
 impl PushSubscriptionStore {
     pub fn new() -> Self {
+        let private_key = std::env::var("VAPID_PRIVATE_KEY").expect("VAPID_PRIVATE_KEY must be set in .env");
+        let public_key = std::env::var("VAPID_PUBLIC_KEY").expect("VAPID_PUBLIC_KEY must be set in .env");
+        let email = std::env::var("VAPID_EMAIL").expect("VAPID_EMAIL must be set in .env");
+
         Self {
+            db: None,
             subscriptions: Arc::new(RwLock::new(Vec::new())),
+            vapid_config: VapidConfig {
+                private_key,
+                public_key,
+                email,
+            },
         }
     }
 
+    pub async fn with_db(db: &Db) -> Result<Self, Box<dyn std::error::Error>> {
+        let mut subscriptions_vec: Vec<PushSubscription> = Vec::new();
+
+        // Load existing subscriptions from DB
+        let subs = db.get_all_push_subscriptions().await?;
+        for (endpoint, p256dh, auth) in subs {
+            subscriptions_vec.push(PushSubscription {
+                endpoint,
+                keys: PushKeys { p256dh, auth },
+            });
+        }
+        tracing::info!("Loaded {} push subscriptions from database", subscriptions_vec.len());
+
+        let private_key = std::env::var("VAPID_PRIVATE_KEY").expect("VAPID_PRIVATE_KEY must be set in .env");
+        let public_key = std::env::var("VAPID_PUBLIC_KEY").expect("VAPID_PUBLIC_KEY must be set in .env");
+        let email = std::env::var("VAPID_EMAIL").expect("VAPID_EMAIL must be set in .env");
+
+        Ok(Self {
+            db: Some(db.clone()),
+            subscriptions: Arc::new(RwLock::new(subscriptions_vec)),
+            vapid_config: VapidConfig {
+                private_key,
+                public_key,
+                email,
+            },
+        })
+    }
+
     pub async fn add_subscription(&self, subscription: PushSubscription) {
+        // Add to memory
         let mut subs = self.subscriptions.write().await;
 
         // Remove duplicate endpoint if exists
         subs.retain(|s| s.endpoint != subscription.endpoint);
-        
+        subs.push(subscription.clone());
-        subs.push(subscription);
         tracing::info!("Added push subscription. Total: {}", subs.len());
+
+        // Save to DB if available
+        if let Some(db) = &self.db {
+            if let Err(e) = db.save_push_subscription(
+                &subscription.endpoint,
+                &subscription.keys.p256dh,
+                &subscription.keys.auth,
+            ).await {
+                tracing::error!("Failed to save push subscription to DB: {}", e);
+            }
+        }
     }
 
     pub async fn remove_subscription(&self, endpoint: &str) {
+        // Remove from memory
         let mut subs = self.subscriptions.write().await;
         subs.retain(|s| s.endpoint != endpoint);
         tracing::info!("Removed push subscription. Total: {}", subs.len());
+
+        // Remove from DB if available
+        if let Some(db) = &self.db {
+            if let Err(e) = db.remove_push_subscription(endpoint).await {
+                tracing::error!("Failed to remove push subscription from DB: {}", e);
+            }
+        }
     }
 
     pub async fn get_all_subscriptions(&self) -> Vec<PushSubscription> {
         self.subscriptions.read().await.clone()
     }
+
+    pub fn get_public_key(&self) -> &str {
+        &self.vapid_config.public_key
+    }
 }
 
 /// Send push notification to all subscribed clients
@@ -81,9 +147,18 @@ pub async fn send_push_notification(
         "tag": "vibetorrent"
     });
 
-    let client = HyperWebPushClient::new();
+    let client = Arc::new(HyperWebPushClient::new());
+    let vapid_config = store.vapid_config.clone();
+    let payload_str = payload.to_string();
 
-    for subscription in subscriptions {
+    // Send notifications concurrently
+    futures::stream::iter(subscriptions)
+        .for_each_concurrent(10, |subscription| {
+            let client = client.clone();
+            let vapid_config = vapid_config.clone();
+            let payload_str = payload_str.clone();
+
+            async move {
                 let subscription_info = SubscriptionInfo {
                     endpoint: subscription.endpoint.clone(),
                     keys: web_push::SubscriptionKeys {
@@ -92,36 +167,48 @@ pub async fn send_push_notification(
                     },
                 };
 
-        let mut sig_builder = VapidSignatureBuilder::from_base64(
+                let sig_res = VapidSignatureBuilder::from_base64(
-            VAPID_PRIVATE_KEY,
+                    &vapid_config.private_key,
                     web_push::URL_SAFE_NO_PAD,
                     &subscription_info,
-        )?;
+                );
 
-        sig_builder.add_claim("sub", VAPID_EMAIL);
+                match sig_res {
-        sig_builder.add_claim("aud", subscription.endpoint.clone());
+                    Ok(mut sig_builder) => {
-        let signature = sig_builder.build()?;
+                        sig_builder.add_claim("sub", vapid_config.email.as_str());
+                        sig_builder.add_claim("aud", subscription.endpoint.as_str());
                         
+                        match sig_builder.build() {
+                            Ok(signature) => {
                                 let mut builder = WebPushMessageBuilder::new(&subscription_info);
                                 builder.set_vapid_signature(signature);
-        
-        let payload_str = payload.to_string();
                                 builder.set_payload(web_push::ContentEncoding::Aes128Gcm, payload_str.as_bytes());
 
-        match client.send(builder.build()?).await {
+                                match builder.build() {
+                                    Ok(msg) => {
+                                        match client.send(msg).await {
                                             Ok(_) => {
                                                 tracing::debug!("Push notification sent to: {}", subscription.endpoint);
                                             }
                                             Err(e) => {
-                tracing::error!("Failed to send push notification: {}", e);
+                                                tracing::error!("Failed to send push notification to {}: {}", subscription.endpoint, e);
-                // TODO: Remove invalid subscriptions
                                             }
                                         }
                                     }
+                                    Err(e) => tracing::error!("Failed to build push message: {}", e),
+                                }
+                            }
+                            Err(e) => tracing::error!("Failed to build VAPID signature: {}", e),
+                        }
+                    }
+                    Err(e) => tracing::error!("Failed to create VAPID signature builder: {}", e),
+                }
+            }
+        })
+        .await;
 
         Ok(())
-}
 
-pub fn get_vapid_public_key() -> &'static str {
+    }
-    VAPID_PUBLIC_KEY
+
-}
+    

backend/src/rate_limit.rs

@@ -0,0 +1,16 @@
+use governor::clock::QuantaInstant;
+use governor::middleware::NoOpMiddleware;
+use tower_governor::governor::GovernorConfig;
+use tower_governor::governor::GovernorConfigBuilder;
+use tower_governor::key_extractor::SmartIpKeyExtractor;
+
+pub fn get_login_rate_limit_config() -> GovernorConfig<SmartIpKeyExtractor, NoOpMiddleware<QuantaInstant>> {
+    // 5 yanlış denemeden sonra bloklanır.
+    // Her yeni hak için 60 saniye (1 dakika) bekleme süresi.
+    GovernorConfigBuilder::default()
+        .key_extractor(SmartIpKeyExtractor)
+        .per_second(60) 
+        .burst_size(5)
+        .finish()
+        .unwrap()
+}

docker/runner/Dockerfile

@@ -0,0 +1,96 @@
+# Use a base image that supports multi-arch (x64 and arm64)
+# We use debian:bookworm-slim as base to install everything manually
+# and then install the act_runner binary.
+FROM debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV PATH="/root/.cargo/bin:/root/.node/bin:/root/zig:${PATH}"
+
+# 1. Install Basic Dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    git \
+    build-essential \
+    ca-certificates \
+    wget \
+    xz-utils \
+    libssl-dev \
+    pkg-config \
+    file \
+    jq \
+    # Needed for some crate compilations
+    protobuf-compiler \
+    # Install binaryen to have wasm-opt available system-wide
+    binaryen \
+    && rm -rf /var/lib/apt/lists/*
+
+# 2. Install Node.js v20 (Manual install to support multi-arch cleanly)
+RUN ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
+    elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; fi && \
+    NODE_VER="v20.11.1" && \
+    curl -fsSL "https://nodejs.org/dist/$NODE_VER/node-$NODE_VER-linux-$NODE_ARCH.tar.xz" -o node.tar.xz && \
+    mkdir -p /root/.node && \
+    tar -xJf node.tar.xz -C /root/.node --strip-components=1 && \
+    rm node.tar.xz
+
+# 3. Install Rust (Nightly) + Targets
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain nightly --profile minimal && \
+    . "$HOME/.cargo/env" && \
+    rustup target add wasm32-unknown-unknown && \
+    rustup component add rust-src
+
+# 4. Install Zig (for Cross Compilation)
+RUN ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "amd64" ]; then ZIG_ARCH="x86_64"; \
+    elif [ "$ARCH" = "arm64" ]; then ZIG_ARCH="aarch64"; fi && \
+    ZIG_VER="0.13.0" && \
+    curl -fsSL "https://ziglang.org/download/$ZIG_VER/zig-linux-$ZIG_ARCH-$ZIG_VER.tar.xz" -o zig.tar.xz && \
+    tar -xf zig.tar.xz && \
+    mv "zig-linux-$ZIG_ARCH-$ZIG_VER" /root/zig && \
+    rm zig.tar.xz
+
+# 5. Fix: Create libatomic.a with __atomic_is_lock_free for MIPS
+# MIPS musl static build misses __atomic_is_lock_free.
+# We provide it via pure assembly to avoid Clang builtin conflicts.
+RUN . "$HOME/.cargo/env" && \
+    printf '.text\n.globl __atomic_is_lock_free\n.type __atomic_is_lock_free, @function\n__atomic_is_lock_free:\n  sltiu $v0, $a0, 5\n  jr $ra\n  nop\n.size __atomic_is_lock_free, .-__atomic_is_lock_free\n' > atomic.s && \
+    /root/zig/zig cc -target mips-linux-musl -msoft-float -c -o atomic.o atomic.s && \
+    /root/zig/zig ar rcs libatomic.a atomic.o && \
+    RUST_SYSROOT=$(rustc --print sysroot) && \
+    TARGET_LIB_DIR="$RUST_SYSROOT/lib/rustlib/mips-unknown-linux-musl/lib" && \
+    mkdir -p "$TARGET_LIB_DIR" && \
+    cp libatomic.a "$TARGET_LIB_DIR/" && \
+    rm atomic.s atomic.o libatomic.a
+
+# 6. Install Tools (Trunk, cargo-zigbuild, wasm-bindgen protocol aligned)
+# We install trunk binary to save time, others via cargo
+RUN . "$HOME/.cargo/env" && \
+    # Install cargo-zigbuild
+    cargo install cargo-zigbuild && \
+    # Install trunk (Binary)
+    ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "amd64" ]; then TRUNK_ARCH="x86_64-unknown-linux-gnu"; \
+    elif [ "$ARCH" = "arm64" ]; then TRUNK_ARCH="aarch64-unknown-linux-gnu"; fi && \
+    wget -qO- "https://github.com/trunk-rs/trunk/releases/download/v0.21.14/trunk-$TRUNK_ARCH.tar.gz" | tar -xzf - -C /root/.cargo/bin/ && \
+    chmod +x /root/.cargo/bin/trunk && \
+    # Install wasm-bindgen-cli (Compiling from source to avoid glibc issues, doing it ONCE here)
+    cargo install wasm-bindgen-cli --version 0.2.108
+
+# 7. Install Gitea Act Runner Binary
+# We fetch the binary directly to run as the entrypoint
+RUN ARCH=$(dpkg --print-architecture) && \
+    VERSION="0.2.11" && \
+    curl -fsSL -o /usr/local/bin/act_runner "https://dl.gitea.com/act_runner/$VERSION/act_runner-$VERSION-linux-$ARCH" && \
+    chmod +x /usr/local/bin/act_runner
+
+# Create a volume for registration data
+VOLUME /data
+WORKDIR /data
+
+# Define entrypoint to run the registration or daemon
+# We will use a script to handle auto-registration if env vars are present
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

docker/runner/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+# If GITEA_INSTANCE_URL and GITEA_RUNNER_TOKEN are provided, try to register
+if [ -n "$GITEA_INSTANCE_URL" ] && [ -n "$GITEA_RUNNER_TOKEN" ]; then
+    if [ ! -f ".runner" ]; then
+        echo "Registering runner..."
+        # Register with label 'mips-builder' valid for host execution
+        # plus 'ubuntu-latest' mapped to host for convenience if needed
+        act_runner register \
+          --instance "$GITEA_INSTANCE_URL" \
+          --token "$GITEA_RUNNER_TOKEN" \
+          --name "vibetorrent-mips-runner-$(hostname)" \
+          --labels "mips-builder:host,ubuntu-latest:host" \
+          --no-interactive
+    else
+        echo "Runner already registered."
+    fi
+fi
+
+# Run the daemon
+echo "Starting act_runner daemon..."
+exec act_runner daemon

frontend/Cargo.toml

@@ -21,34 +21,12 @@ wasm-bindgen = "0.2"
 wasm-bindgen-futures = "0.4"
 uuid = { version = "1", features = ["v4", "js"] }
 futures = "0.3"
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { version = "0.4", features = ["serde", "wasm-bindgen"] }
-web-sys = { version = "0.3", features = [
+web-sys = { version = "0.3", features = ["HtmlDivElement", "HtmlUListElement", "HtmlLiElement", "HtmlAnchorElement", "MouseEvent", "Event", "Window", "Document", "Element", "DomTokenList", "CssStyleDeclaration", "Storage", "TouchEvent", "TouchList", "Touch", "Navigator", "Notification", "NotificationOptions", "NotificationPermission", "ServiceWorkerContainer", "ServiceWorkerRegistration", "PushManager", "PushSubscription", "PushSubscriptionOptions", "PushSubscriptionOptionsInit", "HtmlDetailsElement"] }
-    "HtmlDivElement",
-    "HtmlUListElement",
-    "HtmlLiElement",
-    "HtmlAnchorElement",
-    "MouseEvent",
-    "Event",
-    "Window",
-    "Document",
-    "Element",
-    "DomTokenList",
-    "CssStyleDeclaration",
-    "Storage",
-    "TouchEvent",
-    "TouchList",
-    "Touch",
-    "Navigator",
-    "Notification",
-    "NotificationOptions",
-    "NotificationPermission",
-    "ServiceWorkerContainer",
-    "ServiceWorkerRegistration",
-    "PushManager",
-    "PushSubscription",
-    "PushSubscriptionOptions",
-    "PushSubscriptionOptionsInit"
-] }
 shared = { path = "../shared" }
 tailwind_fuse = "0.3.2"
 js-sys = "0.3.85"
+base64 = "0.22.1"
+serde-wasm-bindgen = "0.6.5"
+leptos-use = "0.13"
+codee = "0.2"

frontend/index.html

@@ -86,12 +86,15 @@
             id="app-loading"
             style="
                 display: flex;
+                flex-direction: column;
                 justify-content: center;
                 align-items: center;
                 height: 100vh;
+                font-family: sans-serif;
             "
         >
             <div
+                id="app-loading-spinner"
                 style="
                     width: 40px;
                     height: 40px;
@@ -102,6 +105,32 @@
                     opacity: 0.5;
                 "
             ></div>
+            <div
+                id="app-loading-error"
+                style="display: none; text-align: center; margin-top: 20px; padding: 0 20px"
+            >
+                <p style="color: #ef4444; font-weight: bold; margin-bottom: 8px">
+                    Uygulama yüklenemedi
+                </p>
+                <p style="font-size: 14px; opacity: 0.7">
+                    Bağlantınız yavaş olabilir veya bir sistem hatası oluşmuş olabilir.
+                </p>
+                <button
+                    onclick="location.reload()"
+                    style="
+                        margin-top: 16px;
+                        padding: 8px 16px;
+                        background: #3b82f6;
+                        color: white;
+                        border: none;
+                        border-radius: 6px;
+                        cursor: pointer;
+                        font-weight: 500;
+                    "
+                >
+                    Sayfayı Yenile
+                </button>
+            </div>
         </div>
         <style>
             @keyframes spin {
@@ -115,6 +144,34 @@
             }
         </style>
 
+        <script>
+            // App loading timeout handler
+            (function () {
+                var timeout = setTimeout(function () {
+                    if (!document.body.classList.contains("app-loaded")) {
+                        var spinner = document.getElementById("app-loading-spinner");
+                        var error = document.getElementById("app-loading-error");
+                        if (spinner) spinner.style.display = "none";
+                        if (error) error.style.display = "block";
+                    }
+                }, 15000); // 15 seconds timeout
+
+                // Clean up timeout if app loads
+                var observer = new MutationObserver(function (mutations) {
+                    mutations.forEach(function (mutation) {
+                        if (
+                            mutation.attributeName === "class" &&
+                            document.body.classList.contains("app-loaded")
+                        ) {
+                            clearTimeout(timeout);
+                            observer.disconnect();
+                        }
+                    });
+                });
+                observer.observe(document.body, { attributes: true });
+            })();
+        </script>
+        
         <!-- Service Worker Registration & PWA Setup -->
         <script>
             if ("serviceWorker" in navigator) {

frontend/src/app.rs

@@ -1,94 +1,148 @@
-use crate::components::layout::sidebar::Sidebar;
+use crate::components::layout::protected::Protected;
-use crate::components::layout::statusbar::StatusBar;
-use crate::components::layout::toolbar::Toolbar;
 use crate::components::toast::ToastContainer;
 use crate::components::torrent::table::TorrentTable;
+use crate::components::auth::login::Login;
+use crate::components::auth::setup::Setup;
 use leptos::*;
 use leptos_router::*;
+use serde::Deserialize;
+
+#[derive(Deserialize)]
+struct SetupStatus {
+    completed: bool,
+}
+
+#[derive(Deserialize)]
+struct UserResponse {
+    username: String,
+}
 
 #[component]
 pub fn App() -> impl IntoView {
     crate::store::provide_torrent_store();
 
-    // Initialize push notifications after user grants permission
+    // Auth State
+    let (is_loading, set_is_loading) = create_signal(true);
+    let (is_authenticated, set_is_authenticated) = create_signal(false);
+
+    // Check Auth & Setup Status on load
     create_effect(move |_| {
+        spawn_local(async move {
+            logging::log!("App initialization started...");
+
+            // 1. Check Setup Status
+            let setup_res = gloo_net::http::Request::get("/api/setup/status").send().await;
+
+            match setup_res {
+                Ok(resp) => {
+                    if resp.ok() {
+                        match resp.json::<SetupStatus>().await {
+                            Ok(status) => {
+                                if !status.completed {
+                                    logging::log!("Setup not completed, redirecting to /setup");
+                                    let navigate = use_navigate();
+                                    navigate("/setup", Default::default());
+                                    set_is_loading.set(false);
+                                    return;
+                                }
+                            }
+                            Err(e) => logging::error!("Failed to parse setup status: {}", e),
+                        }
+                    }
+                }
+                Err(e) => logging::error!("Network error checking setup status: {}", e),
+            }
+
+            // 2. Check Auth Status
+            let auth_res = gloo_net::http::Request::get("/api/auth/check").send().await;
+
+                        match auth_res {
+                            Ok(resp) => {
+                                if resp.status() == 200 {
+                                    logging::log!("Authenticated!");
+
+                                    // Parse user info
+                                    if let Ok(user_info) = resp.json::<UserResponse>().await {
+                                        if let Some(store) = use_context::<crate::store::TorrentStore>() {
+                                            store.user.set(Some(user_info.username));
+                                        }
+                                    }
+
+                                    set_is_authenticated.set(true);
+
+                                    // If user is already authenticated but on login/setup page, redirect to home
+                                    let pathname = window().location().pathname().unwrap_or_default();
+                                    if pathname == "/login" || pathname == "/setup" {
+                                        logging::log!("Already authenticated, redirecting to home");
+                                        let navigate = use_navigate();
+                                        navigate("/", Default::default());
+                                    }
+                                } else {
+                                    logging::log!("Not authenticated, redirecting to /login");
+                                    let navigate = use_navigate();
+                                    let pathname = window().location().pathname().unwrap_or_default();
+                                    if pathname != "/login" && pathname != "/setup" {
+                                         navigate("/login", Default::default());
+                                    }
+                                }
+                            }
+                            Err(e) => logging::error!("Network error checking auth status: {}", e),
+                        }
+            set_is_loading.set(false);
+        });
+    });
+    // Initialize push notifications (Only if authenticated)
+    create_effect(move |_| {
+        if is_authenticated.get() {
             spawn_local(async {
+                // ... (Push notification logic kept same, shortened for brevity in this replace)
                 // Wait a bit for service worker to be ready
                 gloo_timers::future::TimeoutFuture::new(2000).await;
 
-            // Check if running on iOS and not standalone
+                if crate::utils::platform::supports_push_notifications() && !crate::utils::platform::is_safari() {
-            if let Some(ios_message) = crate::utils::platform::get_ios_notification_info() {
-                log::warn!("iOS detected: {}", ios_message);
-                
-                // Show toast to inform user
-                if let Some(store) = use_context::<crate::store::TorrentStore>() {
-                    crate::store::show_toast_with_signal(
-                        store.notifications,
-                        shared::NotificationLevel::Info,
-                        ios_message,
-                    );
-                }
-                return;
-            }
-            
-            // Check if push notifications are supported
-            if !crate::utils::platform::supports_push_notifications() {
-                log::warn!("Push notifications not supported on this platform");
-                return;
-            }
-            
-            // Safari requires user gesture for notification permission
-            // Don't auto-request on Safari - user should click a button
-            if crate::utils::platform::is_safari() {
-                log::info!("Safari detected - notification permission requires user interaction");
-                if let Some(store) = use_context::<crate::store::TorrentStore>() {
-                    crate::store::show_toast_with_signal(
-                        store.notifications,
-                        shared::NotificationLevel::Info,
-                        "Bildirim izni için sağ alttaki ayarlar ⚙️ ikonuna basın.".to_string(),
-                    );
-                }
-                return;
-            }
-            
-            // For non-Safari browsers (Chrome, Firefox, Edge), attempt auto-subscribe
-            log::info!("Attempting to subscribe to push notifications...");
                      crate::store::subscribe_to_push_notifications().await;
+                }
             });
+        }
     });
 
     view! {
-        // Main app wrapper - ensures proper stacking context
         <div class="relative w-full h-screen" style="height: 100dvh;">
-            // Drawer layout
-            <div class="drawer lg:drawer-open h-full w-full">
-                <input id="my-drawer" type="checkbox" class="drawer-toggle" />
-
-                <div class="drawer-content flex flex-col h-full overflow-hidden bg-base-100 text-base-content text-sm select-none">
-                    <Toolbar />
-
-                    <main class="flex-1 flex flex-col min-w-0 bg-base-100 overflow-hidden pb-8">
             <Router>
                 <Routes>
-                                <Route path="/" view=move || view! { <TorrentTable /> } />
+                    <Route path="/login" view=move || view! { <Login /> } />
-                                <Route path="/settings" view=move || view! { <div class="p-4">"Settings Page (Coming Soon)"</div> } />
+                    <Route path="/setup" view=move || view! { <Setup /> } />
+
+                    <Route path="/" view=move || {
+                        view! {
+                            <Show when=move || !is_loading.get() fallback=|| view! {
+                                <div class="flex items-center justify-center h-screen bg-base-100">
+                                    <span class="loading loading-spinner loading-lg"></span>
+                                </div>
+                            }>
+                                <Show when=move || is_authenticated.get() fallback=|| ()>
+                                    <Protected>
+                                        <TorrentTable />
+                                    </Protected>
+                                </Show>
+                            </Show>
+                        }
+                    }/>
+
+                    <Route path="/settings" view=move || {
+                        view! {
+                            <Show when=move || !is_loading.get() fallback=|| ()>
+                                <Show when=move || is_authenticated.get() fallback=|| ()>
+                                    <Protected>
+                                        <div class="p-4">"Settings Page (Coming Soon)"</div>
+                                    </Protected>
+                                </Show>
+                            </Show>
+                        }
+                    }/>
                 </Routes>
             </Router>
-                    </main>
 
-                    // StatusBar is rendered via fixed positioning, just mount it here
-                    <StatusBar />
-                </div>
-
-                <div class="drawer-side z-40 transition-none duration-0">
-                    <label for="my-drawer" aria-label="close sidebar" class="drawer-overlay transition-none duration-0"></label>
-                    <div class="menu p-0 min-h-full bg-base-200 text-base-content border-r border-base-300 transition-none duration-0">
-                        <Sidebar />
-                    </div>
-                </div>
-            </div>
-            
-            // Toast container - fixed positioning relative to viewport
             <ToastContainer />
         </div>
     }

frontend/src/components/auth/login.rs

@@ -0,0 +1,133 @@
+use leptos::*;
+use serde::Serialize;
+
+#[derive(Serialize)]
+struct LoginRequest {
+    username: String,
+    password: String,
+    remember_me: bool,
+}
+
+#[component]
+pub fn Login() -> impl IntoView {
+    let (username, set_username) = create_signal(String::new());
+    let (password, set_password) = create_signal(String::new());
+    let (remember_me, set_remember_me) = create_signal(false);
+    let (error, set_error) = create_signal(Option::<String>::None);
+    let (loading, set_loading) = create_signal(false);
+
+    let handle_login = move |ev: web_sys::SubmitEvent| {
+        ev.prevent_default();
+        set_loading.set(true);
+        set_error.set(None);
+
+        logging::log!("Attempting login for user: {}", username.get());
+
+        spawn_local(async move {
+            let req = LoginRequest {
+                username: username.get(),
+                password: password.get(),
+                remember_me: remember_me.get(),
+            };
+
+            let client = gloo_net::http::Request::post("/api/auth/login")
+                .json(&req)
+                .expect("Failed to create request");
+
+            match client.send().await {
+                Ok(resp) => {
+                    logging::log!("Login response status: {}", resp.status());
+                    if resp.ok() {
+                        logging::log!("Login successful, redirecting...");
+                        // Force a full reload to re-run auth checks in App.rs
+                        let _ = window().location().set_href("/");
+                    } else if resp.status() == 429 {
+                        set_error.set(Some("Çok fazla başarısız deneme yaptınız. Lütfen bir süre bekleyip tekrar deneyin.".to_string()));
+                    } else {
+                        let text = resp.text().await.unwrap_or_default();
+                        logging::error!("Login failed: {}", text);
+                        set_error.set(Some("Kullanıcı adı veya şifre hatalı".to_string()));
+                    }
+                }
+                Err(e) => {
+                    logging::error!("Network error: {}", e);
+                    set_error.set(Some("Bağlantı hatası".to_string()));
+                }
+            }
+            set_loading.set(false);
+        });
+    };
+
+    view! {
+        <div class="flex items-center justify-center min-h-screen bg-base-200">
+            <div class="card w-full max-w-sm shadow-xl bg-base-100">
+                <div class="card-body">
+                    <h2 class="card-title justify-center mb-4">"VibeTorrent Giriş"</h2>
+
+                    <form on:submit=handle_login>
+                        <div class="form-control w-full">
+                            <label class="label">
+                                <span class="label-text">"Kullanıcı Adı"</span>
+                            </label>
+                            <input
+                                type="text"
+                                placeholder="Kullanıcı adınız"
+                                class="input input-bordered w-full"
+                                prop:value=username
+                                on:input=move |ev| set_username.set(event_target_value(&ev))
+                                disabled=move || loading.get()
+                            />
+                        </div>
+
+                        <div class="form-control w-full mt-4">
+                            <label class="label">
+                                <span class="label-text">"Şifre"</span>
+                            </label>
+                            <input
+                                type="password"
+                                placeholder="******"
+                                class="input input-bordered w-full"
+                                prop:value=password
+                                on:input=move |ev| set_password.set(event_target_value(&ev))
+                                disabled=move || loading.get()
+                            />
+                        </div>
+
+                        <div class="form-control mt-4">
+                            <label class="label cursor-pointer justify-start gap-3">
+                                <input
+                                    type="checkbox"
+                                    class="checkbox checkbox-primary checkbox-sm"
+                                    prop:checked=remember_me
+                                    on:change=move |ev| set_remember_me.set(event_target_checked(&ev))
+                                    disabled=move || loading.get()
+                                />
+                                <span class="label-text">"Beni Hatırla"</span>
+                            </label>
+                        </div>
+
+                        <Show when=move || error.get().is_some()>
+                            <div class="alert alert-error mt-4 text-sm py-2">
+                                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
+                                <span>{move || error.get()}</span>
+                            </div>
+                        </Show>
+
+                        <div class="card-actions justify-end mt-6">
+                            <button
+                                class="btn btn-primary w-full"
+                                type="submit"
+                                disabled=move || loading.get()
+                            >
+                                <Show when=move || loading.get() fallback=|| "Giriş Yap">
+                                    <span class="loading loading-spinner"></span>
+                                    "Giriş Yapılıyor..."
+                                </Show>
+                            </button>
+                        </div>
+                    </form>
+                </div>
+            </div>
+        </div>
+    }
+}

frontend/src/components/auth/mod.rs

@@ -0,0 +1,2 @@
+pub mod login;
+pub mod setup;

frontend/src/components/auth/setup.rs

@@ -0,0 +1,144 @@
+use leptos::*;
+use serde::Serialize;
+
+#[derive(Serialize)]
+struct SetupRequest {
+    username: String,
+    password: String,
+}
+
+#[component]
+pub fn Setup() -> impl IntoView {
+    let (username, set_username) = create_signal(String::new());
+    let (password, set_password) = create_signal(String::new());
+    let (confirm_password, set_confirm_password) = create_signal(String::new());
+    let (error, set_error) = create_signal(Option::<String>::None);
+    let (loading, set_loading) = create_signal(false);
+
+    let handle_setup = move |ev: web_sys::SubmitEvent| {
+        ev.prevent_default();
+        set_loading.set(true);
+        set_error.set(None);
+
+        let pass = password.get();
+        let confirm = confirm_password.get();
+
+        if pass != confirm {
+            set_error.set(Some("Şifreler eşleşmiyor".to_string()));
+            set_loading.set(false);
+            return;
+        }
+
+        if pass.len() < 6 {
+            set_error.set(Some("Şifre en az 6 karakter olmalıdır".to_string()));
+            set_loading.set(false);
+            return;
+        }
+
+        spawn_local(async move {
+            let req = SetupRequest {
+                username: username.get(),
+                password: pass,
+            };
+
+            let client = gloo_net::http::Request::post("/api/setup")
+                .json(&req)
+                .expect("Failed to create request");
+
+            match client.send().await {
+                Ok(resp) => {
+                    if resp.ok() {
+                        // Redirect to home after setup (auto-login handled by backend)
+                        // Full reload to ensure auth state is refreshed
+                        let _ = window().location().set_href("/");
+                    } else {
+                        let text = resp.text().await.unwrap_or_default();
+                        set_error.set(Some(format!("Hata: {}", text)));
+                    }
+                }
+                Err(_) => {
+                    set_error.set(Some("Bağlantı hatası".to_string()));
+                }
+            }
+            set_loading.set(false);
+        });
+    };
+
+    view! {
+        <div class="flex items-center justify-center min-h-screen bg-base-200">
+            <div class="card w-full max-w-md shadow-xl bg-base-100">
+                <div class="card-body">
+                    <h2 class="card-title justify-center mb-2">"VibeTorrent Kurulumu"</h2>
+                    <p class="text-center text-sm opacity-70 mb-4">"Yönetici hesabınızı oluşturun"</p>
+
+                    <form on:submit=handle_setup>
+                        <div class="form-control w-full">
+                            <label class="label">
+                                <span class="label-text">"Kullanıcı Adı"</span>
+                            </label>
+                            <input
+                                type="text"
+                                placeholder="admin"
+                                class="input input-bordered w-full"
+                                prop:value=username
+                                on:input=move |ev| set_username.set(event_target_value(&ev))
+                                disabled=move || loading.get()
+                                required
+                            />
+                        </div>
+
+                        <div class="form-control w-full mt-4">
+                            <label class="label">
+                                <span class="label-text">"Şifre"</span>
+                            </label>
+                            <input
+                                type="password"
+                                placeholder="******"
+                                class="input input-bordered w-full"
+                                prop:value=password
+                                on:input=move |ev| set_password.set(event_target_value(&ev))
+                                disabled=move || loading.get()
+                                required
+                            />
+                        </div>
+
+                        <div class="form-control w-full mt-4">
+                            <label class="label">
+                                <span class="label-text">"Şifre Tekrar"</span>
+                            </label>
+                            <input
+                                type="password"
+                                placeholder="******"
+                                class="input input-bordered w-full"
+                                prop:value=confirm_password
+                                on:input=move |ev| set_confirm_password.set(event_target_value(&ev))
+                                disabled=move || loading.get()
+                                required
+                            />
+                        </div>
+
+                        <Show when=move || error.get().is_some()>
+                            <div class="alert alert-error mt-4 text-sm py-2">
+                                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
+                                <span>{move || error.get()}</span>
+                            </div>
+                        </Show>
+
+                        <div class="card-actions justify-end mt-6">
+                            <button
+                                class="btn btn-primary w-full"
+                                type="submit"
+                                disabled=move || loading.get()
+                            >
+                                <Show when=move || loading.get() fallback=|| "Kurulumu Tamamla">
+                                    <span class="loading loading-spinner"></span>
+                                    "İşleniyor..."
+                                </Show>
+                            </button>
+                        </div>
+                    </form>
+                </div>
+            </div>
+        </div>
+    }
+}

frontend/src/components/context_menu.rs

@@ -1,4 +1,5 @@
 use leptos::*;
+use leptos_use::on_click_outside;
 
 #[component]
 pub fn ContextMenu(
@@ -8,6 +9,10 @@ pub fn ContextMenu(
     on_close: Callback<()>,
     on_action: Callback<(String, String)>, // (Action, Hash)
 ) -> impl IntoView {
+    let container_ref = create_node_ref::<html::Div>();
+    
+    let _ = on_click_outside(container_ref, move |_| on_close.call(()));
+
     let handle_action = move |action: &str| {
         let hash = torrent_hash.clone();
         let action_str = action.to_string();
@@ -22,16 +27,8 @@ pub fn ContextMenu(
     }
 
     view! {
-        // Backdrop to catch clicks outside
-        <div 
-            class="fixed inset-0 z-[99] cursor-default" 
-            role="button"
-            tabindex="-1"
-            on:click=move |_| on_close.call(())
-            on:contextmenu=move |e| e.prevent_default()
-        ></div>
-
         <div 
+            node_ref=container_ref
             class="fixed z-[100] min-w-[200px] animate-in fade-in zoom-in-95 duration-100"
             style=format!("left: {}px; top: {}px", position.0, position.1)
             on:contextmenu=move |e| e.prevent_default()

frontend/src/components/layout/mod.rs

@@ -1,3 +1,4 @@
 pub mod sidebar;
-pub mod toolbar;
 pub mod statusbar;
+pub mod toolbar;
+pub mod protected;

frontend/src/components/layout/protected.rs

@@ -0,0 +1,30 @@
+use leptos::*;
+use crate::components::layout::sidebar::Sidebar;
+use crate::components::layout::statusbar::StatusBar;
+use crate::components::layout::toolbar::Toolbar;
+
+#[component]
+pub fn Protected(children: Children) -> impl IntoView {
+    view! {
+        <div class="drawer lg:drawer-open h-full w-full">
+            <input id="my-drawer" type="checkbox" class="drawer-toggle" />
+
+            <div class="drawer-content flex flex-col h-full overflow-hidden bg-base-100 text-base-content text-sm select-none">
+                <Toolbar />
+
+                <main class="flex-1 flex flex-col min-w-0 bg-base-100 overflow-hidden pb-8">
+                    {children()}
+                </main>
+
+                <StatusBar />
+            </div>
+
+            <div class="drawer-side z-40 transition-none duration-0">
+                <label for="my-drawer" aria-label="close sidebar" class="drawer-overlay transition-none duration-0"></label>
+                <div class="menu p-0 min-h-full bg-base-200 text-base-content border-r border-base-300 transition-none duration-0">
+                    <Sidebar />
+                </div>
+            </div>
+        </div>
+    }
+}

frontend/src/components/layout/sidebar.rs

@@ -74,69 +74,202 @@ pub fn Sidebar() -> impl IntoView {
         }
     };
 
-    view! {
+    let handle_logout = move |_| {
-        <div class="w-64 h-full flex flex-col bg-base-200 border-r border-base-300" style="padding-top: env(safe-area-inset-top);">
+        spawn_local(async move {
-            <div class="p-2">
+            let client = gloo_net::http::Request::post("/api/auth/logout");
-                <ul class="menu w-full rounded-box gap-1">
+            if let Ok(resp) = client.send().await {
-                    <li class="menu-title text-primary uppercase font-bold px-4">"Filters"</li>
+                if resp.ok() {
-                    <li>
+                    // Force full reload to clear state
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::All))} on:click=move |_| set_filter(crate::store::FilterStatus::All)>
+                    let _ = window().location().set_href("/login");
-                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
-                                <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
-                            </svg>
-                            "All"
-                            <span class="badge badge-sm badge-ghost ml-auto">{total_count}</span>
-                        </button>
-                    </li>
-                    <li>
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Downloading))} on:click=move |_| set_filter(crate::store::FilterStatus::Downloading)>
-                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
-                                <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5M16.5 12L12 16.5m0 0L7.5 12m4.5 4.5V3" />
-                            </svg>
-                            "Downloading"
-                            <span class="badge badge-sm badge-ghost ml-auto">{downloading_count}</span>
-                        </button>
-                    </li>
-                    <li>
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Seeding))} on:click=move |_| set_filter(crate::store::FilterStatus::Seeding)>
-                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
-                                <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5m-13.5-9L12 3m0 0l4.5 4.5M12 3v13.5" />
-                            </svg>
-                            "Seeding"
-                            <span class="badge badge-sm badge-ghost ml-auto">{seeding_count}</span>
-                        </button>
-                    </li>
-                    <li>
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Completed))} on:click=move |_| set_filter(crate::store::FilterStatus::Completed)>
-                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
-                                <path stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-                            </svg>
-                            "Completed"
-                            <span class="badge badge-sm badge-ghost ml-auto">{completed_count}</span>
-                        </button>
-                    </li>
-                    <li>
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Paused))} on:click=move |_| set_filter(crate::store::FilterStatus::Paused)>
-                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
-                                <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 5.25v13.5m-7.5-13.5v13.5" />
-                            </svg>
-                            "Paused"
-                            <span class="badge badge-sm badge-ghost ml-auto">{paused_count}</span>
-                        </button>
-                    </li>
-                    <li>
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Inactive))} on:click=move |_| set_filter(crate::store::FilterStatus::Inactive)>
-                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
-                                <path stroke-linecap="round" stroke-linejoin="round" d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728A9 9 0 015.636 5.636m12.728 12.728L5.636 5.636" />
-                            </svg>
-                            "Inactive"
-                             <span class="badge badge-sm badge-ghost ml-auto">{inactive_count}</span>
-                        </button>
-                    </li>
-                </ul>
-            </div>
-
-
-        </div>
                 }
-}
+            }
+        });
+    };
+
+                let username = move || {
+
+                    store.user.get().unwrap_or_else(|| "User".to_string())
+
+                };
+
+
+
+                let first_letter = move || {
+
+                    username().chars().next().unwrap_or('?').to_uppercase().to_string()
+
+                };
+
+
+
+                view! {
+
+                    <div class="w-64 min-h-[100dvh] flex flex-col bg-base-200 border-r border-base-300 pb-8" style="padding-top: env(safe-area-inset-top);">
+
+                        <div class="p-2 flex-1 overflow-y-auto">
+
+                            <ul class="menu w-full rounded-box gap-1">
+
+                                <li class="menu-title text-primary uppercase font-bold px-4">"Filters"</li>
+
+                                <li>
+
+                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::All))} on:click=move |_| set_filter(crate::store::FilterStatus::All)>
+
+                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
+
+                                            <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
+
+                                        </svg>
+
+                                        "All"
+
+                                        <span class="badge badge-sm badge-ghost ml-auto">{total_count}</span>
+
+                                    </button>
+
+                                </li>
+
+                                <li>
+
+                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Downloading))} on:click=move |_| set_filter(crate::store::FilterStatus::Downloading)>
+
+                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
+
+                                            <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5M16.5 12L12 16.5m0 0L7.5 12m4.5 4.5V3" />
+
+                                        </svg>
+
+                                        "Downloading"
+
+                                        <span class="badge badge-sm badge-ghost ml-auto">{downloading_count}</span>
+
+                                    </button>
+
+                                </li>
+
+                                <li>
+
+                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Seeding))} on:click=move |_| set_filter(crate::store::FilterStatus::Seeding)>
+
+                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
+
+                                            <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5m-13.5-9L12 3m0 0l4.5 4.5M12 3v13.5" />
+
+                                        </svg>
+
+                                        "Seeding"
+
+                                        <span class="badge badge-sm badge-ghost ml-auto">{seeding_count}</span>
+
+                                    </button>
+
+                                </li>
+
+                                <li>
+
+                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Completed))} on:click=move |_| set_filter(crate::store::FilterStatus::Completed)>
+
+                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
+
+                                            <path stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+
+                                        </svg>
+
+                                        "Completed"
+
+                                        <span class="badge badge-sm badge-ghost ml-auto">{completed_count}</span>
+
+                                    </button>
+
+                                </li>
+
+                                <li>
+
+                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Paused))} on:click=move |_| set_filter(crate::store::FilterStatus::Paused)>
+
+                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
+
+                                            <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 5.25v13.5m-7.5-13.5v13.5" />
+
+                                        </svg>
+
+                                        "Paused"
+
+                                        <span class="badge badge-sm badge-ghost ml-auto">{paused_count}</span>
+
+                                    </button>
+
+                                </li>
+
+                                <li>
+
+                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Inactive))} on:click=move |_| set_filter(crate::store::FilterStatus::Inactive)>
+
+                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
+
+                                            <path stroke-linecap="round" stroke-linejoin="round" d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728A9 9 0 015.636 5.636m12.728 12.728L5.636 5.636" />
+
+                                        </svg>
+
+                                        "Inactive"
+
+                                         <span class="badge badge-sm badge-ghost ml-auto">{inactive_count}</span>
+
+                                    </button>
+
+                                </li>
+
+                            </ul>
+
+                        </div>
+
+
+
+                        <div class="p-4 border-t border-base-300 bg-base-200/50">
+
+                            <div class="flex items-center gap-3">
+
+                                <div class="avatar">
+
+                                    <div class="w-8 rounded-full bg-neutral text-neutral-content ring ring-primary ring-offset-base-100 ring-offset-1">
+
+                                        <span class="text-sm font-bold flex items-center justify-center h-full">{first_letter}</span>
+
+                                    </div>
+
+                                </div>
+
+                                <div class="flex-1 overflow-hidden">
+
+                                    <div class="font-bold text-sm truncate">{username}</div>
+
+                                    <div class="text-[10px] text-base-content/60 truncate">"Online"</div>
+
+                                </div>
+
+                                <button
+
+                                    class="btn btn-ghost btn-xs btn-square text-error hover:bg-error/10"
+
+                                    title="Logout"
+
+                                    on:click=handle_logout
+
+                                >
+
+                                    <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-4 h-4">
+
+                                        <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 9V5.25A2.25 2.25 0 0013.5 3h-6a2.25 2.25 0 00-2.25 2.25v13.5A2.25 2.25 0 007.5 21h6a2.25 2.25 0 002.25-2.25V15M12 9l-3 3m0 0l3 3m-3-3h12.75" />
+
+                                    </svg>
+
+                                </button>
+
+                            </div>
+
+                        </div>
+
+                    </div>
+
+                }}

frontend/src/components/layout/statusbar.rs

@@ -1,4 +1,7 @@
 use leptos::*;
+use leptos_use::on_click_outside;
+use leptos_use::storage::use_local_storage;
+use codee::string::FromToStringCodec;
 use shared::GlobalLimitRequest;
 
 fn format_bytes(bytes: i64) -> String {
@@ -26,34 +29,19 @@ pub fn StatusBar() -> impl IntoView {
     let store = use_context::<crate::store::TorrentStore>().expect("store not provided");
     let stats = store.global_stats;
 
-    let initial_theme = if let Some(win) = web_sys::window() {
+    // Use leptos-use for reactive localStorage management
-        if let Some(doc) = win.document() {
+    let (current_theme, set_current_theme, _) = use_local_storage::<String, FromToStringCodec>("vibetorrent_theme");
-            doc.document_element()
+
-                .and_then(|el| el.get_attribute("data-theme"))
+    // Initialize with default if empty
-                .unwrap_or_else(|| "dark".to_string())
+    if current_theme.get_untracked().is_empty() {
-        } else {
+        set_current_theme.set("dark".to_string());
-            "dark".to_string()
     }
-    } else {
-        "dark".to_string()
-    };
-
-    let (current_theme, set_current_theme) = create_signal(initial_theme);
 
+    // Automatically sync theme to document attribute
     create_effect(move |_| {
-        if let Some(win) = web_sys::window() {
+        let theme = current_theme.get().to_lowercase();
-            if let Some(storage) = win.local_storage().ok().flatten() {
+        if let Some(doc) = document().document_element() {
-                if let Ok(Some(stored_theme)) = storage.get_item("vibetorrent_theme") {
+            let _ = doc.set_attribute("data-theme", &theme);
-                    let theme = stored_theme.to_lowercase();
-                    set_current_theme.set(theme.clone());
-                    if let Some(doc) = win.document() {
-                        let _ = doc
-                            .document_element()
-                            .unwrap()
-                            .set_attribute("data-theme", &theme);
-                    }
-                }
-            }
         }
     });
 
@@ -109,50 +97,28 @@ pub fn StatusBar() -> impl IntoView {
         });
     };
 
-    // Signal-based dropdown state: 0=none, 1=download, 2=upload, 3=theme
+        // Refs for click outside detection
-    let (active_dropdown, set_active_dropdown) = create_signal(0u8);
+        let down_details_ref = create_node_ref::<html::Details>();
-    // Guard to prevent global close from firing right after toggle opens
+        let up_details_ref = create_node_ref::<html::Details>();
-    let skip_next_close = store_value(false);
+        let theme_details_ref = create_node_ref::<html::Details>();
 
-    // Toggle a specific dropdown
+        // Helper to close a details element
-    let toggle = move |id: u8| {
+        let close_details = |node_ref: NodeRef<html::Details>| {
-        let current = active_dropdown.get_untracked();
+            if let Some(el) = node_ref.get_untracked() {
-        if current == id {
+                el.set_open(false);
-            set_active_dropdown.set(0);
-        } else {
-            set_active_dropdown.set(id);
-            // Mark that the next global close should be skipped
-            skip_next_close.set_value(true);
             }
         };
 
-    // Close all dropdowns
+        let _ = on_click_outside(down_details_ref, move |_| close_details(down_details_ref));
-    let close_all = move || {
+        let _ = on_click_outside(up_details_ref, move |_| close_details(up_details_ref));
-        set_active_dropdown.set(0);
+        let _ = on_click_outside(theme_details_ref, move |_| close_details(theme_details_ref));
-    };
-
-    // Close dropdowns when tapping outside — uses click (fires after pointerdown)
-    let _ = window_event_listener(ev::click, move |_| {
-        if skip_next_close.get_value() {
-            skip_next_close.set_value(false);
-            return;
-        }
-        set_active_dropdown.set(0);
-    });
 
         view! {
             <div class="fixed bottom-0 left-0 right-0 h-8 min-h-8 bg-base-200 border-t border-base-300 flex items-center px-4 text-xs gap-4 text-base-content/70 z-[99]">
 
                 // --- DOWNLOAD SPEED DROPDOWN ---
-            <div class="relative">
+                <details class="dropdown dropdown-top" node_ref=down_details_ref>
-                <div
+                    <summary class="flex items-center gap-2 cursor-pointer hover:text-primary transition-colors select-none list-none marker:hidden">
-                    class="flex items-center gap-2 cursor-pointer hover:text-primary transition-colors select-none"
-                    title="Global Download Speed - Click to Set Limit"
-                    on:pointerdown=move |e| {
-                        e.stop_propagation();
-                        toggle(1);
-                    }
-                >
                         <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-4 h-4">
                             <path stroke-linecap="round" stroke-linejoin="round" d="M19.5 13.5L12 21m0 0l-7.5-7.5M12 21V3" />
                         </svg>
@@ -162,13 +128,9 @@ pub fn StatusBar() -> impl IntoView {
                                 {move || format!("(Limit: {})", format_speed(stats.get().down_limit.unwrap_or(0)))}
                             </span>
                         </Show>
-                </div>
+                    </summary>
 
-                <ul
+                    <ul class="dropdown-content z-[100] menu p-2 shadow bg-base-200 rounded-box w-40 mb-2 border border-base-300">
-                    class="absolute bottom-full left-0 z-[100] menu p-2 shadow bg-base-200 rounded-box w-40 mb-2 border border-base-300"
-                    style=move || if active_dropdown.get() == 1 { "display: block" } else { "display: none" }
-                    on:pointerdown=move |e| e.stop_propagation()
-                >
                         {
                             limits.clone().into_iter().map(|(val, label)| {
                                 let is_active = move || {
@@ -179,10 +141,9 @@ pub fn StatusBar() -> impl IntoView {
                                     <li>
                                         <button
                                             class=move || if is_active() { "bg-primary/10 text-primary font-bold text-xs flex justify-between" } else { "text-xs flex justify-between" }
-                                        on:pointerdown=move |e| {
+                                            on:click=move |_| {
-                                            e.stop_propagation();
                                                 set_limit("down", val);
-                                            close_all();
+                                                close_details(down_details_ref);
                                             }
                                         >
                                             {label}
@@ -195,18 +156,11 @@ pub fn StatusBar() -> impl IntoView {
                             }).collect::<Vec<_>>()
                         }
                     </ul>
-            </div>
+                </details>
 
                 // --- UPLOAD SPEED DROPDOWN ---
-            <div class="relative">
+                <details class="dropdown dropdown-top" node_ref=up_details_ref>
-                <div
+                    <summary class="flex items-center gap-2 cursor-pointer hover:text-primary transition-colors select-none list-none marker:hidden">
-                    class="flex items-center gap-2 cursor-pointer hover:text-primary transition-colors select-none"
-                    title="Global Upload Speed - Click to Set Limit"
-                    on:pointerdown=move |e| {
-                        e.stop_propagation();
-                        toggle(2);
-                    }
-                >
                         <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-4 h-4">
                             <path stroke-linecap="round" stroke-linejoin="round" d="M4.5 10.5L12 3m0 0l7.5 7.5M12 3v18" />
                         </svg>
@@ -216,13 +170,9 @@ pub fn StatusBar() -> impl IntoView {
                                 {move || format!("(Limit: {})", format_speed(stats.get().up_limit.unwrap_or(0)))}
                             </span>
                         </Show>
-                </div>
+                    </summary>
 
-                <ul
+                    <ul class="dropdown-content z-[100] menu p-2 shadow bg-base-200 rounded-box w-40 mb-2 border border-base-300">
-                    class="absolute bottom-full left-0 z-[100] menu p-2 shadow bg-base-200 rounded-box w-40 mb-2 border border-base-300"
-                    style=move || if active_dropdown.get() == 2 { "display: block" } else { "display: none" }
-                    on:pointerdown=move |e| e.stop_propagation()
-                >
                         {
                             limits.clone().into_iter().map(|(val, label)| {
                                 let is_active = move || {
@@ -233,10 +183,9 @@ pub fn StatusBar() -> impl IntoView {
                                     <li>
                                         <button
                                             class=move || if is_active() { "bg-primary/10 text-primary font-bold text-xs flex justify-between" } else { "text-xs flex justify-between" }
-                                        on:pointerdown=move |e| {
+                                            on:click=move |_| {
-                                            e.stop_propagation();
                                                 set_limit("up", val);
-                                            close_all();
+                                                close_details(up_details_ref);
                                             }
                                         >
                                             {label}
@@ -249,28 +198,17 @@ pub fn StatusBar() -> impl IntoView {
                             }).collect::<Vec<_>>()
                         }
                     </ul>
-            </div>
+                </details>
 
                 <div class="ml-auto flex items-center gap-4">
-                <div class="relative">
+                    <details class="dropdown dropdown-top dropdown-end" node_ref=theme_details_ref>
-                    <div
+                        <summary class="btn btn-ghost btn-xs btn-square">
-                        class="btn btn-ghost btn-xs btn-square"
-                        title="Change Theme"
-                        on:pointerdown=move |e| {
-                            e.stop_propagation();
-                            toggle(3);
-                        }
-                    >
                             <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-4 h-4">
                                 <path stroke-linecap="round" stroke-linejoin="round" d="M9.53 16.122a3 3 0 0 0-5.78 1.128 2.25 2.25 0 0 1-2.4 2.245 4.5 4.5 0 0 0 8.4-2.245c0-.399-.078-.78-.22-1.128Zm0 0a15.998 15.998 0 0 0 3.388-1.62m-5.043-.025a15.994 15.994 0 0 1 1.622-3.395m3.42 3.42a15.995 15.995 0 0 0 4.764-4.648l3.876-5.814a1.151 1.151 0 0 0-1.597-1.597L14.146 6.32a15.996 15.996 0 0 0-4.649 4.763m3.42 3.42a6.776 6.776 0 0 0-3.42-3.42" />
                             </svg>
-                    </div>
+                        </summary>
 
-                    <ul
+                        <ul class="dropdown-content z-[100] menu p-2 shadow bg-base-200 rounded-box w-52 mb-2 border border-base-300 max-h-96 overflow-y-auto">
-                        class="absolute bottom-full right-0 z-[100] menu p-2 shadow bg-base-200 rounded-box w-52 mb-2 border border-base-300 max-h-96 overflow-y-auto"
-                        style=move || if active_dropdown.get() == 3 { "display: block" } else { "display: none" }
-                        on:pointerdown=move |e| e.stop_propagation()
-                    >
                             {
                                 let themes = vec![
                                     "light", "dark", "dim", "nord", "cupcake", "dracula", "cyberpunk", "emerald", "sunset", "abyss"
@@ -280,18 +218,9 @@ pub fn StatusBar() -> impl IntoView {
                                         <li>
                                             <button
                                                 class=move || if current_theme.get() == theme { "bg-primary/10 text-primary font-bold text-xs capitalize" } else { "text-xs capitalize" }
-                                            on:pointerdown=move |e| {
+                                                on:click=move |_| {
-                                                e.stop_propagation();
                                                     set_current_theme.set(theme.to_string());
-                                                if let Some(win) = web_sys::window() {
+                                                    close_details(theme_details_ref);
-                                                    if let Some(doc) = win.document() {
-                                                        let _ = doc.document_element().unwrap().set_attribute("data-theme", theme);
-                                                    }
-                                                    if let Some(storage) = win.local_storage().ok().flatten() {
-                                                        let _ = storage.set_item("vibetorrent_theme", theme);
-                                                    }
-                                                }
-                                                close_all();
                                                 }
                                             >
                                                 {theme}
@@ -301,8 +230,7 @@ pub fn StatusBar() -> impl IntoView {
                                 }).collect::<Vec<_>>()
                             }
                         </ul>
-                </div>
+                    </details>
-
                 <button
                     class="btn btn-ghost btn-xs btn-square"
                     title="Settings & Notification Permissions"

frontend/src/components/mod.rs

@@ -3,3 +3,4 @@ pub mod layout;
 pub mod modal;
 pub mod toast;
 pub mod torrent;
+pub mod auth;

frontend/src/components/torrent/table.rs

@@ -1,6 +1,5 @@
 use leptos::*;
-use wasm_bindgen::closure::Closure;
+use leptos_use::{on_click_outside, use_timeout_fn};
-use wasm_bindgen::JsCast;
 use crate::store::{get_action_messages, show_toast_with_signal};
 use shared::NotificationLevel;
 
@@ -45,6 +44,17 @@ fn format_duration(seconds: i64) -> String {
     }
 }
 
+fn format_date(timestamp: i64) -> String {
+    if timestamp <= 0 {
+        return "N/A".to_string();
+    }
+    let dt = chrono::DateTime::from_timestamp(timestamp, 0);
+    match dt {
+        Some(dt) => dt.format("%d/%m/%Y %H:%M").to_string(),
+        None => "N/A".to_string(),
+    }
+}
+
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 enum SortColumn {
     Name,
@@ -54,6 +64,7 @@ enum SortColumn {
     DownSpeed,
     UpSpeed,
     ETA,
+    AddedDate,
 }
 
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
@@ -66,8 +77,8 @@ enum SortDirection {
 pub fn TorrentTable() -> impl IntoView {
     let store = use_context::<crate::store::TorrentStore>().expect("store not provided");
 
-    let sort_col = create_rw_signal(SortColumn::Name);
+    let sort_col = create_rw_signal(SortColumn::AddedDate);
-    let sort_dir = create_rw_signal(SortDirection::Ascending);
+    let sort_dir = create_rw_signal(SortDirection::Descending);
 
     let filtered_torrents = move || {
         let mut torrents = store
@@ -127,6 +138,7 @@ pub fn TorrentTable() -> impl IntoView {
                     let b_eta = if b.eta <= 0 { i64::MAX } else { b.eta };
                     a_eta.cmp(&b_eta)
                 }
+                SortColumn::AddedDate => a.added_date.cmp(&b.added_date),
             };
             if dir == SortDirection::Descending {
                 cmp.reverse()
@@ -154,14 +166,8 @@ pub fn TorrentTable() -> impl IntoView {
 
     // Signal-based sort dropdown for mobile
     let (sort_open, set_sort_open) = create_signal(false);
-    let sort_skip_close = store_value(false);
+    let sort_menu_ref = create_node_ref::<html::Div>();
-    let _ = window_event_listener(ev::click, move |_| {
+    let _ = on_click_outside(sort_menu_ref, move |_| set_sort_open.set(false));
-        if sort_skip_close.get_value() {
-            sort_skip_close.set_value(false);
-            return;
-        }
-        set_sort_open.set(false);
-    });
 
     let sort_arrow = move |col: SortColumn| {
         if sort_col.get() == col {
@@ -272,6 +278,9 @@ pub fn TorrentTable() -> impl IntoView {
                             <th class="w-24 cursor-pointer hover:bg-base-300 group select-none" on:click=move |_| handle_sort(SortColumn::ETA)>
                                  <div class="flex items-center">"ETA" {move || sort_arrow(SortColumn::ETA)}</div>
                             </th>
+                            <th class="w-32 cursor-pointer hover:bg-base-300 group select-none" on:click=move |_| handle_sort(SortColumn::AddedDate)>
+                                 <div class="flex items-center">"Date" {move || sort_arrow(SortColumn::AddedDate)}</div>
+                            </th>
                         </tr>
                     </thead>
                     <tbody>
@@ -325,6 +334,7 @@ pub fn TorrentTable() -> impl IntoView {
                                     <td class="text-right font-mono text-[11px] opacity-80 text-success">{format_speed(t.down_rate)}</td>
                                     <td class="text-right font-mono text-[11px] opacity-80 text-primary">{format_speed(t.up_rate)}</td>
                                     <td class="text-right font-mono text-[11px] opacity-80">{format_duration(t.eta)}</td>
+                                    <td class="text-right font-mono text-[11px] opacity-80 whitespace-nowrap">{format_date(t.added_date)}</td>
                                 </tr>
                             }
                         }).collect::<Vec<_>>()}
@@ -332,23 +342,17 @@ pub fn TorrentTable() -> impl IntoView {
                 </table>
             </div>
 
-            <div class="md:hidden flex flex-col h-full bg-base-200">
+                        <div class="md:hidden flex flex-col h-full bg-base-200 relative">
                             <div class="px-3 py-2 border-b border-base-200 flex justify-between items-center bg-base-100/95 backdrop-blur z-10 shrink-0">
                                 <span class="text-xs font-bold opacity-50 uppercase tracking-wider">"Torrents"</span>
 
-                    <div class="relative">
+                                <div class="relative" node_ref=sort_menu_ref>
                                     <div
                                         role="button"
                                         class="btn btn-ghost btn-xs gap-1 opacity-70 font-normal"
-                            on:pointerdown=move |e| {
+                                        on:click=move |_| {
-                                e.stop_propagation();
                                             let cur = sort_open.get_untracked();
-                                if cur {
+                                            set_sort_open.set(!cur);
-                                    set_sort_open.set(false);
-                                } else {
-                                    set_sort_open.set(true);
-                                    sort_skip_close.set_value(true);
-                                }
                                         }
                                     >
                                         <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-4 h-4">
@@ -359,7 +363,6 @@ pub fn TorrentTable() -> impl IntoView {
                                     <ul
                                         class="absolute top-full right-0 z-[100] menu p-2 shadow bg-base-100 rounded-box w-48 mt-1 border border-base-200 text-xs"
                                         style=move || if sort_open.get() { "display: block" } else { "display: none" }
-                            on:pointerdown=move |e| e.stop_propagation()
                                     >
                                          <li class="menu-title px-2 py-1 opacity-50 text-[10px] uppercase font-bold">"Sort By"</li>
                                          {
@@ -371,6 +374,7 @@ pub fn TorrentTable() -> impl IntoView {
                                                   (SortColumn::DownSpeed, "Down Speed"),
                                                   (SortColumn::UpSpeed, "Up Speed"),
                                                   (SortColumn::ETA, "ETA"),
+                                                  (SortColumn::AddedDate, "Date"),
                                               ];
 
                                               columns.into_iter().map(|(col, label)| {
@@ -380,9 +384,9 @@ pub fn TorrentTable() -> impl IntoView {
                                                   view! {
                                                       <li>
                                                           <button
+                                                              type="button"
                                                               class=move || if is_active() { "bg-primary/10 text-primary font-bold flex justify-between" } else { "flex justify-between" }
-                                                 on:pointerdown=move |e| {
+                                                              on:click=move |_| {
-                                                     e.stop_propagation();
                                                                   handle_sort(col);
                                                                   set_sort_open.set(false);
                                                               }
@@ -405,8 +409,7 @@ pub fn TorrentTable() -> impl IntoView {
                                 </div>
                             </div>
 
-                <div class="overflow-y-auto p-3 pb-20 flex-1 grid grid-cols-1 content-start gap-3">
+                            <div class="overflow-y-auto p-3 pb-20 flex-1 grid grid-cols-1 content-start gap-3">                {move || filtered_torrents().into_iter().map(|t| {
-                {move || filtered_torrents().into_iter().map(|t| {
                     let progress_class = if t.percent_complete >= 100.0 { "progress-success" } else { "progress-primary" };
                     let status_str = format!("{:?}", t.status);
                     let status_badge_class = match t.status {
@@ -419,58 +422,45 @@ pub fn TorrentTable() -> impl IntoView {
                     let _t_hash = t.hash.clone();
                     let t_hash_click = t.hash.clone();
 
-                    let (timer_id, set_timer_id) = create_signal(Option::<i32>::None);
                     let t_hash_long = t.hash.clone();
-
+                    let leptos_use::UseTimeoutFnReturn { start, stop, .. } = use_timeout_fn(
-                    let clear_timer = move || {
+                        move |pos: (i32, i32)| {
-                        if let Some(id) = timer_id.get_untracked() {
+                            set_menu_position.set(pos);
-                            window().clear_timeout_with_handle(id);
+                            set_selected_hash.set(Some(t_hash_long.clone()));
-                            set_timer_id.set(None);
-                        }
-                    };
-
-                    let handle_touchstart = {
-                         let t_hash = t_hash_long.clone();
-                         move |e: web_sys::TouchEvent| {
-                            clear_timer();
-                            if let Some(touch) = e.touches().get(0) {
-                                let x = touch.client_x();
-                                let y = touch.client_y();
-                                let hash = t_hash.clone();
-
-                                let closure = Closure::wrap(Box::new(move || {
-                                    set_menu_position.set((x, y));
-                                    set_selected_hash.set(Some(hash.clone()));
                             set_menu_visible.set(true);
 
-                                    // Haptic feedback (iOS Safari doesn't support vibrate)
+                            // Haptic feedback
                             let navigator = window().navigator();
-                                    if js_sys::Reflect::has(&navigator, &wasm_bindgen::JsValue::from_str("vibrate")).unwrap_or(false) {
+                            if let Ok(vibrate) = js_sys::Reflect::get(&navigator, &"vibrate".into()) {
+                                if vibrate.is_function() {
                                     let _ = navigator.vibrate_with_duration(50);
                                 }
-                                }) as Box<dyn Fn()>);
+                            }
+                        },
+                        600.0,
+                    );
 
-                                let id = window()
+                    let handle_touchstart = {
-                                    .set_timeout_with_callback_and_timeout_and_arguments_0(
+                        let start = start.clone();
-                                        closure.as_ref().unchecked_ref(),
+                        move |e: web_sys::TouchEvent| {
-                                        600
+                            if let Some(touch) = e.touches().get(0) {
-                                    )
+                                start((touch.client_x(), touch.client_y()));
-                                    .unwrap_or(0);
-
-                                closure.forget();
-                                set_timer_id.set(Some(id));
                             }
                         }
                     };
 
-                    let handle_touchmove = move |_| {
+                    let handle_touchmove = {
-                        clear_timer();
+                        let stop = stop.clone();
+                        move |_| stop()
                     };
 
-                    let handle_touchend = move |_| {
+                    let handle_touchend = {
-                        clear_timer();
+                        let stop = stop.clone();
+                        move |_| stop()
                     };
 
+                    let handle_touchcancel = move |_| stop();
+
                     view! {
                         <div
                             class=move || {
@@ -488,7 +478,7 @@ pub fn TorrentTable() -> impl IntoView {
                             on:touchstart=handle_touchstart
                             on:touchmove=handle_touchmove
                             on:touchend=handle_touchend
-                            on:touchcancel=handle_touchend
+                            on:touchcancel=handle_touchcancel
                         >
                             <div class="card-body gap-3">
                                 <div class="flex justify-between items-start gap-2">
@@ -506,7 +496,7 @@ pub fn TorrentTable() -> impl IntoView {
                                     <progress class={format!("progress w-full h-1.5 {}", progress_class)} value={t.percent_complete} max="100"></progress>
                                 </div>
 
-                                <div class="grid grid-cols-3 gap-2 text-[10px] font-mono opacity-80 pt-1 border-t border-base-200/50">
+                                <div class="grid grid-cols-4 gap-2 text-[10px] font-mono opacity-80 pt-1 border-t border-base-200/50">
                                     <div class="flex flex-col">
                                         <span class="text-[9px] opacity-60 uppercase">"Down"</span>
                                         <span class="text-success">{format_speed(t.down_rate)}</span>
@@ -515,10 +505,14 @@ pub fn TorrentTable() -> impl IntoView {
                                         <span class="text-[9px] opacity-60 uppercase">"Up"</span>
                                         <span class="text-primary">{format_speed(t.up_rate)}</span>
                                     </div>
-                                    <div class="flex flex-col text-right">
+                                    <div class="flex flex-col text-center border-r border-base-200/50">
                                         <span class="text-[9px] opacity-60 uppercase">"ETA"</span>
                                         <span>{format_duration(t.eta)}</span>
                                     </div>
+                                    <div class="flex flex-col text-right">
+                                        <span class="text-[9px] opacity-60 uppercase">"Date"</span>
+                                        <span>{format_date(t.added_date)}</span>
+                                    </div>
                                 </div>
                             </div>
                         </div>

frontend/src/lib.rs

@@ -11,11 +11,15 @@ use app::App;
 #[wasm_bindgen(start)]
 pub fn main() {
     console_error_panic_hook::set_once();
-    console_log::init_with_level(log::Level::Debug).unwrap();
+    console_log::init_with_level(log::Level::Debug)
+        .expect("Failed to initialize logging");
 
-    let window = web_sys::window().unwrap();
+    let window = web_sys::window()
-    let document = window.document().unwrap();
+        .expect("Failed to access window - browser may not be fully loaded");
-    let body = document.body().unwrap();
+    let document = window.document()
+        .expect("Failed to access document");
+    let body = document.body()
+        .expect("Failed to access document body");
     
     // Add app-loaded class to body to hide spinner via CSS
     let _ = body.class_list().add_1("app-loaded");

frontend/src/store.rs

@@ -120,6 +120,7 @@ pub struct TorrentStore {
     pub search_query: RwSignal<String>,
     pub global_stats: RwSignal<GlobalStats>,
     pub notifications: RwSignal<Vec<NotificationItem>>,
+    pub user: RwSignal<Option<String>>,
 }
 
 pub fn provide_torrent_store() {
@@ -128,6 +129,7 @@ pub fn provide_torrent_store() {
     let search_query = create_rw_signal(String::new());
     let global_stats = create_rw_signal(GlobalStats::default());
     let notifications = create_rw_signal(Vec::<NotificationItem>::new());
+    let user = create_rw_signal(Option::<String>::None);
 
     let store = TorrentStore {
         torrents,
@@ -135,11 +137,18 @@ pub fn provide_torrent_store() {
         search_query,
         global_stats,
         notifications,
+        user,
     };
     provide_context(store);
 
     // Initialize SSE connection with auto-reconnect
     create_effect(move |_| {
+        // Sadece kullanıcı giriş yapmışsa bağlantıyı başlat
+        if user.get().is_none() {
+            logging::log!("SSE: User not authenticated, skipping connection.");
+            return;
+        }
+
         spawn_local(async move {
             let mut backoff_ms: u32 = 1000; // Start with 1 second
             let max_backoff_ms: u32 = 30000; // Max 30 seconds
@@ -319,68 +328,47 @@ pub async fn subscribe_to_push_notifications() {
 
     // First, request notification permission if not already granted
     let window = web_sys::window().expect("window should exist");
-    let permission_granted = if let Ok(notification_class) = js_sys::Reflect::get(&window, &"Notification".into()) {
-        if notification_class.is_undefined() {
-            log::error!("Notification API not available");
-            return;
-        }
     
-        // Check current permission
+    // Notification.permission is a static property, but web_sys exposes it via the Notification class instance or we check it manually.
-        let current_permission = js_sys::Reflect::get(&notification_class, &"permission".into())
+    // Actually, Notification::permission() is a static method in web_sys.
-            .ok()
+    match web_sys::Notification::permission() {
-            .and_then(|p| p.as_string())
+        web_sys::NotificationPermission::Granted => {
-            .unwrap_or_default();
-        
-        if current_permission == "granted" {
             log::info!("Notification permission already granted");
-            true
+        }
-        } else if current_permission == "denied" {
+        web_sys::NotificationPermission::Denied => {
             log::warn!("Notification permission was denied");
             return;
-        } else {
-            // Permission is "default" - need to request
-            log::info!("Requesting notification permission...");
-            if let Ok(request_fn) = js_sys::Reflect::get(&notification_class, &"requestPermission".into()) {
-                if request_fn.is_function() {
-                    let request_fn_typed = js_sys::Function::from(request_fn);
-                    match request_fn_typed.call0(&notification_class) {
-                        Ok(promise_val) => {
-                            let request_future = wasm_bindgen_futures::JsFuture::from(
-                                js_sys::Promise::from(promise_val)
-                            );
-                            match request_future.await {
-                                Ok(result) => {
-                                    let result_str = result.as_string().unwrap_or_default();
-                                    log::info!("Permission request result: {}", result_str);
-                                    result_str == "granted"
         }
+        web_sys::NotificationPermission::Default => {
+            log::info!("Requesting notification permission...");
+            let permission_promise = match web_sys::Notification::request_permission() {
+                Ok(p) => p,
                 Err(e) => {
                     log::error!("Failed to request notification permission: {:?}", e);
-                                    false
-                                }
-                            }
-                        }
-                        Err(e) => {
-                            log::error!("Failed to call requestPermission: {:?}", e);
-                            false
-                        }
-                    }
-                } else {
-                    false
-                }
-            } else {
-                false
-            }
-        }
-    } else {
-        log::error!("Cannot access Notification class");
                     return;
+                }
             };
             
-    if !permission_granted {
+            match wasm_bindgen_futures::JsFuture::from(permission_promise).await {
-        log::warn!("Notification permission not granted, cannot subscribe to push");
+                Ok(val) => {
+                    let permission = val.as_string().unwrap_or_default();
+                    if permission != "granted" {
+                        log::warn!("Notification permission denied by user");
                         return;
                     }
+                    log::info!("Notification permission granted by user");
+                }
+                Err(e) => {
+                    log::error!("Failed to await notification permission: {:?}", e);
+                    return;
+                }
+            }
+        }
+        _ => {
+             log::warn!("Unknown notification permission status");
+             return;
+        }
+    }
 
     log::info!("Notification permission granted! Proceeding with push subscription...");
 
@@ -424,7 +412,6 @@ pub async fn subscribe_to_push_notifications() {
     };
 
     // Get service worker registration
-    let window = web_sys::window().expect("window should exist");
     let navigator = window.navigator();
     let service_worker = navigator.service_worker();
 
@@ -485,12 +472,14 @@ pub async fn subscribe_to_push_notifications() {
         .dyn_into::<web_sys::PushSubscription>()
         .expect("should be PushSubscription");
 
-    // Get subscription JSON using toJSON() method
+    // PushSubscription objects can be serialized directly via JSON.stringify which calls their toJSON method internally.
-    let json_result = match js_sys::Reflect::get(&push_subscription, &"toJSON".into()) {
+    // Or we can use Reflect to call toJSON if we want the object directly.
+    // Let's use the robust way: call toJSON via Reflect but handle it gracefully.
+    let json_val = match js_sys::Reflect::get(&push_subscription, &"toJSON".into()) {
         Ok(func) if func.is_function() => {
              let json_func = js_sys::Function::from(func);
              match json_func.call0(&push_subscription) {
-                Ok(result) => result,
+                 Ok(res) => res,
                  Err(e) => {
                      log::error!("Failed to call toJSON: {:?}", e);
                      return;
@@ -498,25 +487,30 @@ pub async fn subscribe_to_push_notifications() {
              }
         }
         _ => {
-            log::error!("toJSON method not found on PushSubscription");
+            // Fallback: try to stringify the object directly
-            return;
+            // log::warn!("toJSON not found, trying JSON.stringify");
-        }
+            let json_str = match js_sys::JSON::stringify(&push_subscription) {
-    };
+                Ok(s) => s,
-    
-    let json_value = match js_sys::JSON::stringify(&json_result) {
-        Ok(val) => val,
                 Err(e) => {
                     log::error!("Failed to stringify subscription: {:?}", e);
                     return;
                 }
             };
+            // Parse back to object to match our expected flow (slightly inefficient but safe)
+            match js_sys::JSON::parse(&String::from(json_str)) {
+                Ok(v) => v,
+                Err(e) => {
+                    log::error!("Failed to parse stringified subscription: {:?}", e);
+                    return;
+                }
+            }
+        }
+    };
     
-    let subscription_json_str = json_value.as_string().expect("should be string");
+    // Convert JsValue (JSON object) to PushSubscriptionJSON struct via serde
-    
+    // Note: web_sys::PushSubscriptionJSON is not a struct we can directly use with serde_json usually,
-    log::info!("Push subscription: {}", subscription_json_str);
+    // but we can use serde-wasm-bindgen to convert JsValue -> Rust Struct
-    
+    let subscription_data: PushSubscriptionData = match serde_wasm_bindgen::from_value(json_val) {
-    // Parse and send to backend
-    let subscription_data: serde_json::Value = match serde_json::from_str(&subscription_json_str) {
         Ok(data) => data,
         Err(e) => {
             log::error!("Failed to parse subscription JSON: {:?}", e);
@@ -524,37 +518,9 @@ pub async fn subscribe_to_push_notifications() {
         }
     };
 
-    // Extract endpoint and keys
+    // Send to backend (subscription_data is already the struct we need)
-    let endpoint = subscription_data
-        .get("endpoint")
-        .and_then(|v| v.as_str())
-        .expect("endpoint should exist")
-        .to_string();
-    
-    let keys_obj = subscription_data
-        .get("keys")
-        .expect("keys should exist");
-    
-    let p256dh = keys_obj
-        .get("p256dh")
-        .and_then(|v| v.as_str())
-        .expect("p256dh should exist")
-        .to_string();
-    
-    let auth = keys_obj
-        .get("auth")
-        .and_then(|v| v.as_str())
-        .expect("auth should exist")
-        .to_string();
-    
-    let push_data = PushSubscriptionData {
-        endpoint,
-        keys: PushKeys { p256dh, auth },
-    };
-    
-    // Send to backend
     let response = match Request::post("/api/push/subscribe")
-        .json(&push_data)
+        .json(&subscription_data)
         .expect("serialization should succeed")
         .send()
         .await
@@ -574,34 +540,15 @@ pub async fn subscribe_to_push_notifications() {
 }
 
 /// Helper to convert URL-safe base64 string to Uint8Array
-/// Uses JavaScript to properly decode binary data (avoids UTF-8 encoding issues)
+/// Uses pure Rust base64 crate for better safety and performance
 fn url_base64_to_uint8array(base64_string: &str) -> Result<js_sys::Uint8Array, JsValue> {
-    // Add padding
+    use base64::{engine::general_purpose, Engine as _};
-    let padding = (4 - (base64_string.len() % 4)) % 4;
-    let mut padded = base64_string.to_string();
-    padded.push_str(&"=".repeat(padding));
 
-    // Replace URL-safe characters
+    // VAPID keys are URL-safe base64. Try both NO_PAD and padded for robustness.
-    let standard_base64 = padded.replace('-', "+").replace('_', "/");
+    let bytes = general_purpose::URL_SAFE_NO_PAD
+        .decode(base64_string)
+        .or_else(|_| general_purpose::URL_SAFE.decode(base64_string))
+        .map_err(|e| JsValue::from_str(&format!("Base64 decode error: {}", e)))?;
 
-    // Decode using JavaScript to avoid UTF-8 encoding issues
+    Ok(js_sys::Uint8Array::from(&bytes[..]))
-    // Create a JavaScript function to decode the base64 and convert to Uint8Array
-    let js_code = format!(
-        r#"
-        (function() {{
-            const binaryString = atob('{}');
-            const bytes = new Uint8Array(binaryString.length);
-            for (let i = 0; i < binaryString.length; i++) {{
-                bytes[i] = binaryString.charCodeAt(i);
-            }}
-            return bytes;
-        }})()
-        "#,
-        standard_base64
-    );
-    
-    let result = js_sys::eval(&js_code)?;
-    let array = result.dyn_into::<js_sys::Uint8Array>()?;
-    
-    Ok(array)
 }

frontend/sw.js

@@ -1,69 +1,99 @@
-const CACHE_NAME = 'vibetorrent-v1';
+const CACHE_NAME = "vibetorrent-v2";
 const ASSETS_TO_CACHE = [
-    '/',
+  "/",
-    '/index.html',
+  "/index.html",
-    '/manifest.json',
+  "/manifest.json",
-    '/icon-192.png',
+  "/icon-192.png",
-    '/icon-512.png'
+  "/icon-512.png",
 ];
 
 // Install event - cache assets
-self.addEventListener('install', (event) => {
+self.addEventListener("install", (event) => {
-    console.log('[Service Worker] Installing...');
+  console.log("[Service Worker] Installing...");
   event.waitUntil(
-        caches.open(CACHE_NAME).then((cache) => {
+    caches
-            console.log('[Service Worker] Caching static assets');
+      .open(CACHE_NAME)
+      .then((cache) => {
+        console.log("[Service Worker] Caching static assets");
         return cache.addAll(ASSETS_TO_CACHE);
-        }).then(() => {
-            console.log('[Service Worker] Skip waiting');
-            return self.skipWaiting();
       })
+      .then(() => {
+        console.log("[Service Worker] Skip waiting");
+        return self.skipWaiting();
+      }),
   );
 });
 
 // Activate event - clean old caches
-self.addEventListener('activate', (event) => {
+self.addEventListener("activate", (event) => {
-    console.log('[Service Worker] Activating...');
+  console.log("[Service Worker] Activating...");
   event.waitUntil(
-        caches.keys().then((cacheNames) => {
+    caches
+      .keys()
+      .then((cacheNames) => {
         return Promise.all(
           cacheNames.map((key) => {
             if (key !== CACHE_NAME) {
-                        console.log('[Service Worker] Deleting old cache:', key);
+              console.log("[Service Worker] Deleting old cache:", key);
               return caches.delete(key);
             }
-                })
+          }),
         );
-        }).then(() => {
-            console.log('[Service Worker] Claiming clients');
-            return self.clients.claim();
       })
+      .then(() => {
+        console.log("[Service Worker] Claiming clients");
+        return self.clients.claim();
+      }),
   );
 });
 
-// Fetch event - network first, cache fallback for API calls
+// Fetch event - network first for HTML, cache fallback for API calls
-self.addEventListener('fetch', (event) => {
+self.addEventListener("fetch", (event) => {
   const url = new URL(event.request.url);
 
   // Network-first strategy for API calls
-    if (url.pathname.startsWith('/api/')) {
+  if (url.pathname.startsWith("/api/")) {
     event.respondWith(
-            fetch(event.request)
+      fetch(event.request).catch(() => {
-                .catch(() => {
         // Could return cached API response or offline page
-                    return new Response(
+        return new Response(JSON.stringify({ error: "Offline" }), {
-                        JSON.stringify({ error: 'Offline' }),
+          headers: { "Content-Type": "application/json" },
-                        { headers: { 'Content-Type': 'application/json' } }
+        });
-                    );
+      }),
-                })
     );
     return;
   }
 
-    // Cache-first strategy for static assets
+  // Network-first strategy for HTML pages (entry points)
+  // This ensures users always get the latest version of the app
+  if (
+    event.request.mode === "navigate" ||
+    url.pathname.endsWith("index.html") ||
+    url.pathname === "/"
+  ) {
+    event.respondWith(
+      fetch(event.request)
+        .then((response) => {
+          // Cache the latest version of the HTML
+          const responseToCache = response.clone();
+          caches.open(CACHE_NAME).then((cache) => {
+            cache.put(event.request, responseToCache);
+          });
+          return response;
+        })
+        .catch(() => {
+          return caches.match(event.request);
+        }),
+    );
+    return;
+  }
+
+  // Cache-first strategy for static assets (JS, CSS, Images)
   event.respondWith(
     caches.match(event.request).then((response) => {
-            return response || fetch(event.request).then((fetchResponse) => {
+      return (
+        response ||
+        fetch(event.request).then((fetchResponse) => {
           // Optionally cache new requests
           if (fetchResponse && fetchResponse.status === 200) {
             const responseToCache = fetchResponse.clone();
@@ -72,56 +102,57 @@ self.addEventListener('fetch', (event) => {
             });
           }
           return fetchResponse;
-            });
         })
       );
+    }),
+  );
 });
 
 // Notification click event - focus or open app
-self.addEventListener('notificationclick', (event) => {
+self.addEventListener("notificationclick", (event) => {
-    console.log('[Service Worker] Notification clicked:', event.notification.tag);
+  console.log("[Service Worker] Notification clicked:", event.notification.tag);
   event.notification.close();
 
   event.waitUntil(
-        clients.matchAll({ type: 'window', includeUncontrolled: true }).then((clientList) => {
+    clients
+      .matchAll({ type: "window", includeUncontrolled: true })
+      .then((clientList) => {
         // If app is already open, focus it
         for (let client of clientList) {
-                if (client.url === '/' && 'focus' in client) {
+          if (client.url === "/" && "focus" in client) {
             return client.focus();
           }
         }
         // Otherwise open new window
         if (clients.openWindow) {
-                return clients.openWindow('/');
+          return clients.openWindow("/");
         }
-        })
+      }),
   );
 });
 
 // Push notification event
-self.addEventListener('push', (event) => {
+self.addEventListener("push", (event) => {
-    console.log('[Service Worker] Push notification received');
+  console.log("[Service Worker] Push notification received");
   const data = event.data ? event.data.json() : {};
 
-    const title = data.title || 'VibeTorrent';
+  const title = data.title || "VibeTorrent";
   const options = {
-        body: data.body || 'New notification',
+    body: data.body || "New notification",
-        icon: data.icon || '/icon-192.png',
+    icon: data.icon || "/icon-192.png",
-        badge: data.badge || '/icon-192.png',
+    badge: data.badge || "/icon-192.png",
-        tag: data.tag || 'vibetorrent-notification',
+    tag: data.tag || "vibetorrent-notification",
     requireInteraction: false,
     // iOS-specific: vibrate pattern (if supported)
     vibrate: [200, 100, 200],
     // Add data for notification click handling
     data: {
-            url: data.url || '/',
+      url: data.url || "/",
-            timestamp: Date.now()
+      timestamp: Date.now(),
-        }
+    },
   };
 
-    console.log('[Service Worker] Showing notification:', title, options);
+  console.log("[Service Worker] Showing notification:", title, options);
 
-    event.waitUntil(
+  event.waitUntil(self.registration.showNotification(title, options));
-        self.registration.showNotification(title, options)
-    );
 });