Docker Web improvements & better security

.github/scripts/generate_release_version.py

@@ -73,7 +73,7 @@ def main():
     args = parser.parse_args()
 
     # Fallback version if version generation fails
-    FALLBACK_VERSION = "2026.1.4"
+    FALLBACK_VERSION = "2026.1.5"
 
     try:
         base_ver = get_current_date_version()

.github/workflows/deploy-docs.yml

@@ -11,7 +11,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
+  contents: write
   pages: write
   id-token: write
 
@@ -214,18 +214,12 @@ jobs:
         env:
           BASE_URL: /
 
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+      - name: Upload to gh-pages
+        uses: JamesIves/github-pages-deploy-action@v4
         with:
-          path: docs/.vitepress/dist
-
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    needs: build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
+          folder: docs/.vitepress/dist
+          branch: gh-pages
+          clean: true
+          # Preserve the pr-preview directory
+          clean-exclude: |
+            pr-preview/

.github/workflows/docs_preview.yml

@@ -28,6 +28,56 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
 
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+
+      - name: Install Python Dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install .[test]
+          pip install Pillow
+
+      - name: Pre-install Addons (Web)
+        run: |
+           mkdir -p src/switchcraft/addons
+           python -c "import zipfile, os, glob; from pathlib import Path; [zipfile.ZipFile(z).extractall(Path('src/switchcraft/addons') / Path(z).stem.replace('switchcraft_', '')) for z in glob.glob('src/switchcraft/assets/addons/*.zip')]"
+
+      - name: Build Web Demo
+        run: |
+          python scripts/prepare_web_dist.py --bake
+          mkdir -p build_web
+          cp -r src/switchcraft build_web/
+
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          cat > build_web/web_entry.py <<EOF
+          import os
+          import sys
+          import flet as ft
+          # WASM compatibility patches
+          if sys.platform == "emscripten":
+              import pyodide_http
+              pyodide_http.patch_all()
+          sys.path.insert(0, os.getcwd())
+          import switchcraft
+          switchcraft.IS_DEMO = True
+          import switchcraft.main
+          if __name__ == "__main__":
+              ft.run(switchcraft.main.main, assets_dir="assets")
+          EOF
+
+          cd build_web
+          # Simplified publish for preview - use the PR specific base-url
+          flet publish web_entry.py --app-name "SwitchCraft Demo PR-$PR_NUMBER" --base-url "/pr-preview/pr-$PR_NUMBER/demo/" --distpath ../dist --assets switchcraft/assets
+          cd ..
+
+          python scripts/prepare_web_dist.py --patch dist
+          rm -rf docs/public/demo
+          mkdir -p docs/public/demo
+          cp -r dist/* docs/public/demo/
+        shell: bash
+
       - name: Setup Node
         uses: actions/setup-node@v6
         with:
@@ -36,8 +86,13 @@ jobs:
           cache-dependency-path: docs/package-lock.json
 
       - name: Install dependencies
-        run: npm ci
-        working-directory: docs
+        run: |
+          cd docs
+          if [ -f package-lock.json ]; then
+            npm ci
+          else
+            npm install vitepress vue
+          fi
 
       - name: Build Docs
         run: npm run docs:build

.github/workflows/release.yml

@@ -71,6 +71,8 @@ jobs:
           sed -i "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" src/switchcraft_advanced/manifest.json
           sed -i "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" src/switchcraft_ai/manifest.json
           sed -i "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" src/switchcraft_winget/manifest.json
+          sed -i "s/\"description\": \".*\"/\"description\": \"SwitchCraft - Enterprise Application Management\"/" src/switchcraft/assets/manifest.json
+          sed -i "s/\"version\": \".*\"/\"version\": \"$VERSION\"/" src/switchcraft/assets/manifest.json
 
 
           # Update .iss files (Inno Setup installer scripts)
@@ -125,7 +127,7 @@ jobs:
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
 
-          git add pyproject.toml src/switchcraft/__init__.py file_version_info.txt switchcraft.iss switchcraft_legacy.iss src/switchcraft_advanced/manifest.json src/switchcraft_ai/manifest.json src/switchcraft_winget/manifest.json
+          git add pyproject.toml src/switchcraft/__init__.py file_version_info.txt switchcraft.iss switchcraft_legacy.iss src/switchcraft_advanced/manifest.json src/switchcraft_ai/manifest.json src/switchcraft_winget/manifest.json src/switchcraft/assets/manifest.json
 
 
           # Only commit if there are changes

.github/workflows/test.yml

@@ -55,7 +55,7 @@ jobs:
         if: steps.should_run.outputs.should_run == 'true'
         run: |
           python -m pip install --upgrade pip
-          pip install .[test,gui,desktop]
+          pip install .[test,gui,desktop,web-server]
 
       - name: Run All Python Tests
         if: steps.should_run.outputs.should_run == 'true'
@@ -121,7 +121,7 @@ jobs:
       - name: Install Dependencies
         run: |
            python -m pip install --upgrade pip
-           pip install .[test,gui,desktop]
+           pip install .[test,gui,desktop,web-server]
            pip install pytest-asyncio
 
       - name: Run E2E Integration Tests

Dockerfile

@@ -16,9 +16,8 @@ COPY pyproject.toml .
 COPY README.md .
 COPY src ./src
 
-# Install dependencies (Modern Flet only)
-# Note: We omit 'gui' (Legacy Tkinter) to avoid system package requirements
-RUN pip install --no-cache-dir .[modern]
+# Install dependencies (Modern Flet + Web Server + Web WASM)
+RUN pip install --no-cache-dir .[modern,web-server] flet-web packaging
 
 # Generate Addons (Pre-installed)
 RUN python src/generate_addons.py
@@ -42,5 +41,5 @@ ENV SC_DISABLE_WINGET_INSTALL=1
 # Create symlink for assets so Flet can find them at /app/assets
 RUN ln -s /app/src/switchcraft/assets /app/assets
 
-# Command to run the application in web mode
-CMD ["flet", "run", "--web", "--port", "8080", "--host", "0.0.0.0", "src/switchcraft/main.py"]
+# Command to run the application using the Auth Proxy Server
+CMD ["uvicorn", "switchcraft.server.app:app", "--host", "0.0.0.0", "--port", "8080"]

docker-compose.yml

@@ -0,0 +1,24 @@
+services:
+  switchcraft-web:
+    build: .
+    image: switchcraft-web:latest
+    container_name: switchcraft-web
+    ports:
+      - "8080:8080"
+    volumes:
+      - switchcraft_data:/root/.switchcraft
+    environment:
+      - SC_CLIENT_ID=${SC_CLIENT_ID}
+      - SC_CLIENT_SECRET=${SC_CLIENT_SECRET}
+      - SC_AUTH_PROVIDER=${SC_AUTH_PROVIDER:-entra}
+      - SC_ENTRA_CLIENT_ID=${SC_ENTRA_CLIENT_ID}
+      - SC_ENTRA_CLIENT_SECRET=${SC_ENTRA_CLIENT_SECRET}
+      - SC_ENTRA_TENANT_ID=${SC_ENTRA_TENANT_ID}
+      - SC_GITHUB_CLIENT_ID=${SC_GITHUB_CLIENT_ID}
+      - SC_GITHUB_CLIENT_SECRET=${SC_GITHUB_CLIENT_SECRET}
+      - SC_BASE_URL=${SC_BASE_URL}
+      - SC_DISABLE_WINGET_INSTALL=1
+    restart: unless-stopped
+
+volumes:
+  switchcraft_data:

docs/.vitepress/config.mts

@@ -97,7 +97,8 @@ export default defineConfig({
                         { text: 'OMA-URI Reference', link: '/Intune_Configuration_Guide' },
                         { text: 'GPO / ADMX Policies', link: '/PolicyDefinitions/README' },
                         { text: 'Registry Settings', link: '/Registry' },
-                        { text: 'Security Guide', link: '/SECURITY' }
+                        { text: 'Security Guide', link: '/SECURITY' },
+                        { text: 'Docker Self-Hosting', link: '/docker_setup' }
                     ]
                 },
                 {

docs/docker_setup.md

@@ -1,42 +1,107 @@
-# SwitchCraft Web App (Docker) Guide
-
-## Overview
-SwitchCraft can be deployed as a Dockerized Web Application using Flet. This provides a web-accessible version of the packaging tool.
-
-## Deployment
-
-### Prerequisites
-- Docker Engine
-- Git
-
-### Build & Run
-1. **Build the Image**
-   ```bash
-   docker build -t switchcraft-web .
-   ```
-
-2. **Run the Container**
-   ```bash
-   docker run -d -p 8080:8080 --name switchcraft switchcraft-web
-   ```
-   Access the app at `http://localhost:8080`.
-
-## Configuration
-The application uses environment variables for configuration in Docker.
-
-| Variable | Description | Default |
-| :--- | :--- | :--- |
-| `SC_AUTH_PROVIDER` | Auth provider (`github`, `entra`, `none`) | `none` |
-| `SC_GITHUB_CLIENT_ID` | GitHub App Client ID | - |
-| `SC_GITHUB_CLIENT_SECRET` | GitHub App Client Secret | - |
-| `SC_SESSION_SECRET` | Secret key for session encryption | (Random) |
-| `SC_DISABLE_WINGET_INSTALL` | Set `1` to skip Winget check (Use static fallback) | `0` |
-
-## Limitations vs Desktop
-- **Winget Search**: Relies on a static dataset of ~50 popular apps or external APIs. Results may differ from Desktop Winget CLI.
-- **Intune Upload**: Requires Azure authentication which may need device code flow.
-- **Local Files**: Browser sandbox applies; file upload/download is used instead of direct file system access.
-
-## Troubleshooting
-- **No Search Results?** The app uses a fallback static dataset if public APIs are unreachable.
-- **Login Fails?** Ensure `SC_GITHUB_CLIENT_ID` and `SECRET` are set correctly if using GitHub auth.
+# SwitchCraft Server (Docker) Guide
+
+SwitchCraft enables you to host your own instance of the application using **Docker**. The containerized version allows you to access SwitchCraft from any browser in your network, complete with a built-in authentication system, Single Sign-On (SSO), and administrative controls.
+
+## 🚀 Quick Start
+
+### 1. Build & Run
+You can build the image directly from the source:
+
+```bash
+# Build the image
+docker build -t switchcraft-web .
+
+# Run the container (Mapping port 8080)
+# We map a volume to persist configuration AND user database
+docker run -d \
+  -p 8080:8080 \
+  -v switchcraft_data:/root/.switchcraft \
+  --name switchcraft \
+  switchcraft-web
+```
+
+Access the application at: `http://localhost:8080`
+
+## 🔐 Authentication & User Management
+
+The Docker container includes a full **User Management System**.
+
+### Default Login
+- **Username:** `admin`
+- **Password:** `admin` (You should change this immediately in the Admin Panel)
+
+### Multi-User Support
+The server supports multiple users with distinct roles (`admin` or `user`).
+- **Admins** have access to the `/admin` dashboard to manage users and server settings.
+- **Users** can access the application tools but cannot modify server settings or other users.
+
+### Single Sign-On (SSO) Setup
+SwitchCraft supports OAuth2 login via **GitHub** and **Microsoft Entra ID (Office 365)**.
+To enable SSO, you must provide the following environment variables when running the Docker container.
+
+#### 1. Microsoft Entra ID (O365)
+Register an App in Azure AD -> App Registrations.
+*   **Redirect URI:** `http://<your-domain>:8080/oauth_callback/entra`
+*   **API Permissions:** `User.Read` (Delegated)
+
+```bash
+docker run -d ... \
+  -e SC_ENTRA_CLIENT_ID="<your-client-id>" \
+  -e SC_ENTRA_TENANT_ID="<your-tenant-id>" \
+  -e SC_ENTRA_CLIENT_SECRET="<your-client-secret>" \
+  -e SC_BASE_URL="http://myserver.com:8080" \
+  switchcraft-web
+```
+
+*Users logging in via Entra for the first time will be **automatically created** as normal users.*
+
+#### 2. GitHub
+Register an OAuth App in GitHub Developer Settings.
+*   **Callback URL:** `http://<your-domain>:8080/oauth_callback/github`
+
+```bash
+docker run -d ... \
+  -e SC_GITHUB_CLIENT_ID="<your-client-id>" \
+  -e SC_GITHUB_CLIENT_SECRET="<your-client-secret>" \
+  switchcraft-web
+```
+
+## ⚙️ Administration Dashboard
+
+Access the dashboard at `http://localhost:8080/admin` (Link in Footer).
+
+### Features
+1.  **User Management**:
+    *   **List Users:** See all registered accounts (Local and SSO).
+    *   **Add User:** Manually create accounts with passwords.
+    *   **Delete User:** Remove accounts (except the root admin).
+2.  **Server Settings**:
+    *   **Demo Mode:** Switch app to Read-Only mode.
+    *   **Disable Auth:** Allow public access without login (Auto-Login as Guest/Admin).
+3.  **Security**:
+    *   **Change Password:** Update your own password.
+    *   **MFA / 2FA:** Setup Time-based OTP (Google Authenticator) enforcement.
+
+## 💾 Persistence
+
+To keep your users and settings safe, mount the `/root/.switchcraft` volume.
+
+| Path | Purpose |
+| :--- | :--- |
+| `server/auth_config.json` | Stores Global Server Config (Secret Keys, Demo Mode). |
+| `server/users.json` | **User Database** (Usernames, Password Hashes, Roles). |
+| `users/<username>/config.json` | (Future) Server-side user profiles. |
+
+## 🌐 Web Architecture Notes
+
+*   **Session Storage:** Login sessions use secure, encrypted cookies valid for 24 hours.
+*   **Client Settings:** Currently, app preferences (Theme, etc.) are stored in the **Browser** (LocalStorage) to ensure fast load times. We are working on server-side roaming profiles for the next release.
+*   **File Access:** The web version runs in a sandbox. You cannot access the host filesystem directly. Use the Upload/Download features.
+
+## 🛠 Troubleshooting
+
+*   **SSO Redirect Error?** Ensure `SC_BASE_URL` matches exactly the URL you access in the browser (including http/https and port).
+*   **Locked Out?**
+  *   `docker exec -it switchcraft sh`
+  *   Delete `server/users.json` to reset the database (recreating default admin).
+  *   Or manually edit `server/users.json` if you know JSON syntax.