Added auth support and a helper script, targeting frankenphp

2026-02-02 14:05:21 -05:00 · 2026-02-02 14:05:21 -05:00 · 0783e08fe9
commit 0783e08fe9
parent 8f545c3f67
8 changed files with 655 additions and 4 deletions
--- a/start-server.sh
+++ b/start-server.sh
@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# start-media-server.sh
+#
+# Starts frankenphp with MEDIA_USER and MEDIA_PASS_HASH set.
+# Hash is generated via:
+#   - system php (preferred) OR
+#   - frankenphp php-cli (fallback)
+#
+# Usage:
+#   ./start-media-server.sh --user admin --prompt [--port 9000] [--dir /path/to/docroot]
+#
+# Security:
+#   Avoid --pass on command line; use --prompt or --pass-stdin to keep it out of `ps`/history.
+
+PORT="9000"
+USER=""
+PASS=""
+DOCROOT=""
+
+read_pass_stdin=false
+prompt=false
+
+usage() {
+  cat <<'EOF'
+Usage:
+  start-media-server.sh --user <username> [--pass <password> | --pass-stdin | --prompt] [--port <port>] [--dir <docroot>]
+
+Options:
+  --user <u>        Username to set in MEDIA_USER (required)
+  --pass <p>        Password to hash (insecure: visible in process list & shell history)
+  --pass-stdin      Read password from stdin (safer)
+  --prompt          Prompt for password (safer; hidden input)
+  --port <p>        Listen port (default: 9000)
+  --dir <path>      cd into docroot before starting (optional)
+  -h, --help        Show help
+
+Examples:
+  ./start-media-server.sh --user admin --prompt --port 9000 --dir /home/me/samba-serv
+  printf '%s\n' 'test123' | ./start-media-server.sh --user admin --pass-stdin
+EOF
+}
+
+have_cmd() { command -v "$1" >/dev/null 2>&1; }
+
+# Pick a PHP hashing command:
+# - If `php` exists: use it.
+# - Else if `frankenphp` exists and supports php-cli: use it.
+pick_php_runner() {
+  if have_cmd php; then
+    echo "php"
+    return 0
+  fi
+
+  if have_cmd frankenphp; then
+    # Verify php-cli is available (frankenphp subcommand)
+    if frankenphp php-cli -v >/dev/null 2>&1; then
+      echo "frankenphp php-cli"
+      return 0
+    fi
+  fi
+
+  return 1
+}
+
+while (($#)); do
+  case "$1" in
+    --user) USER="${2-}"; shift 2 ;;
+    --pass) PASS="${2-}"; shift 2 ;;
+    --pass-stdin) read_pass_stdin=true; shift ;;
+    --prompt) prompt=true; shift ;;
+    --port) PORT="${2-}"; shift 2 ;;
+    --dir) DOCROOT="${2-}"; shift 2 ;;
+    -h|--help) usage; exit 0 ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      usage
+      exit 2
+      ;;
+  esac
+done
+
+if [[ -z "$USER" ]]; then
+  echo "Error: --user is required" >&2
+  usage
+  exit 2
+fi
+
+if $read_pass_stdin && $prompt; then
+  echo "Error: choose only one of --pass-stdin or --prompt" >&2
+  exit 2
+fi
+
+if [[ -z "$PASS" ]]; then
+  if $read_pass_stdin; then
+    IFS= read -r PASS
+  elif $prompt; then
+    read -r -s -p "Password: " PASS
+    echo
+  else
+    echo "Error: provide --pass, --pass-stdin, or --prompt" >&2
+    usage
+    exit 2
+  fi
+fi
+
+if ! [[ "$PORT" =~ ^[0-9]+$ ]] || ((PORT < 1 || PORT > 65535)); then
+  echo "Error: invalid --port '$PORT'" >&2
+  exit 2
+fi
+
+if ! have_cmd frankenphp; then
+  echo "Error: frankenphp not found in PATH" >&2
+  exit 127
+fi
+
+PHP_RUNNER="$(pick_php_runner)" || {
+  echo "Error: neither 'php' nor 'frankenphp php-cli' is available for hashing" >&2
+  echo "Install php OR ensure frankenphp supports 'php-cli'." >&2
+  exit 127
+}
+
+# Generate bcrypt hash without needing to escape $.
+# We pass the password via an env var P to avoid quoting surprises in -r strings.
+MEDIA_PASS_HASH="$(
+  P="$PASS" $PHP_RUNNER -r 'echo password_hash(getenv("P"), PASSWORD_BCRYPT), PHP_EOL;'
+)"
+
+export MEDIA_USER="$USER"
+export MEDIA_PASS_HASH
+
+if [[ -n "$DOCROOT" ]]; then
+  cd "$DOCROOT"
+fi
+
+echo "Using PHP runner: $PHP_RUNNER"
+echo "Starting frankenphp on :$PORT"
+echo "MEDIA_USER=$MEDIA_USER"
+echo "MEDIA_PASS_HASH set (bcrypt)"
+echo
+
+exec frankenphp php-server --listen ":$PORT"
+