security: remove hardcoded VAPID keys fallback

VAPID keys must now be set via environment variables or .env file. This eliminates the security risk of having keys in source code.
chore: add DATABASE_URL to .env
2026-02-08 05:16:31 +03:00 · 2026-02-08 05:11:31 +03:00 · 2026-02-08 05:10:57 +03:00 · 2026-02-08 04:37:16 +03:00 · 2026-02-08 04:27:12 +03:00 · 2026-02-08 04:17:08 +03:00
17 changed files with 731 additions and 318 deletions
--- a/backend/.env
+++ b/backend/.env
@@ -0,0 +1,8 @@
 # Database
 DATABASE_URL=sqlite:vibetorrent.db
 # VAPID Keys for Push Notifications
 # Generate new keys for production using: cargo run --bin web-push --features web-push -- generate-vapid-keys
 VAPID_PUBLIC_KEY=BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU
 VAPID_PRIVATE_KEY=aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10
 VAPID_EMAIL=mailto:admin@vibetorrent.app
--- a/backend/migrations/001_init.sql
+++ b/backend/migrations/001_init.sql
@@ -0,0 +1,16 @@
 -- 001_init.sql
 -- Initial schema for users and sessions
 CREATE TABLE IF NOT EXISTS users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 CREATE TABLE IF NOT EXISTS sessions (
    token TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL,
    expires_at DATETIME NOT NULL,
    FOREIGN KEY(user_id) REFERENCES users(id)
 );
--- a/backend/migrations/002_push_subscriptions.sql
+++ b/backend/migrations/002_push_subscriptions.sql
@@ -0,0 +1,13 @@
 -- 002_push_subscriptions.sql
 -- Push notification subscriptions storage
 CREATE TABLE IF NOT EXISTS push_subscriptions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    endpoint TEXT NOT NULL UNIQUE,
    p256dh TEXT NOT NULL,
    auth TEXT NOT NULL,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 -- Index for faster lookups by endpoint
 CREATE INDEX IF NOT EXISTS idx_push_subscriptions_endpoint ON push_subscriptions(endpoint);
--- a/backend/src/db.rs
+++ b/backend/src/db.rs
@@ -16,35 +16,12 @@ impl Db {
            .await?;
        let db = Self { pool };
-        db.init().await?;
+        db.run_migrations().await?;
        Ok(db)
    }
-    async fn init(&self) -> Result<()> {
+    async fn run_migrations(&self) -> Result<()> {
-        // Create users table
+        sqlx::migrate!("./migrations").run(&self.pool).await?;
        sqlx::query(
            "CREATE TABLE IF NOT EXISTS users (
                id INTEGER PRIMARY KEY,
                username TEXT NOT NULL UNIQUE,
                password_hash TEXT NOT NULL,
                created_at DATETIME DEFAULT CURRENT_TIMESTAMP
            )",
        )
        .execute(&self.pool)
        .await?;
        // Create sessions table
        sqlx::query(
            "CREATE TABLE IF NOT EXISTS sessions (
                token TEXT PRIMARY KEY,
                user_id INTEGER NOT NULL,
                expires_at DATETIME NOT NULL,
                FOREIGN KEY(user_id) REFERENCES users(id)
            )",
        )
        .execute(&self.pool)
        .await?;
        Ok(())
    }
@@ -68,6 +45,15 @@ impl Db {
        Ok(row.map(|r| (r.get(0), r.get(1))))
    }
    pub async fn get_username_by_id(&self, id: i64) -> Result<Option<String>> {
        let row = sqlx::query("SELECT username FROM users WHERE id = ?")
            .bind(id)
            .fetch_optional(&self.pool)
            .await?;
        Ok(row.map(|r| r.get(0)))
    }
    pub async fn has_users(&self) -> Result<bool> {
        let row: (i64,) = sqlx::query_as("SELECT COUNT(*) FROM users")
            .fetch_one(&self.pool)
@@ -103,4 +89,53 @@ impl Db {
            .await?;
        Ok(())
    }
    pub async fn update_password(&self, user_id: i64, password_hash: &str) -> Result<()> {
        sqlx::query("UPDATE users SET password_hash = ? WHERE id = ?")
            .bind(password_hash)
            .bind(user_id)
            .execute(&self.pool)
            .await?;
        Ok(())
    }
    pub async fn delete_all_sessions_for_user(&self, user_id: i64) -> Result<()> {
        sqlx::query("DELETE FROM sessions WHERE user_id = ?")
            .bind(user_id)
            .execute(&self.pool)
            .await?;
        Ok(())
    }
    // --- Push Subscription Operations ---
    pub async fn save_push_subscription(&self, endpoint: &str, p256dh: &str, auth: &str) -> Result<()> {
        sqlx::query(
            "INSERT INTO push_subscriptions (endpoint, p256dh, auth) VALUES (?, ?, ?)
             ON CONFLICT(endpoint) DO UPDATE SET p256dh = EXCLUDED.p256dh, auth = EXCLUDED.auth"
        )
        .bind(endpoint)
        .bind(p256dh)
        .bind(auth)
        .execute(&self.pool)
        .await?;
        Ok(())
    }
    pub async fn remove_push_subscription(&self, endpoint: &str) -> Result<()> {
        sqlx::query("DELETE FROM push_subscriptions WHERE endpoint = ?")
            .bind(endpoint)
            .execute(&self.pool)
            .await?;
        Ok(())
    }
    pub async fn get_all_push_subscriptions(&self) -> Result<Vec<(String, String, String)>> {
        let rows = sqlx::query_as::<_, (String, String, String)>(
            "SELECT endpoint, p256dh, auth FROM push_subscriptions"
        )
        .fetch_all(&self.pool)
        .await?;
        Ok(rows)
    }
 }
--- a/backend/src/handlers/auth.rs
+++ b/backend/src/handlers/auth.rs
@@ -13,9 +13,10 @@ use time::Duration;
 pub struct LoginRequest {
    username: String,
    password: String,
    #[serde(default)]
    remember_me: bool,
 }
 #[allow(dead_code)]
 #[derive(Serialize, ToSchema)]
 pub struct UserResponse {
    username: String,
@@ -62,8 +63,13 @@ pub async fn login_handler(
                rand::thread_rng().sample(Alphanumeric) as char
            }).collect();
-            // Expires in 30 days
+            // Expiration: 30 days if remember_me is true, else 1 day
-            let expires_in = 60 * 60 * 24 * 30;
+            let expires_in = if payload.remember_me {
                60 * 60 * 24 * 30
            } else {
                60 * 60 * 24
            };
            let expires_at = time::OffsetDateTime::now_utc().unix_timestamp() + expires_in;
            if let Err(e) = state.db.create_session(user_id, &token, expires_at).await {
@@ -71,15 +77,16 @@ pub async fn login_handler(
                return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to create session").into_response();
            }
-            let cookie = Cookie::build(("auth_token", token))
+            let mut cookie = Cookie::build(("auth_token", token))
                .path("/")
                .http_only(true)
                .same_site(SameSite::Lax)
                .max_age(Duration::seconds(expires_in))
                .build();
            cookie.set_max_age(Duration::seconds(expires_in));
            tracing::info!("Session created and cookie set for user: {}", payload.username);
-            (StatusCode::OK, jar.add(cookie), "Login successful").into_response()
+            (StatusCode::OK, jar.add(cookie), Json(UserResponse { username: payload.username })).into_response()
        }
        Ok(false) => {
            tracing::warn!("Login failed: Invalid password for {}", payload.username);
@@ -120,7 +127,7 @@ pub async fn logout_handler(
    get,
    path = "/api/auth/check",
    responses(
-        (status = 200, description = "Authenticated"),
+        (status = 200, description = "Authenticated", body = UserResponse),
        (status = 401, description = "Not authenticated")
    )
 )]
@@ -130,7 +137,15 @@ pub async fn check_auth_handler(
 ) -> impl IntoResponse {
    if let Some(token) = jar.get("auth_token") {
        match state.db.get_session_user(token.value()).await {
-            Ok(Some(_)) => return StatusCode::OK.into_response(),
+            Ok(Some(user_id)) => {
                // Fetch username
                // We need a helper in db.rs to get username by id, or we can use a direct query here if we don't want to change db.rs interface yet.
                // But better to add `get_username_by_id` to db.rs
                // For now let's query directly or via a new db method.
                if let Ok(Some(username)) = state.db.get_username_by_id(user_id).await {
                     return (StatusCode::OK, Json(UserResponse { username })).into_response();
                }
            },
            _ => {} // Invalid session
        }
    }
--- a/backend/src/handlers/setup.rs
+++ b/backend/src/handlers/setup.rs
@@ -6,6 +6,8 @@ use axum::{
 };
 use serde::{Deserialize, Serialize};
 use utoipa::ToSchema;
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use time::Duration;
 #[derive(Deserialize, ToSchema)]
 pub struct SetupRequest {
@@ -41,7 +43,7 @@ pub async fn get_setup_status_handler(State(state): State<AppState>) -> impl Int
    path = "/api/setup",
    request_body = SetupRequest,
    responses(
-        (status = 200, description = "Setup completed"),
+        (status = 200, description = "Setup completed and logged in"),
        (status = 400, description = "Invalid request"),
        (status = 403, description = "Setup already completed"),
        (status = 500, description = "Internal server error")
@@ -49,6 +51,7 @@ pub async fn get_setup_status_handler(State(state): State<AppState>) -> impl Int
 )]
 pub async fn setup_handler(
    State(state): State<AppState>,
    jar: CookieJar,
    Json(payload): Json<SetupRequest>,
 ) -> impl IntoResponse {
    // 1. Check if setup is already completed (i.e., users exist)
@@ -67,7 +70,8 @@ pub async fn setup_handler(
    }
    // 3. Create User
-    let password_hash = match bcrypt::hash(&payload.password, bcrypt::DEFAULT_COST) {
+    // Lower cost for faster login on low-power devices (MIPS routers etc.)
    let password_hash = match bcrypt::hash(&payload.password, 6) {
        Ok(h) => h,
        Err(e) => {
            tracing::error!("Failed to hash password: {}", e);
@@ -80,5 +84,42 @@ pub async fn setup_handler(
        return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to create user").into_response();
    }
-    (StatusCode::OK, "Setup completed successfully").into_response()
+    // 4. Auto-Login (Create Session)
    // Get the created user's ID
    let user = match state.db.get_user_by_username(&payload.username).await {
        Ok(Some(u)) => u,
        Ok(None) => return (StatusCode::INTERNAL_SERVER_ERROR, "User created but not found").into_response(),
        Err(e) => {
            tracing::error!("DB error fetching new user: {}", e);
            return (StatusCode::INTERNAL_SERVER_ERROR, "Database error").into_response();
        }
    };
    let (user_id, _) = user;
    // Create session token
    let token: String = (0..32).map(|_| {
        use rand::{distributions::Alphanumeric, Rng};
        rand::thread_rng().sample(Alphanumeric) as char
    }).collect();
    // Default expiration: 1 day (since it's not "remember me")
    let expires_in = 60 * 60 * 24;
    let expires_at = time::OffsetDateTime::now_utc().unix_timestamp() + expires_in;
    if let Err(e) = state.db.create_session(user_id, &token, expires_at).await {
        tracing::error!("Failed to create session for new user: {}", e);
        // Even if session fails, setup is technically complete, but login failed.
        // We return OK but user will have to login manually.
        return (StatusCode::OK, "Setup completed, please login").into_response();
    }
    let mut cookie = Cookie::build(("auth_token", token))
        .path("/")
        .http_only(true)
        .same_site(SameSite::Lax)
        .build();
    cookie.set_max_age(Duration::seconds(expires_in));
    (StatusCode::OK, jar.add(cookie), "Setup completed and logged in").into_response()
 }
--- a/backend/src/main.rs
+++ b/backend/src/main.rs
@@ -90,6 +90,10 @@ struct Args {
    /// Database URL
    #[arg(long, env = "DATABASE_URL", default_value = "sqlite:vibetorrent.db")]
    db_url: String,
    /// Reset password for the specified user
    #[arg(long)]
    reset_password: Option<String>,
 }
 #[cfg(feature = "push-notifications")]
@@ -130,7 +134,8 @@ struct Args {
            push::PushKeys,
            handlers::auth::LoginRequest,
            handlers::setup::SetupRequest,
-            handlers::setup::SetupStatusResponse
+            handlers::setup::SetupStatusResponse,
            handlers::auth::UserResponse
        )
    ),
    tags(
@@ -173,7 +178,8 @@ struct ApiDoc;
            shared::GlobalLimitRequest,
            handlers::auth::LoginRequest,
            handlers::setup::SetupRequest,
-            handlers::setup::SetupStatusResponse
+            handlers::setup::SetupStatusResponse,
            handlers::auth::UserResponse
        )
    ),
    tags(
@@ -197,9 +203,6 @@ async fn main() {
    // Parse CLI Args
    let args = Args::parse();
    tracing::info!("Starting VibeTorrent Backend...");
    tracing::info!("Socket: {}", args.socket);
    tracing::info!("Port: {}", args.port);
    // Initialize Database
    tracing::info!("Connecting to database: {}", args.db_url);
@@ -224,6 +227,68 @@ async fn main() {
    };
    tracing::info!("Database connected successfully.");
    // Handle Password Reset
    if let Some(username) = args.reset_password {
        tracing::info!("Resetting password for user: {}", username);
        // Check if user exists
        let user_result = db.get_user_by_username(&username).await;
        match user_result {
            Ok(Some((user_id, _))) => {
                // Generate random password
                use rand::{distributions::Alphanumeric, Rng};
                let new_password: String = rand::thread_rng()
                    .sample_iter(&Alphanumeric)
                    .take(12)
                    .map(char::from)
                    .collect();
                // Hash password (low cost for performance)
                let password_hash = match bcrypt::hash(&new_password, 6) {
                    Ok(h) => h,
                    Err(e) => {
                        tracing::error!("Failed to hash password: {}", e);
                        std::process::exit(1);
                    }
                };
                // Update in DB (using a direct query since db.rs doesn't have update_password yet)
                // We should add `update_password` to db.rs for cleaner code, but for now direct query is fine or we can extend Db.
                // Let's extend Db.rs first to be clean.
                if let Err(e) = db.update_password(user_id, &password_hash).await {
                     tracing::error!("Failed to update password in DB: {}", e);
                     std::process::exit(1);
                }
                println!("--------------------------------------------------");
                println!("Password reset successfully for user: {}", username);
                println!("New Password: {}", new_password);
                println!("--------------------------------------------------");
                // Invalidate existing sessions for security
                if let Err(e) = db.delete_all_sessions_for_user(user_id).await {
                    tracing::warn!("Failed to invalidate existing sessions: {}", e);
                }
                std::process::exit(0);
            },
            Ok(None) => {
                tracing::error!("User '{}' not found.", username);
                std::process::exit(1);
            },
            Err(e) => {
                tracing::error!("Database error: {}", e);
                std::process::exit(1);
            }
        }
    }
    tracing::info!("Starting VibeTorrent Backend...");
    tracing::info!("Socket: {}", args.socket);
    tracing::info!("Port: {}", args.port);
    // ... rest of the main function ...
    // Startup Health Check
    let socket_path = std::path::Path::new(&args.socket);
    if !socket_path.exists() {
@@ -255,13 +320,25 @@ async fn main() {
    // Channel for Events (Diffs)
    let (event_bus, _) = broadcast::channel::<AppEvent>(1024);
    #[cfg(feature = "push-notifications")]
    let push_store = match push::PushSubscriptionStore::with_db(&db).await {
        Ok(store) => store,
        Err(e) => {
            tracing::error!("Failed to initialize push store: {}", e);
            push::PushSubscriptionStore::new()
        }
    };
    #[cfg(not(feature = "push-notifications"))]
    let push_store = ();
    let app_state = AppState {
        tx: tx.clone(),
        event_bus: event_bus.clone(),
        scgi_socket_path: args.socket.clone(),
        db: db.clone(),
        #[cfg(feature = "push-notifications")]
-        push_store: push::PushSubscriptionStore::new(),
+        push_store,
    };
    // Spawn background task to poll rTorrent
--- a/backend/src/push.rs
+++ b/backend/src/push.rs
@@ -6,10 +6,7 @@ use web_push::{
    HyperWebPushClient, SubscriptionInfo, VapidSignatureBuilder, WebPushClient, WebPushMessageBuilder,
 };
-// VAPID keys - PRODUCTION'DA ENVIRONMENT VARIABLE'DAN ALINMALI!
+use crate::db::Db;
 const VAPID_PUBLIC_KEY: &str = "BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU";
 const VAPID_PRIVATE_KEY: &str = "aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10";
 const VAPID_EMAIL: &str = "mailto:admin@vibetorrent.app";
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct PushSubscription {
@@ -23,34 +20,72 @@ pub struct PushKeys {
    pub auth: String,
 }
-/// In-memory store for push subscriptions
+#[derive(Clone)]
 /// TODO: Replace with database in production
 #[derive(Default, Clone)]
 pub struct PushSubscriptionStore {
    db: Option<Db>,
    subscriptions: Arc<RwLock<Vec<PushSubscription>>>,
 }
 impl PushSubscriptionStore {
    pub fn new() -> Self {
        Self {
            db: None,
            subscriptions: Arc::new(RwLock::new(Vec::new())),
        }
    }
    pub async fn with_db(db: &Db) -> Result<Self, Box<dyn std::error::Error>> {
        let mut subscriptions_vec: Vec<PushSubscription> = Vec::new();
        // Load existing subscriptions from DB
        let subs = db.get_all_push_subscriptions().await?;
        for (endpoint, p256dh, auth) in subs {
            subscriptions_vec.push(PushSubscription {
                endpoint,
                keys: PushKeys { p256dh, auth },
            });
        }
        tracing::info!("Loaded {} push subscriptions from database", subscriptions_vec.len());
        Ok(Self {
            db: Some(db.clone()),
            subscriptions: Arc::new(RwLock::new(subscriptions_vec)),
        })
    }
    pub async fn add_subscription(&self, subscription: PushSubscription) {
        // Add to memory
        let mut subs = self.subscriptions.write().await;
        // Remove duplicate endpoint if exists
        subs.retain(|s| s.endpoint != subscription.endpoint);
-        
+        subs.push(subscription.clone());
        subs.push(subscription);
        tracing::info!("Added push subscription. Total: {}", subs.len());
        // Save to DB if available
        if let Some(db) = &self.db {
            if let Err(e) = db.save_push_subscription(
                &subscription.endpoint,
                &subscription.keys.p256dh,
                &subscription.keys.auth,
            ).await {
                tracing::error!("Failed to save push subscription to DB: {}", e);
            }
        }
    }
    pub async fn remove_subscription(&self, endpoint: &str) {
        // Remove from memory
        let mut subs = self.subscriptions.write().await;
        subs.retain(|s| s.endpoint != endpoint);
        tracing::info!("Removed push subscription. Total: {}", subs.len());
        // Remove from DB if available
        if let Some(db) = &self.db {
            if let Err(e) = db.remove_push_subscription(endpoint).await {
                tracing::error!("Failed to remove push subscription from DB: {}", e);
            }
        }
    }
    pub async fn get_all_subscriptions(&self) -> Vec<PushSubscription> {
@@ -83,6 +118,9 @@ pub async fn send_push_notification(
    let client = HyperWebPushClient::new();
    let vapid_private_key = std::env::var("VAPID_PRIVATE_KEY").expect("VAPID_PRIVATE_KEY must be set in .env");
    let vapid_email = std::env::var("VAPID_EMAIL").expect("VAPID_EMAIL must be set in .env");
    for subscription in subscriptions {
        let subscription_info = SubscriptionInfo {
            endpoint: subscription.endpoint.clone(),
@@ -93,13 +131,13 @@ pub async fn send_push_notification(
        };
        let mut sig_builder = VapidSignatureBuilder::from_base64(
-            VAPID_PRIVATE_KEY,
+            &vapid_private_key,
            web_push::URL_SAFE_NO_PAD,
            &subscription_info,
        )?;
-        sig_builder.add_claim("sub", VAPID_EMAIL);
+        sig_builder.add_claim("sub", vapid_email.as_str());
-        sig_builder.add_claim("aud", subscription.endpoint.clone());
+        sig_builder.add_claim("aud", subscription.endpoint.as_str());
        let signature = sig_builder.build()?;
        let mut builder = WebPushMessageBuilder::new(&subscription_info);
@@ -122,6 +160,6 @@ pub async fn send_push_notification(
    Ok(())
 }
-pub fn get_vapid_public_key() -> &'static str {
+pub fn get_vapid_public_key() -> String {
-    VAPID_PUBLIC_KEY
+    std::env::var("VAPID_PUBLIC_KEY").expect("VAPID_PUBLIC_KEY must be set in .env")
 }
--- a/frontend/Cargo.toml
+++ b/frontend/Cargo.toml
@@ -21,7 +21,7 @@ wasm-bindgen = "0.2"
 wasm-bindgen-futures = "0.4"
 uuid = { version = "1", features = ["v4", "js"] }
 futures = "0.3"
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { version = "0.4", features = ["serde", "wasm-bindgen"] }
 web-sys = { version = "0.3", features = [
    "HtmlDivElement",
    "HtmlUListElement",
--- a/frontend/src/app.rs
+++ b/frontend/src/app.rs
@@ -1,6 +1,4 @@
-use crate::components::layout::sidebar::Sidebar;
+use crate::components::layout::protected::Protected;
 use crate::components::layout::statusbar::StatusBar;
 use crate::components::layout::toolbar::Toolbar;
 use crate::components::toast::ToastContainer;
 use crate::components::torrent::table::TorrentTable;
 use crate::components::auth::login::Login;
@@ -14,6 +12,11 @@ struct SetupStatus {
    completed: bool,
 }
 #[derive(Deserialize)]
 struct UserResponse {
    username: String,
 }
 #[component]
 pub fn App() -> impl IntoView {
    crate::store::provide_torrent_store();
@@ -28,7 +31,6 @@ pub fn App() -> impl IntoView {
            logging::log!("App initialization started...");
            // 1. Check Setup Status
                logging::log!("Checking setup status...");
            let setup_res = gloo_net::http::Request::get("/api/setup/status").send().await;
            match setup_res {
@@ -36,7 +38,6 @@ pub fn App() -> impl IntoView {
                    if resp.ok() {
                        match resp.json::<SetupStatus>().await {
                            Ok(status) => {
                                    logging::log!("Setup status: completed={}", status.completed);
                                if !status.completed {
                                    logging::log!("Setup not completed, redirecting to /setup");
                                    let navigate = use_navigate();
@@ -47,25 +48,37 @@ pub fn App() -> impl IntoView {
                            }
                            Err(e) => logging::error!("Failed to parse setup status: {}", e),
                        }
                        } else {
                            logging::error!("Setup status request failed: {}", resp.status());
                    }
                }
                Err(e) => logging::error!("Network error checking setup status: {}", e),
            }
            // 2. Check Auth Status
                logging::log!("Checking auth status...");
            let auth_res = gloo_net::http::Request::get("/api/auth/check").send().await;
                        match auth_res {
                            Ok(resp) => {
                        logging::log!("Auth check status: {}", resp.status());
                                if resp.status() == 200 {
                                    logging::log!("Authenticated!");
                                    // Parse user info
                                    if let Ok(user_info) = resp.json::<UserResponse>().await {
                                        if let Some(store) = use_context::<crate::store::TorrentStore>() {
                                            store.user.set(Some(user_info.username));
                                        }
                                    }
                                    set_is_authenticated.set(true);
                                    // If user is already authenticated but on login/setup page, redirect to home
                                    let pathname = window().location().pathname().unwrap_or_default();
                                    if pathname == "/login" || pathname == "/setup" {
                                        logging::log!("Already authenticated, redirecting to home");
                                        let navigate = use_navigate();
                                        navigate("/", Default::default());
                                    }
                                } else {
-                            logging::log!("Not authenticated, checking if redirect needed");
+                                    logging::log!("Not authenticated, redirecting to /login");
                                    let navigate = use_navigate();
                                    let pathname = window().location().pathname().unwrap_or_default();
                                    if pathname != "/login" && pathname != "/setup" {
@@ -75,47 +88,20 @@ pub fn App() -> impl IntoView {
                            }
                            Err(e) => logging::error!("Network error checking auth status: {}", e),
                        }
                logging::log!("App initialization finished, disabling loader.");
            set_is_loading.set(false);
        });
    });
-    // Initialize push notifications after user grants permission (Only if authenticated)
+    // Initialize push notifications (Only if authenticated)
    create_effect(move |_| {
        if is_authenticated.get() {
            spawn_local(async {
                // ... (Push notification logic kept same, shortened for brevity in this replace)
                // Wait a bit for service worker to be ready
                gloo_timers::future::TimeoutFuture::new(2000).await;
-                // Check if running on iOS and not standalone
+                if crate::utils::platform::supports_push_notifications() && !crate::utils::platform::is_safari() {
                if let Some(ios_message) = crate::utils::platform::get_ios_notification_info() {
                    log::warn!("iOS detected: {}", ios_message);
                    if let Some(store) = use_context::<crate::store::TorrentStore>() {
                        crate::store::show_toast_with_signal(
                            store.notifications,
                            shared::NotificationLevel::Info,
                            ios_message,
                        );
                    }
                    return;
                }
                if !crate::utils::platform::supports_push_notifications() {
                    return;
                }
                if crate::utils::platform::is_safari() {
                    if let Some(store) = use_context::<crate::store::TorrentStore>() {
                        crate::store::show_toast_with_signal(
                            store.notifications,
                            shared::NotificationLevel::Info,
                            "Bildirim izni için sağ alttaki ayarlar ⚙️ ikonuna basın.".to_string(),
                        );
                    }
                    return;
                }
                     crate::store::subscribe_to_push_notifications().await;
                }
            });
        }
    });
@@ -127,38 +113,29 @@ pub fn App() -> impl IntoView {
                    <Route path="/login" view=move || view! { <Login /> } />
                    <Route path="/setup" view=move || view! { <Setup /> } />
-                    <Route path="/*" view=move || {
+                    <Route path="/" view=move || {
                        view! {
                            <Show when=move || !is_loading.get() fallback=|| view! {
                                <div class="flex items-center justify-center h-screen bg-base-100">
                                    <span class="loading loading-spinner loading-lg"></span>
                                </div>
                            }>
-                                <Show when=move || is_authenticated.get() fallback=|| view! { <Login /> }>
+                                <Show when=move || is_authenticated.get() fallback=|| ()>
-                                    // Protected Layout
+                                    <Protected>
-                                    <div class="drawer lg:drawer-open h-full w-full">
+                                        <TorrentTable />
-                                        <input id="my-drawer" type="checkbox" class="drawer-toggle" />
+                                    </Protected>
                                </Show>
                            </Show>
                        }
                    }/>
-                                        <div class="drawer-content flex flex-col h-full overflow-hidden bg-base-100 text-base-content text-sm select-none">
+                    <Route path="/settings" view=move || {
-                                            <Toolbar />
+                        view! {
-
+                            <Show when=move || !is_loading.get() fallback=|| ()>
-                                            <main class="flex-1 flex flex-col min-w-0 bg-base-100 overflow-hidden pb-8">
+                                <Show when=move || is_authenticated.get() fallback=|| ()>
-                                                <Routes>
+                                    <Protected>
-                                                    <Route path="/" view=move || view! { <TorrentTable /> } />
+                                        <div class="p-4">"Settings Page (Coming Soon)"</div>
-                                                    <Route path="/settings" view=move || view! { <div class="p-4">"Settings Page (Coming Soon)"</div> } />
+                                    </Protected>
                                                </Routes>
                                            </main>
                                            <StatusBar />
                                        </div>
                                        <div class="drawer-side z-40 transition-none duration-0">
                                            <label for="my-drawer" aria-label="close sidebar" class="drawer-overlay transition-none duration-0"></label>
                                            <div class="menu p-0 min-h-full bg-base-200 text-base-content border-r border-base-300 transition-none duration-0">
                                                <Sidebar />
                                            </div>
                                        </div>
                                    </div>
                                </Show>
                            </Show>
                        }
--- a/frontend/src/components/auth/login.rs
+++ b/frontend/src/components/auth/login.rs
@@ -1,17 +1,18 @@
 use leptos::*;
 use leptos_router::*;
 use serde::Serialize;
 #[derive(Serialize)]
 struct LoginRequest {
    username: String,
    password: String,
    remember_me: bool,
 }
 #[component]
 pub fn Login() -> impl IntoView {
    let (username, set_username) = create_signal(String::new());
    let (password, set_password) = create_signal(String::new());
    let (remember_me, set_remember_me) = create_signal(false);
    let (error, set_error) = create_signal(Option::<String>::None);
    let (loading, set_loading) = create_signal(false);
@@ -26,6 +27,7 @@ pub fn Login() -> impl IntoView {
            let req = LoginRequest {
                username: username.get(),
                password: password.get(),
                remember_me: remember_me.get(),
            };
            let client = gloo_net::http::Request::post("/api/auth/login")
@@ -89,6 +91,19 @@ pub fn Login() -> impl IntoView {
                            />
                        </div>
                        <div class="form-control mt-4">
                            <label class="label cursor-pointer justify-start gap-3">
                                <input
                                    type="checkbox"
                                    class="checkbox checkbox-primary checkbox-sm"
                                    prop:checked=remember_me
                                    on:change=move |ev| set_remember_me.set(event_target_checked(&ev))
                                    disabled=move || loading.get()
                                />
                                <span class="label-text">"Beni Hatırla"</span>
                            </label>
                        </div>
                        <Show when=move || error.get().is_some()>
                            <div class="alert alert-error mt-4 text-sm py-2">
                                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
--- a/frontend/src/components/auth/setup.rs
+++ b/frontend/src/components/auth/setup.rs
@@ -1,5 +1,4 @@
 use leptos::*;
 use leptos_router::*;
 use serde::Serialize;
 #[derive(Serialize)]
@@ -49,8 +48,9 @@ pub fn Setup() -> impl IntoView {
            match client.send().await {
                Ok(resp) => {
                    if resp.ok() {
-                        // Redirect to login after setup (full reload to be safe)
+                        // Redirect to home after setup (auto-login handled by backend)
-                        let _ = window().location().set_href("/login");
+                        // Full reload to ensure auth state is refreshed
                        let _ = window().location().set_href("/");
                    } else {
                        let text = resp.text().await.unwrap_or_default();
                        set_error.set(Some(format!("Hata: {}", text)));
--- a/frontend/src/components/layout/mod.rs
+++ b/frontend/src/components/layout/mod.rs
@@ -1,3 +1,4 @@
 pub mod sidebar;
 pub mod toolbar;
 pub mod statusbar;
 pub mod toolbar;
 pub mod protected;
--- a/frontend/src/components/layout/protected.rs
+++ b/frontend/src/components/layout/protected.rs
@@ -0,0 +1,30 @@
 use leptos::*;
 use crate::components::layout::sidebar::Sidebar;
 use crate::components::layout::statusbar::StatusBar;
 use crate::components::layout::toolbar::Toolbar;
 #[component]
 pub fn Protected(children: Children) -> impl IntoView {
    view! {
        <div class="drawer lg:drawer-open h-full w-full">
            <input id="my-drawer" type="checkbox" class="drawer-toggle" />
            <div class="drawer-content flex flex-col h-full overflow-hidden bg-base-100 text-base-content text-sm select-none">
                <Toolbar />
                <main class="flex-1 flex flex-col min-w-0 bg-base-100 overflow-hidden pb-8">
                    {children()}
                </main>
                <StatusBar />
            </div>
            <div class="drawer-side z-40 transition-none duration-0">
                <label for="my-drawer" aria-label="close sidebar" class="drawer-overlay transition-none duration-0"></label>
                <div class="menu p-0 min-h-full bg-base-200 text-base-content border-r border-base-300 transition-none duration-0">
                    <Sidebar />
                </div>
            </div>
        </div>
    }
 }
--- a/frontend/src/components/layout/sidebar.rs
+++ b/frontend/src/components/layout/sidebar.rs
@@ -74,69 +74,202 @@ pub fn Sidebar() -> impl IntoView {
        }
    };
-    view! {
+    let handle_logout = move |_| {
-        <div class="w-64 h-full flex flex-col bg-base-200 border-r border-base-300" style="padding-top: env(safe-area-inset-top);">
+        spawn_local(async move {
-            <div class="p-2">
+            let client = gloo_net::http::Request::post("/api/auth/logout");
-                <ul class="menu w-full rounded-box gap-1">
+            if let Ok(resp) = client.send().await {
-                    <li class="menu-title text-primary uppercase font-bold px-4">"Filters"</li>
+                if resp.ok() {
-                    <li>
+                    // Force full reload to clear state
-                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::All))} on:click=move |_| set_filter(crate::store::FilterStatus::All)>
+                    let _ = window().location().set_href("/login");
                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
                            </svg>
                            "All"
                            <span class="badge badge-sm badge-ghost ml-auto">{total_count}</span>
                        </button>
                    </li>
                    <li>
                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Downloading))} on:click=move |_| set_filter(crate::store::FilterStatus::Downloading)>
                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5M16.5 12L12 16.5m0 0L7.5 12m4.5 4.5V3" />
                            </svg>
                            "Downloading"
                            <span class="badge badge-sm badge-ghost ml-auto">{downloading_count}</span>
                        </button>
                    </li>
                    <li>
                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Seeding))} on:click=move |_| set_filter(crate::store::FilterStatus::Seeding)>
                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5m-13.5-9L12 3m0 0l4.5 4.5M12 3v13.5" />
                            </svg>
                            "Seeding"
                            <span class="badge badge-sm badge-ghost ml-auto">{seeding_count}</span>
                        </button>
                    </li>
                    <li>
                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Completed))} on:click=move |_| set_filter(crate::store::FilterStatus::Completed)>
                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                <path stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
                            </svg>
                            "Completed"
                            <span class="badge badge-sm badge-ghost ml-auto">{completed_count}</span>
                        </button>
                    </li>
                    <li>
                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Paused))} on:click=move |_| set_filter(crate::store::FilterStatus::Paused)>
                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 5.25v13.5m-7.5-13.5v13.5" />
                            </svg>
                            "Paused"
                            <span class="badge badge-sm badge-ghost ml-auto">{paused_count}</span>
                        </button>
                    </li>
                    <li>
                        <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Inactive))} on:click=move |_| set_filter(crate::store::FilterStatus::Inactive)>
                            <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                <path stroke-linecap="round" stroke-linejoin="round" d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728A9 9 0 015.636 5.636m12.728 12.728L5.636 5.636" />
                            </svg>
                            "Inactive"
                             <span class="badge badge-sm badge-ghost ml-auto">{inactive_count}</span>
                        </button>
                    </li>
                </ul>
            </div>
        </div>
                }
-}
+            }
        });
    };
                let username = move || {
                    store.user.get().unwrap_or_else(|| "User".to_string())
                };
                let first_letter = move || {
                    username().chars().next().unwrap_or('?').to_uppercase().to_string()
                };
                view! {
                    <div class="w-64 min-h-[100dvh] flex flex-col bg-base-200 border-r border-base-300 pb-8" style="padding-top: env(safe-area-inset-top);">
                        <div class="p-2 flex-1 overflow-y-auto">
                            <ul class="menu w-full rounded-box gap-1">
                                <li class="menu-title text-primary uppercase font-bold px-4">"Filters"</li>
                                <li>
                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::All))} on:click=move |_| set_filter(crate::store::FilterStatus::All)>
                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                            <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
                                        </svg>
                                        "All"
                                        <span class="badge badge-sm badge-ghost ml-auto">{total_count}</span>
                                    </button>
                                </li>
                                <li>
                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Downloading))} on:click=move |_| set_filter(crate::store::FilterStatus::Downloading)>
                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                            <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5M16.5 12L12 16.5m0 0L7.5 12m4.5 4.5V3" />
                                        </svg>
                                        "Downloading"
                                        <span class="badge badge-sm badge-ghost ml-auto">{downloading_count}</span>
                                    </button>
                                </li>
                                <li>
                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Seeding))} on:click=move |_| set_filter(crate::store::FilterStatus::Seeding)>
                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                            <path stroke-linecap="round" stroke-linejoin="round" d="M3 16.5v2.25A2.25 2.25 0 005.25 21h13.5A2.25 2.25 0 0021 18.75V16.5m-13.5-9L12 3m0 0l4.5 4.5M12 3v13.5" />
                                        </svg>
                                        "Seeding"
                                        <span class="badge badge-sm badge-ghost ml-auto">{seeding_count}</span>
                                    </button>
                                </li>
                                <li>
                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Completed))} on:click=move |_| set_filter(crate::store::FilterStatus::Completed)>
                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                            <path stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
                                        </svg>
                                        "Completed"
                                        <span class="badge badge-sm badge-ghost ml-auto">{completed_count}</span>
                                    </button>
                                </li>
                                <li>
                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Paused))} on:click=move |_| set_filter(crate::store::FilterStatus::Paused)>
                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                            <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 5.25v13.5m-7.5-13.5v13.5" />
                                        </svg>
                                        "Paused"
                                        <span class="badge badge-sm badge-ghost ml-auto">{paused_count}</span>
                                    </button>
                                </li>
                                <li>
                                    <button class={move || format!("cursor-pointer {}", filter_class(crate::store::FilterStatus::Inactive))} on:click=move |_| set_filter(crate::store::FilterStatus::Inactive)>
                                        <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-5 h-5">
                                            <path stroke-linecap="round" stroke-linejoin="round" d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728A9 9 0 015.636 5.636m12.728 12.728L5.636 5.636" />
                                        </svg>
                                        "Inactive"
                                         <span class="badge badge-sm badge-ghost ml-auto">{inactive_count}</span>
                                    </button>
                                </li>
                            </ul>
                        </div>
                        <div class="p-4 border-t border-base-300 bg-base-200/50">
                            <div class="flex items-center gap-3">
                                <div class="avatar">
                                    <div class="w-8 rounded-full bg-neutral text-neutral-content ring ring-primary ring-offset-base-100 ring-offset-1">
                                        <span class="text-sm font-bold flex items-center justify-center h-full">{first_letter}</span>
                                    </div>
                                </div>
                                <div class="flex-1 overflow-hidden">
                                    <div class="font-bold text-sm truncate">{username}</div>
                                    <div class="text-[10px] text-base-content/60 truncate">"Online"</div>
                                </div>
                                <button
                                    class="btn btn-ghost btn-xs btn-square text-error hover:bg-error/10"
                                    title="Logout"
                                    on:click=handle_logout
                                >
                                    <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-4 h-4">
                                        <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 9V5.25A2.25 2.25 0 0013.5 3h-6a2.25 2.25 0 00-2.25 2.25v13.5A2.25 2.25 0 007.5 21h6a2.25 2.25 0 002.25-2.25V15M12 9l-3 3m0 0l3 3m-3-3h12.75" />
                                    </svg>
                                </button>
                            </div>
                        </div>
                    </div>
                }}
--- a/frontend/src/components/torrent/table.rs
+++ b/frontend/src/components/torrent/table.rs
@@ -45,6 +45,14 @@ fn format_duration(seconds: i64) -> String {
    }
 }
 fn format_date(timestamp: i64) -> String {
    let dt = chrono::DateTime::from_timestamp(timestamp, 0);
    match dt {
        Some(dt) => dt.format("%d/%m/%Y %H:%M").to_string(),
        None => "N/A".to_string(),
    }
 }
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 enum SortColumn {
    Name,
@@ -54,6 +62,7 @@ enum SortColumn {
    DownSpeed,
    UpSpeed,
    ETA,
    AddedDate,
 }
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
@@ -66,8 +75,8 @@ enum SortDirection {
 pub fn TorrentTable() -> impl IntoView {
    let store = use_context::<crate::store::TorrentStore>().expect("store not provided");
-    let sort_col = create_rw_signal(SortColumn::Name);
+    let sort_col = create_rw_signal(SortColumn::AddedDate);
-    let sort_dir = create_rw_signal(SortDirection::Ascending);
+    let sort_dir = create_rw_signal(SortDirection::Descending);
    let filtered_torrents = move || {
        let mut torrents = store
@@ -127,6 +136,7 @@ pub fn TorrentTable() -> impl IntoView {
                    let b_eta = if b.eta <= 0 { i64::MAX } else { b.eta };
                    a_eta.cmp(&b_eta)
                }
                SortColumn::AddedDate => a.added_date.cmp(&b.added_date),
            };
            if dir == SortDirection::Descending {
                cmp.reverse()
@@ -264,6 +274,9 @@ pub fn TorrentTable() -> impl IntoView {
                            <th class="w-24 cursor-pointer hover:bg-base-300 group select-none" on:click=move |_| handle_sort(SortColumn::ETA)>
                                 <div class="flex items-center">"ETA" {move || sort_arrow(SortColumn::ETA)}</div>
                            </th>
                            <th class="w-32 cursor-pointer hover:bg-base-300 group select-none" on:click=move |_| handle_sort(SortColumn::AddedDate)>
                                 <div class="flex items-center">"Date" {move || sort_arrow(SortColumn::AddedDate)}</div>
                            </th>
                        </tr>
                    </thead>
                    <tbody>
@@ -317,6 +330,7 @@ pub fn TorrentTable() -> impl IntoView {
                                    <td class="text-right font-mono text-[11px] opacity-80 text-success">{format_speed(t.down_rate)}</td>
                                    <td class="text-right font-mono text-[11px] opacity-80 text-primary">{format_speed(t.up_rate)}</td>
                                    <td class="text-right font-mono text-[11px] opacity-80">{format_duration(t.eta)}</td>
                                    <td class="text-right font-mono text-[11px] opacity-80 whitespace-nowrap">{format_date(t.added_date)}</td>
                                </tr>
                            }
                        }).collect::<Vec<_>>()}
@@ -325,14 +339,6 @@ pub fn TorrentTable() -> impl IntoView {
            </div>
                        <div class="md:hidden flex flex-col h-full bg-base-200 relative">
                            // Transparent overlay to close sort dropdown
                            <Show when=move || sort_open.get()>
                                <div
                                    class="fixed inset-0 z-[98] cursor-default"
                                    on:pointerdown=move |_| set_sort_open.set(false)
                                ></div>
                            </Show>
                            <div class="px-3 py-2 border-b border-base-200 flex justify-between items-center bg-base-100/95 backdrop-blur z-10 shrink-0">
                                <span class="text-xs font-bold opacity-50 uppercase tracking-wider">"Torrents"</span>
@@ -354,7 +360,6 @@ pub fn TorrentTable() -> impl IntoView {
                                    <ul
                                        class="absolute top-full right-0 z-[100] menu p-2 shadow bg-base-100 rounded-box w-48 mt-1 border border-base-200 text-xs"
                                        style=move || if sort_open.get() { "display: block" } else { "display: none" }
                                        on:pointerdown=move |e| e.stop_propagation()
                                    >
                                         <li class="menu-title px-2 py-1 opacity-50 text-[10px] uppercase font-bold">"Sort By"</li>
                                         {
@@ -366,6 +371,7 @@ pub fn TorrentTable() -> impl IntoView {
                                                  (SortColumn::DownSpeed, "Down Speed"),
                                                  (SortColumn::UpSpeed, "Up Speed"),
                                                  (SortColumn::ETA, "ETA"),
                                                  (SortColumn::AddedDate, "Date"),
                                              ];
                                              columns.into_iter().map(|(col, label)| {
@@ -375,6 +381,7 @@ pub fn TorrentTable() -> impl IntoView {
                                                  view! {
                                                      <li>
                                                          <button
                                                              type="button"
                                                              class=move || if is_active() { "bg-primary/10 text-primary font-bold flex justify-between" } else { "flex justify-between" }
                                                              on:pointerdown=move |e| {
                                                                  e.stop_propagation();
@@ -500,7 +507,7 @@ pub fn TorrentTable() -> impl IntoView {
                                    <progress class={format!("progress w-full h-1.5 {}", progress_class)} value={t.percent_complete} max="100"></progress>
                                </div>
-                                <div class="grid grid-cols-3 gap-2 text-[10px] font-mono opacity-80 pt-1 border-t border-base-200/50">
+                                <div class="grid grid-cols-4 gap-2 text-[10px] font-mono opacity-80 pt-1 border-t border-base-200/50">
                                    <div class="flex flex-col">
                                        <span class="text-[9px] opacity-60 uppercase">"Down"</span>
                                        <span class="text-success">{format_speed(t.down_rate)}</span>
@@ -509,10 +516,14 @@ pub fn TorrentTable() -> impl IntoView {
                                        <span class="text-[9px] opacity-60 uppercase">"Up"</span>
                                        <span class="text-primary">{format_speed(t.up_rate)}</span>
                                    </div>
-                                    <div class="flex flex-col text-right">
+                                    <div class="flex flex-col text-center border-r border-base-200/50">
                                        <span class="text-[9px] opacity-60 uppercase">"ETA"</span>
                                        <span>{format_duration(t.eta)}</span>
                                    </div>
                                    <div class="flex flex-col text-right">
                                        <span class="text-[9px] opacity-60 uppercase">"Date"</span>
                                        <span>{format_date(t.added_date)}</span>
                                    </div>
                                </div>
                            </div>
                        </div>
--- a/frontend/src/store.rs
+++ b/frontend/src/store.rs
@@ -120,6 +120,7 @@ pub struct TorrentStore {
    pub search_query: RwSignal<String>,
    pub global_stats: RwSignal<GlobalStats>,
    pub notifications: RwSignal<Vec<NotificationItem>>,
    pub user: RwSignal<Option<String>>,
 }
 pub fn provide_torrent_store() {
@@ -128,6 +129,7 @@ pub fn provide_torrent_store() {
    let search_query = create_rw_signal(String::new());
    let global_stats = create_rw_signal(GlobalStats::default());
    let notifications = create_rw_signal(Vec::<NotificationItem>::new());
    let user = create_rw_signal(Option::<String>::None);
    let store = TorrentStore {
        torrents,
@@ -135,6 +137,7 @@ pub fn provide_torrent_store() {
        search_query,
        global_stats,
        notifications,
        user,
    };
    provide_context(store);
Author	SHA1	Message	Date
spinline	619951fa1c	security: remove hardcoded VAPID keys fallback All checks were successful Build MIPS Binary / build (push) Successful in 4m14s Details VAPID keys must now be set via environment variables or .env file. This eliminates the security risk of having keys in source code.	2026-02-08 05:16:31 +03:00
spinline	6d45e6773f	chore: add DATABASE_URL to .env All checks were successful Build MIPS Binary / build (push) Successful in 4m14s Details	2026-02-08 05:11:31 +03:00
spinline	2c8a2d5956	feat(db): add migrations system and push subscriptions persistence Some checks failed Build MIPS Binary / build (push) Has been cancelled Details - Add sqlx migration system with migrations/ directory - Create 001_init.sql and 002_push_subscriptions.sql migration files - Move from manual CREATE TABLE to version-controlled migrations - Add push_subscriptions table with DB persistence - PushSubscriptionStore now loads from DB on startup - Add save/remove/get methods for push subscriptions in db.rs - Move VAPID keys to .env file (with fallback to hardcoded values) - Delete old vibetorrent.db and recreate with migrations	2026-02-08 05:10:57 +03:00
spinline	6acb299fbe	fix(mobile): add type=button and remove overlay All checks were successful Build MIPS Binary / build (push) Successful in 4m11s Details	2026-02-08 04:37:16 +03:00
spinline	ab49c2ded5	fix(mobile): use pointerdown like statusbar All checks were successful Build MIPS Binary / build (push) Successful in 4m15s Details	2026-02-08 04:27:12 +03:00
spinline	e4957e930d	fix(mobile): fix sort dropdown button events All checks were successful Build MIPS Binary / build (push) Successful in 4m14s Details	2026-02-08 04:17:08 +03:00
spinline	ad2c6dc56e	feat(torrent): add date sorting and display All checks were successful Build MIPS Binary / build (push) Successful in 4m15s Details - Sort torrents by added date (newest first) by default - Add Date column to desktop table (after ETA) - Add Date to mobile card view (grid-cols-3 -> grid-cols-4) - Add Date option to mobile sort dropdown - Display dates in DD/MM/YYYY HH:mm format - Add chrono wasm-bindgen feature	2026-02-08 04:10:02 +03:00
spinline	9f009bc18b	Auto-login user after setup and redirect to dashboard All checks were successful Build MIPS Binary / build (push) Successful in 4m14s Details	2026-02-07 19:54:14 +03:00
spinline	643b83ac21	Remove unused leptos_router imports from login and setup components All checks were successful Build MIPS Binary / build (push) Successful in 4m8s Details	2026-02-07 19:49:58 +03:00
spinline	90b65240b2	Restore required utoipa::OpenApi import Some checks failed Build MIPS Binary / build (push) Has been cancelled Details	2026-02-07 19:47:06 +03:00
spinline	69243a5590	Redirect authenticated users away from login/setup pages Some checks failed Build MIPS Binary / build (push) Failing after 3m27s Details	2026-02-07 19:39:53 +03:00
spinline	10262142fc	Fix unused OpenApi import warning Some checks failed Build MIPS Binary / build (push) Failing after 3m25s Details	2026-02-07 19:34:41 +03:00
spinline	858a1c9b63	Fix compilation errors: Restore missing delete_session method and ApiDoc struct All checks were successful Build MIPS Binary / build (push) Successful in 4m7s Details	2026-02-07 19:28:47 +03:00
spinline	edfb7458f8	Add CLI password reset feature: --reset-password <USERNAME> Some checks failed Build MIPS Binary / build (push) Failing after 3m24s Details	2026-02-07 19:18:10 +03:00
spinline	575cfa4b38	Add 'Remember Me' feature to login (extends session to 30 days) All checks were successful Build MIPS Binary / build (push) Successful in 4m7s Details	2026-02-07 19:05:52 +03:00
spinline	9b18b97c49	Fetch and display actual username in sidebar profile section All checks were successful Build MIPS Binary / build (push) Successful in 4m8s Details	2026-02-07 17:17:16 +03:00
spinline	88723352fd	Fix sidebar overlap: Add bottom padding to account for fixed status bar All checks were successful Build MIPS Binary / build (push) Successful in 4m12s Details	2026-02-07 17:07:30 +03:00
spinline	4231e0b3a7	Adjust sidebar layout to push profile section to the bottom and reduce avatar size All checks were successful Build MIPS Binary / build (push) Successful in 4m7s Details	2026-02-07 16:59:31 +03:00
spinline	1177412c87	Add user profile and logout button to sidebar footer All checks were successful Build MIPS Binary / build (push) Successful in 4m7s Details	2026-02-07 16:40:55 +03:00
spinline	aed753c64f	Lower bcrypt cost to 6 to improve login speed on low-end hardware All checks were successful Build MIPS Binary / build (push) Successful in 4m8s Details	2026-02-07 16:24:06 +03:00
spinline	9d0eb11f16	Refactor App routing to fix infinite recursion and stack overflow errors All checks were successful Build MIPS Binary / build (push) Successful in 4m8s Details	2026-02-07 16:10:06 +03:00