security: remove hardcoded VAPID keys fallback

VAPID keys must now be set via environment variables or .env file.
This eliminates the security risk of having keys in source code.

backend/.env

@@ -0,0 +1,8 @@
+# Database
+DATABASE_URL=sqlite:vibetorrent.db
+
+# VAPID Keys for Push Notifications
+# Generate new keys for production using: cargo run --bin web-push --features web-push -- generate-vapid-keys
+VAPID_PUBLIC_KEY=BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU
+VAPID_PRIVATE_KEY=aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10
+VAPID_EMAIL=mailto:admin@vibetorrent.app

backend/migrations/001_init.sql

@@ -0,0 +1,16 @@
+-- 001_init.sql
+-- Initial schema for users and sessions
+
+CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY,
+    username TEXT NOT NULL UNIQUE,
+    password_hash TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS sessions (
+    token TEXT PRIMARY KEY,
+    user_id INTEGER NOT NULL,
+    expires_at DATETIME NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES users(id)
+);

backend/migrations/002_push_subscriptions.sql

@@ -0,0 +1,13 @@
+-- 002_push_subscriptions.sql
+-- Push notification subscriptions storage
+
+CREATE TABLE IF NOT EXISTS push_subscriptions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    endpoint TEXT NOT NULL UNIQUE,
+    p256dh TEXT NOT NULL,
+    auth TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Index for faster lookups by endpoint
+CREATE INDEX IF NOT EXISTS idx_push_subscriptions_endpoint ON push_subscriptions(endpoint);

backend/src/db.rs

@@ -16,35 +16,12 @@ impl Db {
             .await?;
 
         let db = Self { pool };
-        db.init().await?;
+        db.run_migrations().await?;
         Ok(db)
     }
 
-    async fn init(&self) -> Result<()> {
+    async fn run_migrations(&self) -> Result<()> {
-        // Create users table
+        sqlx::migrate!("./migrations").run(&self.pool).await?;
-        sqlx::query(
-            "CREATE TABLE IF NOT EXISTS users (
-                id INTEGER PRIMARY KEY,
-                username TEXT NOT NULL UNIQUE,
-                password_hash TEXT NOT NULL,
-                created_at DATETIME DEFAULT CURRENT_TIMESTAMP
-            )",
-        )
-        .execute(&self.pool)
-        .await?;
-
-        // Create sessions table
-        sqlx::query(
-            "CREATE TABLE IF NOT EXISTS sessions (
-                token TEXT PRIMARY KEY,
-                user_id INTEGER NOT NULL,
-                expires_at DATETIME NOT NULL,
-                FOREIGN KEY(user_id) REFERENCES users(id)
-            )",
-        )
-        .execute(&self.pool)
-        .await?;
-
         Ok(())
     }
 
@@ -76,6 +53,7 @@ impl Db {
 
         Ok(row.map(|r| r.get(0)))
     }
+
     pub async fn has_users(&self) -> Result<bool> {
         let row: (i64,) = sqlx::query_as("SELECT COUNT(*) FROM users")
             .fetch_one(&self.pool)
@@ -128,4 +106,36 @@ impl Db {
             .await?;
         Ok(())
     }
+
+    // --- Push Subscription Operations ---
+
+    pub async fn save_push_subscription(&self, endpoint: &str, p256dh: &str, auth: &str) -> Result<()> {
+        sqlx::query(
+            "INSERT INTO push_subscriptions (endpoint, p256dh, auth) VALUES (?, ?, ?)
+             ON CONFLICT(endpoint) DO UPDATE SET p256dh = EXCLUDED.p256dh, auth = EXCLUDED.auth"
+        )
+        .bind(endpoint)
+        .bind(p256dh)
+        .bind(auth)
+        .execute(&self.pool)
+        .await?;
+        Ok(())
+    }
+
+    pub async fn remove_push_subscription(&self, endpoint: &str) -> Result<()> {
+        sqlx::query("DELETE FROM push_subscriptions WHERE endpoint = ?")
+            .bind(endpoint)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn get_all_push_subscriptions(&self) -> Result<Vec<(String, String, String)>> {
+        let rows = sqlx::query_as::<_, (String, String, String)>(
+            "SELECT endpoint, p256dh, auth FROM push_subscriptions"
+        )
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows)
+    }
 }

backend/src/handlers/setup.rs

@@ -6,6 +6,8 @@ use axum::{
 };
 use serde::{Deserialize, Serialize};
 use utoipa::ToSchema;
+use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
+use time::Duration;
 
 #[derive(Deserialize, ToSchema)]
 pub struct SetupRequest {
@@ -41,7 +43,7 @@ pub async fn get_setup_status_handler(State(state): State<AppState>) -> impl Int
     path = "/api/setup",
     request_body = SetupRequest,
     responses(
-        (status = 200, description = "Setup completed"),
+        (status = 200, description = "Setup completed and logged in"),
         (status = 400, description = "Invalid request"),
         (status = 403, description = "Setup already completed"),
         (status = 500, description = "Internal server error")
@@ -49,6 +51,7 @@ pub async fn get_setup_status_handler(State(state): State<AppState>) -> impl Int
 )]
 pub async fn setup_handler(
     State(state): State<AppState>,
+    jar: CookieJar,
     Json(payload): Json<SetupRequest>,
 ) -> impl IntoResponse {
     // 1. Check if setup is already completed (i.e., users exist)
@@ -68,7 +71,6 @@ pub async fn setup_handler(
 
     // 3. Create User
     // Lower cost for faster login on low-power devices (MIPS routers etc.)
-    // Default is usually 12, which takes ~3s on slow CPUs. 6 should be much faster.
     let password_hash = match bcrypt::hash(&payload.password, 6) {
         Ok(h) => h,
         Err(e) => {
@@ -82,5 +84,42 @@ pub async fn setup_handler(
         return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to create user").into_response();
     }
 
-    (StatusCode::OK, "Setup completed successfully").into_response()
+    // 4. Auto-Login (Create Session)
+    // Get the created user's ID
+    let user = match state.db.get_user_by_username(&payload.username).await {
+        Ok(Some(u)) => u,
+        Ok(None) => return (StatusCode::INTERNAL_SERVER_ERROR, "User created but not found").into_response(),
+        Err(e) => {
+            tracing::error!("DB error fetching new user: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR, "Database error").into_response();
+        }
+    };
+    let (user_id, _) = user;
+
+    // Create session token
+    let token: String = (0..32).map(|_| {
+        use rand::{distributions::Alphanumeric, Rng};
+        rand::thread_rng().sample(Alphanumeric) as char
+    }).collect();
+
+    // Default expiration: 1 day (since it's not "remember me")
+    let expires_in = 60 * 60 * 24;
+    let expires_at = time::OffsetDateTime::now_utc().unix_timestamp() + expires_in;
+
+    if let Err(e) = state.db.create_session(user_id, &token, expires_at).await {
+        tracing::error!("Failed to create session for new user: {}", e);
+        // Even if session fails, setup is technically complete, but login failed.
+        // We return OK but user will have to login manually.
+        return (StatusCode::OK, "Setup completed, please login").into_response();
+    }
+
+    let mut cookie = Cookie::build(("auth_token", token))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .build();
+
+    cookie.set_max_age(Duration::seconds(expires_in));
+
+    (StatusCode::OK, jar.add(cookie), "Setup completed and logged in").into_response()
 }

backend/src/main.rs

@@ -320,13 +320,25 @@ async fn main() {
     // Channel for Events (Diffs)
     let (event_bus, _) = broadcast::channel::<AppEvent>(1024);
 
+    #[cfg(feature = "push-notifications")]
+    let push_store = match push::PushSubscriptionStore::with_db(&db).await {
+        Ok(store) => store,
+        Err(e) => {
+            tracing::error!("Failed to initialize push store: {}", e);
+            push::PushSubscriptionStore::new()
+        }
+    };
+
+    #[cfg(not(feature = "push-notifications"))]
+    let push_store = ();
+
     let app_state = AppState {
         tx: tx.clone(),
         event_bus: event_bus.clone(),
         scgi_socket_path: args.socket.clone(),
         db: db.clone(),
         #[cfg(feature = "push-notifications")]
-        push_store: push::PushSubscriptionStore::new(),
+        push_store,
     };
 
     // Spawn background task to poll rTorrent

backend/src/push.rs

@@ -6,10 +6,7 @@ use web_push::{
     HyperWebPushClient, SubscriptionInfo, VapidSignatureBuilder, WebPushClient, WebPushMessageBuilder,
 };
 
-// VAPID keys - PRODUCTION'DA ENVIRONMENT VARIABLE'DAN ALINMALI!
+use crate::db::Db;
-const VAPID_PUBLIC_KEY: &str = "BEdPj6XQR7MGzM28Nev9wokF5upHoydNDahouJbQ9ZdBJpEFAN1iNfANSEvY0ItasNY5zcvvqN_tjUt64Rfd0gU";
-const VAPID_PRIVATE_KEY: &str = "aUcCYJ7kUd9UClCaWwad0IVgbYJ6svwl19MjSX7GH10";
-const VAPID_EMAIL: &str = "mailto:admin@vibetorrent.app";
 
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct PushSubscription {
@@ -23,34 +20,72 @@ pub struct PushKeys {
     pub auth: String,
 }
 
-/// In-memory store for push subscriptions
+#[derive(Clone)]
-/// TODO: Replace with database in production
-#[derive(Default, Clone)]
 pub struct PushSubscriptionStore {
+    db: Option<Db>,
     subscriptions: Arc<RwLock<Vec<PushSubscription>>>,
 }
 
 impl PushSubscriptionStore {
     pub fn new() -> Self {
         Self {
+            db: None,
             subscriptions: Arc::new(RwLock::new(Vec::new())),
         }
     }
 
+    pub async fn with_db(db: &Db) -> Result<Self, Box<dyn std::error::Error>> {
+        let mut subscriptions_vec: Vec<PushSubscription> = Vec::new();
+
+        // Load existing subscriptions from DB
+        let subs = db.get_all_push_subscriptions().await?;
+        for (endpoint, p256dh, auth) in subs {
+            subscriptions_vec.push(PushSubscription {
+                endpoint,
+                keys: PushKeys { p256dh, auth },
+            });
+        }
+        tracing::info!("Loaded {} push subscriptions from database", subscriptions_vec.len());
+
+        Ok(Self {
+            db: Some(db.clone()),
+            subscriptions: Arc::new(RwLock::new(subscriptions_vec)),
+        })
+    }
+
     pub async fn add_subscription(&self, subscription: PushSubscription) {
+        // Add to memory
         let mut subs = self.subscriptions.write().await;
 
         // Remove duplicate endpoint if exists
         subs.retain(|s| s.endpoint != subscription.endpoint);
-        
+        subs.push(subscription.clone());
-        subs.push(subscription);
         tracing::info!("Added push subscription. Total: {}", subs.len());
+
+        // Save to DB if available
+        if let Some(db) = &self.db {
+            if let Err(e) = db.save_push_subscription(
+                &subscription.endpoint,
+                &subscription.keys.p256dh,
+                &subscription.keys.auth,
+            ).await {
+                tracing::error!("Failed to save push subscription to DB: {}", e);
+            }
+        }
     }
 
     pub async fn remove_subscription(&self, endpoint: &str) {
+        // Remove from memory
         let mut subs = self.subscriptions.write().await;
         subs.retain(|s| s.endpoint != endpoint);
         tracing::info!("Removed push subscription. Total: {}", subs.len());
+
+        // Remove from DB if available
+        if let Some(db) = &self.db {
+            if let Err(e) = db.remove_push_subscription(endpoint).await {
+                tracing::error!("Failed to remove push subscription from DB: {}", e);
+            }
+        }
     }
 
     pub async fn get_all_subscriptions(&self) -> Vec<PushSubscription> {
@@ -83,6 +118,9 @@ pub async fn send_push_notification(
 
     let client = HyperWebPushClient::new();
 
+    let vapid_private_key = std::env::var("VAPID_PRIVATE_KEY").expect("VAPID_PRIVATE_KEY must be set in .env");
+    let vapid_email = std::env::var("VAPID_EMAIL").expect("VAPID_EMAIL must be set in .env");
+
     for subscription in subscriptions {
         let subscription_info = SubscriptionInfo {
             endpoint: subscription.endpoint.clone(),
@@ -93,13 +131,13 @@ pub async fn send_push_notification(
         };
 
         let mut sig_builder = VapidSignatureBuilder::from_base64(
-            VAPID_PRIVATE_KEY,
+            &vapid_private_key,
             web_push::URL_SAFE_NO_PAD,
             &subscription_info,
         )?;
 
-        sig_builder.add_claim("sub", VAPID_EMAIL);
+        sig_builder.add_claim("sub", vapid_email.as_str());
-        sig_builder.add_claim("aud", subscription.endpoint.clone());
+        sig_builder.add_claim("aud", subscription.endpoint.as_str());
         let signature = sig_builder.build()?;
 
         let mut builder = WebPushMessageBuilder::new(&subscription_info);
@@ -122,6 +160,6 @@ pub async fn send_push_notification(
     Ok(())
 }
 
-pub fn get_vapid_public_key() -> &'static str {
+pub fn get_vapid_public_key() -> String {
-    VAPID_PUBLIC_KEY
+    std::env::var("VAPID_PUBLIC_KEY").expect("VAPID_PUBLIC_KEY must be set in .env")
 }

frontend/Cargo.toml

@@ -21,7 +21,7 @@ wasm-bindgen = "0.2"
 wasm-bindgen-futures = "0.4"
 uuid = { version = "1", features = ["v4", "js"] }
 futures = "0.3"
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { version = "0.4", features = ["serde", "wasm-bindgen"] }
 web-sys = { version = "0.3", features = [
     "HtmlDivElement",
     "HtmlUListElement",

frontend/src/components/auth/setup.rs

@@ -48,8 +48,9 @@ pub fn Setup() -> impl IntoView {
             match client.send().await {
                 Ok(resp) => {
                     if resp.ok() {
-                        // Redirect to login after setup (full reload to be safe)
+                        // Redirect to home after setup (auto-login handled by backend)
-                        let _ = window().location().set_href("/login");
+                        // Full reload to ensure auth state is refreshed
+                        let _ = window().location().set_href("/");
                     } else {
                         let text = resp.text().await.unwrap_or_default();
                         set_error.set(Some(format!("Hata: {}", text)));

frontend/src/components/torrent/table.rs

@@ -45,6 +45,14 @@ fn format_duration(seconds: i64) -> String {
     }
 }
 
+fn format_date(timestamp: i64) -> String {
+    let dt = chrono::DateTime::from_timestamp(timestamp, 0);
+    match dt {
+        Some(dt) => dt.format("%d/%m/%Y %H:%M").to_string(),
+        None => "N/A".to_string(),
+    }
+}
+
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 enum SortColumn {
     Name,
@@ -54,6 +62,7 @@ enum SortColumn {
     DownSpeed,
     UpSpeed,
     ETA,
+    AddedDate,
 }
 
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
@@ -66,8 +75,8 @@ enum SortDirection {
 pub fn TorrentTable() -> impl IntoView {
     let store = use_context::<crate::store::TorrentStore>().expect("store not provided");
 
-    let sort_col = create_rw_signal(SortColumn::Name);
+    let sort_col = create_rw_signal(SortColumn::AddedDate);
-    let sort_dir = create_rw_signal(SortDirection::Ascending);
+    let sort_dir = create_rw_signal(SortDirection::Descending);
 
     let filtered_torrents = move || {
         let mut torrents = store
@@ -127,6 +136,7 @@ pub fn TorrentTable() -> impl IntoView {
                     let b_eta = if b.eta <= 0 { i64::MAX } else { b.eta };
                     a_eta.cmp(&b_eta)
                 }
+                SortColumn::AddedDate => a.added_date.cmp(&b.added_date),
             };
             if dir == SortDirection::Descending {
                 cmp.reverse()
@@ -264,6 +274,9 @@ pub fn TorrentTable() -> impl IntoView {
                             <th class="w-24 cursor-pointer hover:bg-base-300 group select-none" on:click=move |_| handle_sort(SortColumn::ETA)>
                                  <div class="flex items-center">"ETA" {move || sort_arrow(SortColumn::ETA)}</div>
                             </th>
+                            <th class="w-32 cursor-pointer hover:bg-base-300 group select-none" on:click=move |_| handle_sort(SortColumn::AddedDate)>
+                                 <div class="flex items-center">"Date" {move || sort_arrow(SortColumn::AddedDate)}</div>
+                            </th>
                         </tr>
                     </thead>
                     <tbody>
@@ -317,6 +330,7 @@ pub fn TorrentTable() -> impl IntoView {
                                     <td class="text-right font-mono text-[11px] opacity-80 text-success">{format_speed(t.down_rate)}</td>
                                     <td class="text-right font-mono text-[11px] opacity-80 text-primary">{format_speed(t.up_rate)}</td>
                                     <td class="text-right font-mono text-[11px] opacity-80">{format_duration(t.eta)}</td>
+                                    <td class="text-right font-mono text-[11px] opacity-80 whitespace-nowrap">{format_date(t.added_date)}</td>
                                 </tr>
                             }
                         }).collect::<Vec<_>>()}
@@ -325,14 +339,6 @@ pub fn TorrentTable() -> impl IntoView {
             </div>
 
                         <div class="md:hidden flex flex-col h-full bg-base-200 relative">
-                            // Transparent overlay to close sort dropdown
-                            <Show when=move || sort_open.get()>
-                                <div
-                                    class="fixed inset-0 z-[98] cursor-default"
-                                    on:pointerdown=move |_| set_sort_open.set(false)
-                                ></div>
-                            </Show>
-
                             <div class="px-3 py-2 border-b border-base-200 flex justify-between items-center bg-base-100/95 backdrop-blur z-10 shrink-0">
                                 <span class="text-xs font-bold opacity-50 uppercase tracking-wider">"Torrents"</span>
 
@@ -354,7 +360,6 @@ pub fn TorrentTable() -> impl IntoView {
                                     <ul
                                         class="absolute top-full right-0 z-[100] menu p-2 shadow bg-base-100 rounded-box w-48 mt-1 border border-base-200 text-xs"
                                         style=move || if sort_open.get() { "display: block" } else { "display: none" }
-                                        on:pointerdown=move |e| e.stop_propagation()
                                     >
                                          <li class="menu-title px-2 py-1 opacity-50 text-[10px] uppercase font-bold">"Sort By"</li>
                                          {
@@ -366,6 +371,7 @@ pub fn TorrentTable() -> impl IntoView {
                                                   (SortColumn::DownSpeed, "Down Speed"),
                                                   (SortColumn::UpSpeed, "Up Speed"),
                                                   (SortColumn::ETA, "ETA"),
+                                                  (SortColumn::AddedDate, "Date"),
                                               ];
 
                                               columns.into_iter().map(|(col, label)| {
@@ -375,6 +381,7 @@ pub fn TorrentTable() -> impl IntoView {
                                                   view! {
                                                       <li>
                                                           <button
+                                                              type="button"
                                                               class=move || if is_active() { "bg-primary/10 text-primary font-bold flex justify-between" } else { "flex justify-between" }
                                                               on:pointerdown=move |e| {
                                                                   e.stop_propagation();
@@ -500,7 +507,7 @@ pub fn TorrentTable() -> impl IntoView {
                                     <progress class={format!("progress w-full h-1.5 {}", progress_class)} value={t.percent_complete} max="100"></progress>
                                 </div>
 
-                                <div class="grid grid-cols-3 gap-2 text-[10px] font-mono opacity-80 pt-1 border-t border-base-200/50">
+                                <div class="grid grid-cols-4 gap-2 text-[10px] font-mono opacity-80 pt-1 border-t border-base-200/50">
                                     <div class="flex flex-col">
                                         <span class="text-[9px] opacity-60 uppercase">"Down"</span>
                                         <span class="text-success">{format_speed(t.down_rate)}</span>
@@ -509,10 +516,14 @@ pub fn TorrentTable() -> impl IntoView {
                                         <span class="text-[9px] opacity-60 uppercase">"Up"</span>
                                         <span class="text-primary">{format_speed(t.up_rate)}</span>
                                     </div>
-                                    <div class="flex flex-col text-right">
+                                    <div class="flex flex-col text-center border-r border-base-200/50">
                                         <span class="text-[9px] opacity-60 uppercase">"ETA"</span>
                                         <span>{format_duration(t.eta)}</span>
                                     </div>
+                                    <div class="flex flex-col text-right">
+                                        <span class="text-[9px] opacity-60 uppercase">"Date"</span>
+                                        <span>{format_date(t.added_date)}</span>
+                                    </div>
                                 </div>
                             </div>
                         </div>