feat(subsonic): MD5 token auth via API keys; update changelog and readme for v1.5.5

Author: Your Name

CHANGELOG.md

@@ -9,21 +9,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- **OpenSubsonic / Subsonic API**: Native client support for Symfonium, DSub, Ultrasonic, Finamp, and any other Subsonic-compatible app
+- **OpenSubsonic / Subsonic API**: Native client support for Amperfy, Symfonium, DSub, Ultrasonic, Finamp, and any other Subsonic-compatible app
   - Full Subsonic REST API v1.16.1 compatibility, with OpenSubsonic extensions declared
+  - **MD5 token auth** — standard Subsonic auth now supported; enter your Kima API token as the password in your client app; the server verifies `md5(token + salt)` against stored API keys, avoiding any need to store plaintext login passwords
   - **OpenSubsonic `apiKey` auth** — generate per-client tokens in Settings > Native Apps; tokens can be named and revoked individually
   - **Endpoints implemented**: `ping`, `getArtists`, `getIndexes`, `getArtist`, `getAlbum`, `getSong`, `getAlbumList2`, `getAlbumList`, `getGenres`, `search3`, `search2`, `getRandomSongs`, `stream`, `download`, `getCoverArt`, `scrobble`, `getPlaylists`, `getPlaylist`, `createPlaylist`, `updatePlaylist`, `deletePlaylist`, `getUser`, `getStarred`, `getStarred2`, `star`, `unstar`, `getArtistInfo2`
   - **Enrichment-aware genres** — genre fields on albums, songs, and search results are sourced from Last.fm-enriched artist tags rather than static file tags; `getGenres` aggregates across the enriched artist catalogue
   - **Enrichment-aware biographies** — `getArtistInfo2` returns the user-edited summary when present, otherwise the Last.fm biography
   - **HTTP 206 range support** on `stream.view` for seek-capable clients and Firefox/Safari
   - Scrobbles recorded as `SUBSONIC` listen source
   - DISCOVER-location albums are excluded from all library views
-  - MD5 token auth intentionally rejected (error 41) — OpenSubsonic `apiKey` is the preferred auth method
-- **Named API tokens** — Settings > Native Apps token generator now accepts a client name (e.g., "Symfonium", "DSub"); previously all tokens were named "Subsonic"
+- **Named API tokens** — Settings > Native Apps token generator now accepts a client name (e.g., "Amperfy", "Symfonium"); previously all tokens were named "Subsonic"
+- **Public server URL setting** — admins can pin a persistent server URL in Settings > Storage; the Native Apps panel reads this URL and falls back to the browser origin when unset
 
 ### Fixed
 
+- **Subsonic `contentType` and `suffix` wrong for FLAC/MP3**: The library scanner stores codec names (`FLAC`, `MPEG 1 Layer 3`) rather than MIME types. Added `normalizeMime()` to translate codec names to proper MIME types before surfacing them to clients — fixes clients that refused to play tracks due to unrecognised content types
+- **`createPlaylist` returned empty response**: Per OpenSubsonic spec (since 1.14.0), `createPlaylist` must return the full playlist object. Now returns the same shape as `getPlaylist`
+- **DISCOVER albums leaking into search and random**: `getRandomSongs` raw SQL and the `search3`/`search2` shared service had no location filter, allowing DISCOVER-only albums to appear in results. Both are now filtered to `LIBRARY` location only
+- **PWA icons**: Replaced placeholder icons with the Kima brand — amber diagonal gradient with radial bloom; solid black background for maskable variants; `apple-touch-icon` added; MediaSession fallback artwork wired up
 - **Frontend lint errors** (pre-existing): `let sectionIndex` changed to `const` in three pages; `setPreviewLoadState` moved inside the async function to avoid calling setState synchronously in a `useEffect`
+- **Vibe orphaned-completed tracks**: Tracks where `vibeAnalysisStatus = 'completed'` but no embedding row exists (left over from the `reduce_embedding_dimension` migration) are now detected and reset each enrichment cycle so they re-enter the CLAP queue
 
 ## [1.5.4] - 2026-02-21
 

README.md

@@ -147,6 +147,7 @@ Import playlists from Spotify and Deezer, or browse and discover new music direc
 ### Native Apps
 
 -   **OpenSubsonic API** - Use any Subsonic-compatible client (Symfonium, DSub, Ultrasonic, Finamp, etc.) to stream your Kima library
+-   **Standard Subsonic auth** - MD5 token auth supported; enter your API token as the password — works with Amperfy, Symfonium, DSub, and any standard Subsonic client
 -   **Per-client tokens** - Generate named API tokens in Settings > Native Apps; revoke them individually when a device is lost or replaced
 -   **Enrichment-aware** - Genres and artist biographies exposed to clients come from Last.fm enrichment, not just file tags
 
@@ -654,22 +655,22 @@ You can also configure Soulseek as a download source for playlist imports. In Se
 
 Kima implements the [OpenSubsonic](https://opensubsonic.netlify.app/) REST API, making it compatible with any Subsonic client.
 
-**Tested clients:** Symfonium, DSub, Ultrasonic, Finamp
+**Tested clients:** Amperfy (iOS), Symfonium, DSub, Ultrasonic, Finamp
 
 **Setup:**
 
 1. Go to Settings > Native Apps in Kima
-2. Enter a client name (e.g. "Symfonium on Pixel 9") and click **Generate Token**
+2. Enter a client name (e.g. "Amperfy on iPhone") and click **Generate Token**
 3. Copy and save the token — it is only shown once
 4. In your client app, configure:
    - **Server URL** — your Kima server address (e.g. `http://192.168.1.10:3030`)
    - **Username** — your Kima username
-   - **Password / API key** — the token you just generated
+   - **Password** — the token you just generated
 
 **Notes:**
 
+- Standard MD5 token auth is supported — clients that hash their password automatically will work correctly when you enter an API token as the password
 - Each client should have its own token so you can revoke access per device
-- MD5 token authentication is intentionally rejected; use the plaintext `p=` or OpenSubsonic `apiKey` parameter
 - Genres and biographies surfaced to clients come from Last.fm enrichment, not just file tags
 - DISCOVER-location albums are excluded from all library views
 

backend/src/middleware/subsonicAuth.ts

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import bcrypt from "bcrypt";
+import crypto from "crypto";
 import { prisma } from "../utils/db";
 import { subsonicError, SubsonicError } from "../utils/subsonicResponse";
 
@@ -18,13 +19,55 @@ export async function subsonicAuth(
         return;
     }
 
-    // Reject MD5 token auth — cryptographically insecure, not supported
-    if (tokenMd5) {
-        subsonicError(req, res, SubsonicError.TOKEN_AUTH_NOT_SUPPORTED, "Token-based auth is not supported. Use apiKey (OpenSubsonic) instead.");
-        return;
-    }
-
     try {
+        // MD5 token auth — verify against the user's API keys.
+        // Standard Subsonic clients send t=md5(password+salt)&s=salt. Since Kima
+        // stores bcrypt hashes it cannot verify against the login password, so the
+        // user enters an API key as the "password" in their client. The server
+        // computes md5(apiKey+salt) for each of the user's keys and checks for a match.
+        if (tokenMd5) {
+            const salt = req.query.s as string | undefined;
+            if (!salt) {
+                subsonicError(req, res, SubsonicError.MISSING_PARAM, "Required parameter is missing: s");
+                return;
+            }
+
+            const user = await prisma.user.findUnique({
+                where: { username },
+                select: { id: true, username: true, role: true },
+            });
+
+            if (!user) {
+                subsonicError(req, res, SubsonicError.WRONG_CREDENTIALS, "Wrong username or password");
+                return;
+            }
+
+            const apiKeys = await prisma.apiKey.findMany({
+                where: { userId: user.id },
+                select: { id: true, key: true },
+            });
+
+            let matchedKeyId: string | null = null;
+            for (const k of apiKeys) {
+                const expected = crypto.createHash("md5").update(k.key + salt).digest("hex");
+                if (expected === tokenMd5) {
+                    matchedKeyId = k.id;
+                    break;
+                }
+            }
+
+            if (!matchedKeyId) {
+                subsonicError(req, res, SubsonicError.WRONG_CREDENTIALS, "Wrong username or password");
+                return;
+            }
+
+            prisma.apiKey.update({ where: { id: matchedKeyId }, data: { lastUsed: new Date() } }).catch(() => {});
+
+            req.user = user;
+            next();
+            return;
+        }
+
         // OpenSubsonic API key auth (preferred)
         if (apiKey) {
             const keyRecord = await prisma.apiKey.findUnique({

frontend/features/settings/components/sections/SubsonicSection.tsx

@@ -134,7 +134,7 @@ export function SubsonicSection() {
                         type="text"
                         value={deviceName}
                         onChange={(e) => setDeviceName(e.target.value)}
-                        placeholder="Client name (e.g. Symfonium, DSub)"
+                        placeholder="Client name (e.g. Amperfy, Symfonium, DSub)"
                         className="text-sm text-white bg-white/5 border border-white/10 px-3 py-2 rounded-lg font-mono
                             placeholder:text-white/20 focus:outline-none focus:border-white/20 w-full"
                     />