Authentication

Botmarley supports optional password protection to secure access to the web interface.

How It Works

Authentication in Botmarley is simple and file-based:

  1. If a .password file exists in the Botmarley home directory, authentication is enabled
  2. All page routes require a valid session cookie
  3. Public routes (login page, static files, /book) remain accessible
  4. Sessions are stored as secure cookies

Setting Up Password Protection

Via the Settings Page

  1. Navigate to Settings (/settings)
  2. Enter your desired password in the password field
  3. Click Save
  4. The .password file is created automatically
  5. You'll be redirected to the login page

The password is securely hashed before storage. When setting it through the Settings page, this is handled automatically.

Logging In

When authentication is enabled:

  1. Visit any page — you'll be redirected to /login
  2. Enter your password
  3. Click Login
  4. A session cookie is set and you're redirected to the dashboard

Logging Out

Click the Logout button in the sidebar footer, or navigate to /logout.

Disabling Authentication

To remove password protection:

  1. Delete the .password file from the Botmarley home directory
  2. Restart the server
  3. All pages become accessible without login

    rm ~/.botmarley/.password

Security Notes

Danger

Botmarley is designed as a single-tenant, locally-run application. If you expose it to the internet (e.g., for remote access), always enable password protection and consider using HTTPS via a reverse proxy like Caddy or nginx.

  • Sessions expire after a configurable timeout
  • The cookie is marked HttpOnly and SameSite=Strict
  • Failed login attempts are logged
  • There is no username — only a single password protects the entire instance
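
The following shell script is an added example, not part of Botmarley or its documentation. It checks the two things this page describes: whether the .password file is present (so authentication is on) and whether a Set-Cookie header carries HttpOnly and SameSite=Strict. The owner-only file permission check, the function names, and the sample cookie name and value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Botmarley code. Checks the two things the page documents:
# the .password file that switches authentication on, and the cookie attributes.

# auth_state DIR: prints enabled, disabled (no .password) or empty (zero-byte file).
auth_state() {
    if [ ! -e "$1/.password" ]; then echo disabled
    elif [ ! -s "$1/.password" ]; then echo empty
    else echo enabled
    fi
}

# password_file_private DIR: succeeds when group and others have no access bits.
# Restricting the file to its owner is an assumption of this example, not a
# requirement stated in the Botmarley documentation.
password_file_private() {
    perms=$(ls -ln "$1/.password" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# cookie_missing_attrs HEADER: prints which of the documented attributes
# (HttpOnly, SameSite=Strict) are absent from a Set-Cookie header line.
cookie_missing_attrs() {
    attrs=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \r')
    missing=""
    case ";$attrs;" in *";httponly;"*) ;; *) missing="$missing HttpOnly" ;; esac
    case ";$attrs;" in *";samesite=strict;"*) ;; *) missing="$missing SameSite=Strict" ;; esac
    echo "${missing# }"
}

# audit DIR HEADER: one-line report; non-zero exit when anything needs attention.
audit() {
    state=$(auth_state "$1")
    missing=$(cookie_missing_attrs "$2")
    echo "auth=$state cookie_missing=[${missing}]"
    [ "$state" = enabled ] && password_file_private "$1" && [ -z "$missing" ]
}

# Constructed demo: a temporary directory stands in for the Botmarley home
# directory, and the header is a made-up sample (cookie name and value invented).
demo_home=$(mktemp -d)
printf 'constructed-hash-placeholder\n' > "$demo_home/.password"
chmod 600 "$demo_home/.password"
audit "$demo_home" 'Set-Cookie: session=EXAMPLE; Path=/; HttpOnly; SameSite=Strict' \
    || echo "needs attention"
rm -rf "$demo_home"
```

To check a real instance, call audit with ~/.botmarley and a Set-Cookie line copied from the login response shown in your browser's developer tools.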