feat: update auth

Merge branch 'DEV' into feature/node-app
feat: remove useless host
2026-04-19 21:50:38 +03:00 · 2026-04-19 21:11:31 +03:00 · 2026-04-19 21:01:30 +03:00 · 2026-04-08 16:55:19 +00:00 · 2026-04-08 17:54:53 +01:00 · 2026-04-08 16:51:24 +00:00
46 changed files with 1781 additions and 480 deletions
@@ -0,0 +1,49 @@
+---
+description: Новые React-компоненты — папка kebab-case, TSX + CSS module, index.ts (furumi-node-player/client/src)
+globs: furumi-node-player/client/src/**/*
+alwaysApply: false
+---
+
+# Структура новых компонентов (furumi-node-player/client)
+
+**Область:** при добавлении **нового** компонента в `furumi-node-player/client/src/` используйте расположение и файлы ниже.
+
+## Расположение
+
+- Базовая папка: `furumi-node-player/client/src/components/`
+- Для каждого компонента — **отдельная подпапка** с именем в **kebab-case** (например `play-button`, `search-dropdown`).
+
+## Файлы внутри папки компонента
+
+1. **Компонент:** `components/<имя-kebab>/<имя-kebab>.tsx` — реализация компонента; к нему подключён CSS-модуль (`import styles from './<имя-kebab>.module.css'`).
+2. **Стили:** `components/<имя-kebab>/<имя-kebab>.module.css` — модульные стили для этого компонента.
+3. **Баррель:** `components/<имя-kebab>/index.ts` — **реэкспорт всего** из файла компонента: `export * from './<имя-kebab>'`.
+
+Импорт снаружи: `import { MyWidget } from './components/my-widget'` (относительный путь к папке), без указания `index.ts`.
+
+## Пример (`my-widget`)
+
+```
+components/my-widget/
+  my-widget.tsx
+  my-widget.module.css
+  index.ts
+```
+
+```typescript
+// my-widget.tsx
+import styles from './my-widget.module.css'
+
+export function MyWidget() {
+  return <div className={styles.root}>…</div>
+}
+```
+
+```typescript
+// index.ts
+export * from './my-widget'
+```
+
+## Примечание
+
+Существующие файлы-компоненты в корне `components/` (один файл без папки) — наследие; **новые** компоненты добавляйте только по структуре выше.
@@ -0,0 +1,40 @@
+name: Publish Node Player Image (dev)
+
+on:
+  push:
+    branches:
+      - DEV
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/furumi-node-player
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile.node-player
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:dev
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
@@ -0,0 +1,57 @@
+name: Publish Node Player Image
+
+on:
+  push:
+    branches:
+      - '**'
+      - '!DEV'
+    tags:
+      - 'v*.*.*'
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/furumi-node-player
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Determine version and tags
+        id: info
+        run: |
+          IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          SHORT_SHA="$(echo '${{ github.sha }}' | cut -c1-7)"
+
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            TAG="${{ github.ref_name }}"
+            VERSION="${TAG#v}"
+            echo "tags=${IMAGE}:${VERSION},${IMAGE}:latest" >> "$GITHUB_OUTPUT"
+          else
+            echo "tags=${IMAGE}:trunk,${IMAGE}:${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile.node-player
+          push: true
+          tags: ${{ steps.info.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
@@ -1,4 +1,5 @@
 /target
-/inbox
-/storage
+/docker/inbox
+/docker/storage
 .env
+.DS_Store
@@ -2,6 +2,12 @@
 # It is not intended for manual editing.
 version = 4

+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
 [[package]]
 name = "aho-corasick"
 version = "1.1.4"
@@ -572,6 +578,15 @@ version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"

+[[package]]
+name = "crc32fast"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
+dependencies = [
+ "cfg-if",
+]
+
 [[package]]
 name = "crossbeam-channel"
 version = "0.5.15"
@@ -969,6 +984,16 @@ version = "0.5.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1d674e81391d1e1ab681a28d99df07927c6d4aa5b027d7da16ba32d1d21ecd99"

+[[package]]
+name = "flate2"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
+
 [[package]]
 name = "flume"
 version = "0.11.1"
@@ -1017,6 +1042,7 @@ dependencies = [
 "chrono",
 "clap",
 "encoding_rs",
+ "id3",
 "reqwest 0.12.28",
 "serde",
 "serde_json",
@@ -1114,7 +1140,7 @@ dependencies = [
 "futures-core",
 "futures-util",
 "hmac",
- "jsonwebtoken",
+ "jsonwebtoken 10.3.0",
 "libc",
 "mime_guess",
 "ogg",
@@ -1150,8 +1176,10 @@ dependencies = [
 "anyhow",
 "axum",
 "base64 0.22.1",
+ "chrono",
 "clap",
 "hmac",
+ "jsonwebtoken 9.3.1",
 "mime_guess",
 "openidconnect",
 "rand 0.8.5",
@@ -1165,6 +1193,7 @@ dependencies = [
 "tokio",
 "tokio-util",
 "tower 0.4.13",
+ "tower-http",
 "tracing",
 "tracing-subscriber",
 "urlencoding",
@@ -1748,6 +1777,17 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"

+[[package]]
+name = "id3"
+version = "1.16.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "965c5e6a62a241f2f673df956ea5f52c27780bc1031855890a551ed9b869e2d1"
+dependencies = [
+ "bitflags 2.11.0",
+ "byteorder",
+ "flate2",
+]
+
 [[package]]
 name = "ident_case"
 version = "1.0.1"
@@ -1864,6 +1904,21 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "jsonwebtoken"
+version = "9.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+dependencies = [
+ "base64 0.22.1",
+ "js-sys",
+ "pem",
+ "ring",
+ "serde",
+ "serde_json",
+ "simple_asn1",
+]
+
 [[package]]
 name = "jsonwebtoken"
 version = "10.3.0"
@@ -2021,6 +2076,16 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"

+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+ "simd-adler32",
+]
+
 [[package]]
 name = "mio"
 version = "1.1.1"
@@ -3412,6 +3477,12 @@ dependencies = [
 "rand_core 0.6.4",
 ]

+[[package]]
+name = "simd-adler32"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214"
+
 [[package]]
 name = "simple_asn1"
 version = "0.6.4"
@@ -8,8 +8,35 @@ RUN apt-get update && apt-get install -y \
    && rm -rf /var/lib/apt/lists/*

 WORKDIR /usr/src/app
+
+# 1. Copy workspace manifests and lock file (changes rarely → cached layer)
+COPY Cargo.toml Cargo.lock ./
+COPY furumi-common/Cargo.toml furumi-common/Cargo.toml
+COPY furumi-server/Cargo.toml furumi-server/Cargo.toml
+COPY furumi-client-core/Cargo.toml furumi-client-core/Cargo.toml
+COPY furumi-mount-linux/Cargo.toml furumi-mount-linux/Cargo.toml
+COPY furumi-mount-macos/Cargo.toml furumi-mount-macos/Cargo.toml
+COPY furumi-agent/Cargo.toml furumi-agent/Cargo.toml
+COPY furumi-web-player/Cargo.toml furumi-web-player/Cargo.toml
+
+# 2. Create dummy sources so cargo can resolve and build dependencies
+RUN mkdir -p furumi-common/src && echo "pub fn _dummy(){}" > furumi-common/src/lib.rs \
+    && mkdir -p furumi-server/src && echo "fn main(){}" > furumi-server/src/main.rs \
+    && mkdir -p furumi-client-core/src && echo "pub fn _dummy(){}" > furumi-client-core/src/lib.rs \
+    && mkdir -p furumi-mount-linux/src && echo "fn main(){}" > furumi-mount-linux/src/main.rs \
+    && mkdir -p furumi-mount-macos/src && echo "fn main(){}" > furumi-mount-macos/src/main.rs \
+    && mkdir -p furumi-agent/src && echo "fn main(){}" > furumi-agent/src/main.rs \
+    && mkdir -p furumi-web-player/src && echo "fn main(){}" > furumi-web-player/src/main.rs
+
+# 3. Build dependencies only (this layer is cached until Cargo.toml/lock change)
+RUN cargo build --release --bin furumi-agent 2>/dev/null || true
+
+# 4. Copy real source code
 COPY . .

+# 5. Touch sources to invalidate cargo's fingerprint for our crates (not deps)
+RUN touch furumi-common/src/lib.rs furumi-agent/src/main.rs
+
 ARG FURUMI_VERSION=dev
 RUN FURUMI_VERSION=${FURUMI_VERSION} cargo build --release --bin furumi-agent

@@ -0,0 +1,38 @@
+FROM node:22-alpine AS build
+
+WORKDIR /app
+
+# 1. Install server dependencies (cached layer)
+COPY furumi-node-player/server/package.json furumi-node-player/server/package-lock.json ./server/
+RUN cd server && npm ci
+
+# 2. Install client dependencies (cached layer)
+COPY furumi-node-player/client/package.json furumi-node-player/client/package-lock.json ./client/
+RUN cd client && npm ci
+
+# 3. Build server
+COPY furumi-node-player/server/ ./server/
+RUN cd server && npm run build
+
+# 4. Build client (VITE_FURUMI_API_URL empty = relative /api on same origin)
+COPY furumi-node-player/client/ ./client/
+RUN cd client && npm run build
+
+FROM node:22-alpine
+
+WORKDIR /app
+
+# Server runtime
+COPY --from=build /app/server/dist ./server/dist
+COPY --from=build /app/server/node_modules ./server/node_modules
+COPY --from=build /app/server/package.json ./server/
+
+# Client static files
+COPY --from=build /app/client/dist ./client/dist
+
+ENV NODE_ENV=production
+ENV PORT=3001
+
+EXPOSE 3001
+
+CMD ["node", "server/dist/index.js"]
@@ -8,8 +8,35 @@ RUN apt-get update && apt-get install -y \
    && rm -rf /var/lib/apt/lists/*

 WORKDIR /usr/src/app
+
+# 1. Copy workspace manifests and lock file (changes rarely → cached layer)
+COPY Cargo.toml Cargo.lock ./
+COPY furumi-common/Cargo.toml furumi-common/Cargo.toml
+COPY furumi-server/Cargo.toml furumi-server/Cargo.toml
+COPY furumi-client-core/Cargo.toml furumi-client-core/Cargo.toml
+COPY furumi-mount-linux/Cargo.toml furumi-mount-linux/Cargo.toml
+COPY furumi-mount-macos/Cargo.toml furumi-mount-macos/Cargo.toml
+COPY furumi-agent/Cargo.toml furumi-agent/Cargo.toml
+COPY furumi-web-player/Cargo.toml furumi-web-player/Cargo.toml
+
+# 2. Create dummy sources so cargo can resolve and build dependencies
+RUN mkdir -p furumi-common/src && echo "pub fn _dummy(){}" > furumi-common/src/lib.rs \
+    && mkdir -p furumi-server/src && echo "fn main(){}" > furumi-server/src/main.rs \
+    && mkdir -p furumi-client-core/src && echo "pub fn _dummy(){}" > furumi-client-core/src/lib.rs \
+    && mkdir -p furumi-mount-linux/src && echo "fn main(){}" > furumi-mount-linux/src/main.rs \
+    && mkdir -p furumi-mount-macos/src && echo "fn main(){}" > furumi-mount-macos/src/main.rs \
+    && mkdir -p furumi-agent/src && echo "fn main(){}" > furumi-agent/src/main.rs \
+    && mkdir -p furumi-web-player/src && echo "fn main(){}" > furumi-web-player/src/main.rs
+
+# 3. Build dependencies only (this layer is cached until Cargo.toml/lock change)
+RUN cargo build --release --bin furumi-web-player 2>/dev/null || true
+
+# 4. Copy real source code
 COPY . .

+# 5. Touch sources to invalidate cargo's fingerprint for our crates (not deps)
+RUN touch furumi-common/src/lib.rs furumi-web-player/src/main.rs
+
 ARG FURUMI_VERSION=dev
 RUN FURUMI_VERSION=${FURUMI_VERSION} cargo build --release --bin furumi-web-player

@@ -16,8 +16,8 @@ services:

  agent:
    build:
-      context: .
-      dockerfile: Dockerfile.agent
+      context: ..
+      dockerfile: docker/Dockerfile.agent
    container_name: furumi-agent
    depends_on:
      db:
@@ -25,10 +25,12 @@ services:
    ports:
      - "8090:8090"
    environment:
+      RUST_LOG: info
      FURUMI_AGENT_DATABASE_URL: "postgres://${POSTGRES_USER:-furumi}:${POSTGRES_PASSWORD:-furumi}@db:5432/${POSTGRES_DB:-furumi}"
      FURUMI_AGENT_INBOX_DIR: "/inbox"
      FURUMI_AGENT_STORAGE_DIR: "/storage"
      FURUMI_AGENT_OLLAMA_URL: "${OLLAMA_URL:-http://host.docker.internal:11434}"
+      FURUMI_AGENT_OLLAMA_MODEL: "${OLLAMA_MODEL:-qwen3:14b}"
      FURUMI_AGENT_OLLAMA_AUTH: "${OLLAMA_AUTH:-CHANGE-ME}"
      FURUMI_PLAYER_BIND: "0.0.0.0:8090"
      FURUMI_AGENT_POLL_INTERVAL_SECS: 5
@@ -41,8 +43,8 @@ services:

  web-player:
    build:
-      context: .
-      dockerfile: Dockerfile.web-player
+      context: ..
+      dockerfile: docker/Dockerfile.web-player
    container_name: furumi-web-player
    depends_on:
      db:
@@ -53,7 +55,11 @@ services:
      FURUMI_PLAYER_DATABASE_URL: "postgres://${POSTGRES_USER:-furumi}:${POSTGRES_PASSWORD:-furumi}@db:5432/${POSTGRES_DB:-furumi}"
      FURUMI_PLAYER_STORAGE_DIR: "/storage"
      FURUMI_PLAYER_BIND: "0.0.0.0:8085"
-      FURUMI_PLAYER_API_KEY: "node-player-api-key"
+      FURUMI_PLAYER_OIDC_ISSUER_URL: "${OIDC_ISSUER_URL}"
+      FURUMI_PLAYER_OIDC_CLIENT_ID: "${OIDC_CLIENT_ID}"
+      FURUMI_PLAYER_OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      FURUMI_PLAYER_OIDC_REDIRECT_URL: "${OIDC_REDIRECT_URL}"
+      FURUMI_PLAYER_OIDC_SESSION_SECRET: "${OIDC_SESSION_SECRET}"
    volumes:
      - ./storage:/storage
    restart: always
@@ -14,6 +14,7 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 sqlx = { version = "0.8", features = ["runtime-tokio-rustls", "postgres", "chrono", "uuid", "migrate"] }
 symphonia = { version = "0.5", default-features = false, features = ["mp3", "aac", "flac", "vorbis", "wav", "alac", "adpcm", "pcm", "mpa", "isomp4", "ogg", "aiff", "mkv"] }
+id3 = "1"
 thiserror = "2.0"
 tokio = { version = "1.50", features = ["full"] }
 tracing = "0.1"
@@ -0,0 +1,20 @@
+CREATE TABLE users (
+    id           TEXT PRIMARY KEY,
+    username     TEXT NOT NULL,
+    display_name TEXT,
+    email        TEXT,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE play_events (
+    id        BIGSERIAL PRIMARY KEY,
+    user_id   TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    track_id  BIGINT NOT NULL REFERENCES tracks(id) ON DELETE CASCADE,
+    played_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_play_events_user_id ON play_events(user_id);
+CREATE INDEX idx_play_events_track_id ON play_events(track_id);
+CREATE INDEX idx_play_events_user_track ON play_events(user_id, track_id);
+CREATE INDEX idx_play_events_played_at ON play_events(played_at DESC);
@@ -64,7 +64,7 @@ You are a music metadata normalization assistant. Your job is to take raw metada

 10. **Consistency**: When the database already contains entries for an artist or album, your output MUST match the existing canonical names. Do not introduce new variations.

-11. **Confidence**: Rate your confidence from 0.0 to 1.0.
+11. **Confidence**: MUST be a decimal number between 0.0 and 1.0 (e.g., 0.95, 0.7, 0.3). NEVER use words like "high", "medium", "low" — only a numeric float value.
   - 1.0: All fields are clear and unambiguous.
   - 0.8+: Minor inferences made (e.g., year from path), but high certainty.
   - 0.5-0.8: Some guesswork involved, human review recommended.
@@ -19,9 +19,25 @@ pub struct RawMetadata {
    pub duration_secs: Option<f64>,
 }

-/// Extract metadata from an audio file using Symphonia.
+/// Extract metadata from an audio file.
+/// For MP3, falls back to the `id3` crate when Symphonia cannot probe the file
+/// (e.g., ID3 tag with large embedded cover art exceeds Symphonia's 1 MB probe limit).
 /// Must be called from a blocking context (spawn_blocking).
 pub fn extract(path: &Path) -> anyhow::Result<RawMetadata> {
+    match extract_via_symphonia(path) {
+        Ok(meta) => return Ok(meta),
+        Err(e) => {
+            let is_mp3 = path.extension().and_then(|e| e.to_str()).map(|e| e.eq_ignore_ascii_case("mp3")).unwrap_or(false);
+            if is_mp3 {
+                tracing::debug!(error = %e, "Symphonia failed on MP3, falling back to id3 crate");
+                return extract_mp3_via_id3(path);
+            }
+            return Err(e);
+        }
+    }
+}
+
+fn extract_via_symphonia(path: &Path) -> anyhow::Result<RawMetadata> {
    let file = std::fs::File::open(path)?;
    let mss = MediaSourceStream::new(Box::new(file), Default::default());

@@ -66,6 +82,25 @@ pub fn extract(path: &Path) -> anyhow::Result<RawMetadata> {
    Ok(meta)
 }

+/// Read MP3 tags via the `id3` crate. Duration is not available this way.
+fn extract_mp3_via_id3(path: &Path) -> anyhow::Result<RawMetadata> {
+    use id3::TagLike;
+
+    let tag = id3::Tag::read_from_path(path)
+        .map_err(|e| anyhow::anyhow!("id3 read failed: {}", e))?;
+
+    let mut meta = RawMetadata::default();
+    meta.title = tag.title().map(|s| fix_encoding(s.to_owned()));
+    meta.artist = tag.artist().map(|s| fix_encoding(s.to_owned()));
+    meta.album = tag.album().map(|s| fix_encoding(s.to_owned()));
+    meta.year = tag.year().and_then(|y| u32::try_from(y).ok());
+    meta.track_number = tag.track();
+    meta.genre = tag.genre().map(|s: &str| fix_encoding(s.to_owned()));
+    // duration_secs remains None — acceptable for large-cover files
+
+    Ok(meta)
+}
+
 fn extract_tags(tags: &[symphonia::core::meta::Tag], meta: &mut RawMetadata) {
    for tag in tags {
        let value = fix_encoding(tag.value.to_string());
@@ -25,16 +25,37 @@ pub async fn normalize(
 ) -> anyhow::Result<NormalizedFields> {
    let user_message = build_user_message(raw, hints, similar_artists, similar_albums, folder_ctx);

+    let schema = normalize_schema();
    let response = call_ollama(
        &state.config.ollama_url,
        &state.config.ollama_model,
        &state.system_prompt,
        &user_message,
        state.config.ollama_auth.as_deref(),
+        0.5,
+        512,
+        Some(("normalized_metadata", schema.clone())),
    )
    .await?;

-    parse_response(&response)
+    match parse_response(&response) {
+        Ok(fields) => Ok(fields),
+        Err(e) => {
+            tracing::warn!(error = %e, "LLM parse failed, retrying with higher frequency_penalty");
+            let response2 = call_ollama(
+                &state.config.ollama_url,
+                &state.config.ollama_model,
+                &state.system_prompt,
+                &user_message,
+                state.config.ollama_auth.as_deref(),
+                1.5,
+                512,
+                Some(("normalized_metadata", schema)),
+            )
+            .await?;
+            parse_response(&response2)
+        }
+    }
 }

 fn build_user_message(
@@ -113,32 +134,49 @@ fn build_user_message(
 }

 #[derive(Serialize)]
-struct OllamaRequest {
+struct ChatRequest {
    model: String,
-    messages: Vec<OllamaMessage>,
-    format: String,
+    messages: Vec<ChatMessage>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    response_format: Option<ChatResponseFormat>,
    stream: bool,
-    options: OllamaOptions,
+    temperature: f64,
+    max_tokens: u32,
+    frequency_penalty: f64,
 }

 #[derive(Serialize)]
-struct OllamaMessage {
+struct ChatMessage {
    role: String,
    content: String,
 }

 #[derive(Serialize)]
-struct OllamaOptions {
-    temperature: f64,
+struct ChatResponseFormat {
+    #[serde(rename = "type")]
+    kind: String,
+    json_schema: JsonSchemaWrapper,
+}
+
+#[derive(Serialize)]
+struct JsonSchemaWrapper {
+    name: String,
+    strict: bool,
+    schema: serde_json::Value,
 }

 #[derive(Deserialize)]
-struct OllamaResponse {
-    message: OllamaResponseMessage,
+struct ChatResponse {
+    choices: Vec<ChatChoice>,
 }

 #[derive(Deserialize)]
-struct OllamaResponseMessage {
+struct ChatChoice {
+    message: ChatResponseMessage,
+}
+
+#[derive(Deserialize)]
+struct ChatResponseMessage {
    content: String,
 }

@@ -148,30 +186,40 @@ pub async fn call_ollama(
    system_prompt: &str,
    user_message: &str,
    auth: Option<&str>,
+    frequency_penalty: f64,
+    max_tokens: u32,
+    schema: Option<(&str, serde_json::Value)>,
 ) -> anyhow::Result<String> {
    let client = reqwest::Client::builder()
        .timeout(std::time::Duration::from_secs(120))
        .build()?;

-    let request = OllamaRequest {
+    let response_format = schema.map(|(name, schema)| ChatResponseFormat {
+        kind: "json_schema".to_owned(),
+        json_schema: JsonSchemaWrapper { name: name.to_owned(), strict: true, schema },
+    });
+
+    let request = ChatRequest {
        model: model.to_owned(),
        messages: vec![
-            OllamaMessage {
+            ChatMessage {
                role: "system".to_owned(),
                content: system_prompt.to_owned(),
            },
-            OllamaMessage {
+            ChatMessage {
                role: "user".to_owned(),
                content: user_message.to_owned(),
            },
        ],
-        format: "json".to_owned(),
+        response_format,
        stream: false,
-        options: OllamaOptions { temperature: 0.1 },
+        temperature: 0.1,
+        max_tokens,
+        frequency_penalty,
    };

-    let url = format!("{}/api/chat", base_url.trim_end_matches('/'));
-    tracing::info!(%url, model, prompt_len = user_message.len(), "Calling Ollama API...");
+    let url = format!("{}/v1/chat/completions", base_url.trim_end_matches('/'));
+    tracing::info!(%url, model, prompt_len = user_message.len(), "Calling LLM API...");

    let start = std::time::Instant::now();
    let mut req = client.post(&url).json(&request);
@@ -184,18 +232,45 @@ pub async fn call_ollama(
    if !resp.status().is_success() {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
-        tracing::error!(%status, body = &body[..body.len().min(500)], "Ollama API error");
-        anyhow::bail!("Ollama returned {}: {}", status, body);
+        tracing::error!(%status, body = &body[..body.len().min(500)], "LLM API error");
+        anyhow::bail!("LLM returned {}: {}", status, body);
    }

-    let ollama_resp: OllamaResponse = resp.json().await?;
+    let chat_resp: ChatResponse = resp.json().await?;
+    let content = chat_resp
+        .choices
+        .into_iter()
+        .next()
+        .ok_or_else(|| anyhow::anyhow!("LLM returned empty choices"))?
+        .message
+        .content;
    tracing::info!(
        elapsed_ms = elapsed.as_millis() as u64,
-        response_len = ollama_resp.message.content.len(),
-        "Ollama response received"
+        response_len = content.len(),
+        "LLM response received"
    );
-    tracing::debug!(raw_response = %ollama_resp.message.content, "LLM raw output");
-    Ok(ollama_resp.message.content)
+    tracing::debug!(raw_response = %content, "LLM raw output");
+    Ok(content)
+}
+
+fn normalize_schema() -> serde_json::Value {
+    serde_json::json!({
+        "type": "object",
+        "properties": {
+            "artist":           { "type": ["string", "null"] },
+            "album":            { "type": ["string", "null"] },
+            "title":            { "type": ["string", "null"] },
+            "year":             { "type": ["integer", "null"] },
+            "track_number":     { "type": ["integer", "null"] },
+            "genre":            { "type": ["string", "null"] },
+            "featured_artists": { "type": "array", "items": { "type": "string" } },
+            "release_kind":     { "type": ["string", "null"] },
+            "confidence":       { "type": ["number", "null"] },
+            "notes":            { "type": ["string", "null"] }
+        },
+        "required": ["artist", "album", "title", "year", "track_number", "genre", "featured_artists", "release_kind", "confidence", "notes"],
+        "additionalProperties": false
+    })
 }

 /// Parse the LLM JSON response into NormalizedFields.
@@ -222,6 +297,7 @@ fn parse_response(response: &str) -> anyhow::Result<NormalizedFields> {
        genre: Option<String>,
        #[serde(default)]
        featured_artists: Vec<String>,
+        #[serde(rename = "release_kind")]
        release_type: Option<String>,
        confidence: Option<f64>,
        notes: Option<String>,
@@ -35,12 +35,39 @@ pub async fn propose_merge(state: &Arc<AppState>, merge_id: Uuid) -> anyhow::Res

    let user_message = build_merge_message(&artists_data);

+    let schema = serde_json::json!({
+        "type": "object",
+        "properties": {
+            "canonical_artist_name": { "type": "string" },
+            "winner_artist_id":      { "type": "integer" },
+            "album_mappings": {
+                "type": "array",
+                "items": {
+                    "type": "object",
+                    "properties": {
+                        "source_album_id":     { "type": "integer" },
+                        "canonical_name":      { "type": "string" },
+                        "merge_into_album_id": { "type": ["integer", "null"] }
+                    },
+                    "required": ["source_album_id", "canonical_name", "merge_into_album_id"],
+                    "additionalProperties": false
+                }
+            },
+            "notes": { "type": "string" }
+        },
+        "required": ["canonical_artist_name", "winner_artist_id", "album_mappings", "notes"],
+        "additionalProperties": false
+    });
+
    let response = call_ollama(
        &state.config.ollama_url,
        &state.config.ollama_model,
        &state.merge_prompt,
        &user_message,
        state.config.ollama_auth.as_deref(),
+        0.5,
+        4096,
+        Some(("artist_merge", schema)),
    ).await?;

    let proposal = parse_merge_response(&response)?;
@@ -1,2 +1,2 @@
-VITE_API_BASE_URL=http://localhost:8085
-VITE_API_KEY=
+# Leave empty — vite proxy handles /api in dev, same-origin in production
+VITE_FURUMI_API_URL=
@@ -0,0 +1,45 @@
+const DB_NAME = 'furumi-sw'
+const STORE = 'auth'
+const KEY = 'bearer'
+
+function openDB() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(DB_NAME, 1)
+    req.onupgradeneeded = () => req.result.createObjectStore(STORE)
+    req.onsuccess = () => resolve(req.result)
+    req.onerror = () => reject(req.error)
+  })
+}
+
+async function getToken() {
+  try {
+    const db = await openDB()
+    return new Promise((resolve) => {
+      const tx = db.transaction(STORE, 'readonly')
+      const req = tx.objectStore(STORE).get(KEY)
+      req.onsuccess = () => resolve(req.result || null)
+      req.onerror = () => resolve(null)
+    })
+  } catch {
+    return null
+  }
+}
+
+self.addEventListener('fetch', (e) => {
+  const url = new URL(e.request.url)
+  if (url.origin !== self.location.origin || !url.pathname.startsWith('/api/')) return
+
+  e.respondWith(
+    (async () => {
+      const token = await getToken()
+      if (!token) return fetch(e.request)
+
+      const headers = new Headers(e.request.headers)
+      headers.set('Authorization', `Bearer ${token}`)
+      return fetch(new Request(e.request, { headers }))
+    })()
+  )
+})
+
+self.addEventListener('install', () => self.skipWaiting())
+self.addEventListener('activate', (e) => e.waitUntil(self.clients.claim()))
@@ -1,71 +1,102 @@
-.page {
+@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap');
+
+.auth-page {
  min-height: 100vh;
  display: grid;
  place-items: center;
  padding: 24px;
+  background: #0a0c12;
+  font-family: 'Inter', system-ui, sans-serif;
+  color: #e2e8f0;
 }

-.card {
-  width: min(520px, 100%);
-  border: 1px solid #d8dde6;
-  border-radius: 14px;
-  padding: 24px;
-  background-color: #ffffff;
-  box-shadow: 0 12px 30px rgba(0, 0, 0, 0.08);
-}
+/* ---------- loading spinner ---------- */

-.subtitle {
-  margin-top: 0;
-  margin-bottom: 20px;
-  color: #5a6475;
-}
-
-.settings {
-  margin-bottom: 16px;
-  padding: 12px;
-  border: 1px solid #e6eaf2;
-  border-radius: 10px;
-  background: #f8fafc;
-}
-
-.toggle {
+.auth-loading {
  display: flex;
+  flex-direction: column;
  align-items: center;
-  gap: 10px;
-  color: #0f172a;
-  font-weight: 600;
+  gap: 20px;
 }

-.toggle input {
-  width: 18px;
-  height: 18px;
+.spinner {
+  width: 36px;
+  height: 36px;
+  border: 3px solid #1f2c45;
+  border-top-color: #7c6af7;
+  border-radius: 50%;
+  animation: spin 0.8s linear infinite;
 }

-.hint {
-  margin: 10px 0 0;
-  color: #5a6475;
+@keyframes spin {
+  to { transform: rotate(360deg); }
 }

-.btn {
-  display: inline-block;
-  text-decoration: none;
-  background: #2251ff;
-  color: #ffffff;
-  padding: 10px 16px;
+.auth-loading .logo {
+  font-size: 1.6rem;
+  font-weight: 700;
+  color: #7c6af7;
+}
+
+.auth-loading p {
+  color: #64748b;
+  font-size: 0.85rem;
+}
+
+/* ---------- login card ---------- */
+
+.auth-card {
+  width: min(380px, 100%);
+  background: #111520;
+  border: 1px solid #1f2c45;
+  border-radius: 16px;
+  padding: 2.5rem 2rem;
+  text-align: center;
+  box-shadow: 0 20px 60px rgba(0, 0, 0, 0.4);
+  animation: fadeIn 0.3s ease;
+}
+
+@keyframes fadeIn {
+  from { opacity: 0; transform: translateY(8px); }
+  to { opacity: 1; transform: translateY(0); }
+}
+
+.auth-card .logo {
+  font-size: 1.8rem;
+  font-weight: 700;
+  color: #7c6af7;
+  margin-bottom: 4px;
+}
+
+.auth-card .subtitle {
+  font-size: 0.85rem;
+  color: #64748b;
+  margin-bottom: 2rem;
+}
+
+.auth-card .btn-login {
+  display: block;
+  width: 100%;
+  padding: 0.75rem;
+  text-align: center;
+  background: #7c6af7;
+  border: none;
  border-radius: 8px;
+  color: #fff;
+  font-size: 0.95rem;
  font-weight: 600;
+  text-decoration: none;
+  cursor: pointer;
+  transition: background 0.2s;
 }

-.btn.ghost {
-  background: #edf1ff;
-  color: #1e3fc4;
-  margin-top: 10px;
+.auth-card .btn-login:hover {
+  background: #6b58e8;
 }

-.profile p {
-  margin: 8px 0;
+.auth-card .error {
+  color: #f87171;
+  font-size: 0.85rem;
+  margin-bottom: 1rem;
 }

-.error {
-  color: #cc1e1e;
-}
@@ -1,5 +1,6 @@
-import { useEffect, useMemo, useState } from 'react'
+import { useEffect, useState } from 'react'
 import { FurumiPlayer } from './FurumiPlayer'
+import { setAuthToken, clearAuthToken } from './furumiApi'
 import './App.css'

 type UserProfile = {
@@ -8,38 +9,21 @@ type UserProfile = {
  email?: string
 }

-const NO_AUTH_STORAGE_KEY = 'furumiNodePlayer.runWithoutAuth'
-
 function App() {
  const [loading, setLoading] = useState(true)
  const [user, setUser] = useState<UserProfile | null>(null)
  const [error, setError] = useState<string | null>(null)
-  const [runWithoutAuth, setRunWithoutAuth] = useState(() => {
-    try {
-      return window.localStorage.getItem(NO_AUTH_STORAGE_KEY) === '1'
-    } catch {
-      return false
-    }
-  })
-
-  const apiBase = useMemo(() => import.meta.env.VITE_API_BASE_URL ?? '', [])

  useEffect(() => {
-    if (runWithoutAuth) {
-      setError(null)
-      setUser({ sub: 'noauth', name: 'No Auth' })
-      setLoading(false)
-      return
-    }
-
    const loadMe = async () => {
      try {
-        const response = await fetch(`${apiBase}/api/me`, {
+        const response = await fetch(`/auth/me`, {
          credentials: 'include',
        })

        if (response.status === 401) {
          setUser(null)
+          clearAuthToken()
          return
        }

@@ -49,6 +33,20 @@ function App() {

        const data = await response.json()
        setUser(data.user ?? null)
+
+        if (data.user) {
+          try {
+            const tokenRes = await fetch('/auth/token', { credentials: 'include' })
+            if (tokenRes.ok) {
+              const tokenData = await tokenRes.json()
+              if (tokenData.access_token) {
+                setAuthToken(tokenData.access_token)
+              }
+            }
+          } catch {
+            // Token fetch failed
+          }
+        }
      } catch (err) {
        setError(err instanceof Error ? err.message : 'Failed to load session')
      } finally {
@@ -57,84 +55,42 @@ function App() {
    }

    void loadMe()
-  }, [apiBase, runWithoutAuth])
+  }, [])

-  const loginUrl = `${apiBase}/api/login`
-  const logoutUrl = `${apiBase}/api/logout`
+  const loginUrl = `/api/login`
+  const logoutUrl = `/api/logout`
+  // Authenticated — render player immediately
+  if (!loading && user) {
+    return <FurumiPlayer user={user} />
+  }

+  // Loading — show spinner (no login form flash)
+  if (loading) {
+    return (
+      <main className="auth-page">
+        <div className="auth-loading">
+          <div className="logo">Furumi</div>
+          <div className="spinner" />
+          <p>Loading...</p>
+        </div>
+      </main>
+    )
+  }
+
+  // Not authenticated — show login
  return (
-    <>
-      {!loading && (user || runWithoutAuth) ? (
-        <FurumiPlayer />
-      ) : (
-        <main className="page">
-          <section className="card">
-            <h1>OIDC Login</h1>
-            <p className="subtitle">Авторизация обрабатывается на Express сервере.</p>
+    <main className="auth-page">
+      <section className="auth-card">
+        <div className="logo">Furumi</div>
+        <p className="subtitle">Sign in to continue</p>

-            <div className="settings">
-              <label className="toggle">
-                <input
-                  type="checkbox"
-                  checked={runWithoutAuth}
-                  onChange={(e) => {
-                    const next = e.target.checked
-                    setRunWithoutAuth(next)
-                    try {
-                      if (next) window.localStorage.setItem(NO_AUTH_STORAGE_KEY, '1')
-                      else window.localStorage.removeItem(NO_AUTH_STORAGE_KEY)
-                    } catch {
-                      // ignore
-                    }
-                    setLoading(true)
-                    setUser(null)
-                  }}
-                />
-                <span>Запускать без авторизации</span>
-              </label>
-            </div>
+        {error && <p className="error">{error}</p>}

-            {loading && <p>Проверяю сессию...</p>}
-            {error && <p className="error">Ошибка: {error}</p>}
-
-            {!loading && runWithoutAuth && (
-              <p className="hint">
-                Режим без авторизации включён. Для входа отключи настройку выше.
-              </p>
-            )}
-
-            {!loading && !user && (
-              <a className="btn" href={loginUrl}>
-                Войти через OIDC
-              </a>
-            )}
-
-            {!loading && user && (
-              <div className="profile">
-                <p>
-                  <strong>ID:</strong> {user.sub}
-                </p>
-                {user.name && (
-                  <p>
-                    <strong>Имя:</strong> {user.name}
-                  </p>
-                )}
-                {user.email && (
-                  <p>
-                    <strong>Email:</strong> {user.email}
-                  </p>
-                )}
-                {!runWithoutAuth && (
-                  <a className="btn ghost" href={logoutUrl}>
-                    Выйти
-                  </a>
-                )}
-              </div>
-            )}
-          </section>
-        </main>
-      )}
-    </>
+        <a className="btn-login" href="/auth/login">
+          Sign in with SSO
+        </a>
+      </section>
+    </main>
  )
 }

@@ -1,6 +1,6 @@
 import { useEffect, useRef, useState, type MouseEvent as ReactMouseEvent } from 'react'
 import './furumi-player.css'
-import { API_ROOT, searchTracks, preloadStream } from './furumiApi'
+import { furumiApi, searchTracks, recordPlay } from './furumiApi'
 import { store, useAppDispatch, useAppSelector } from './store'
 import { fetchArtists } from './store/slices/artistsSlice'
 import { fetchArtistAlbums } from './store/slices/albumsSlice'
@@ -15,8 +15,6 @@ import {
  playAtIndex,
  removeFromQueueAt,
  moveQueueItemInOrder,
-  toggleShuffle,
-  toggleRepeat,
  rebuildShuffleOrder,
  selectQueueOrder,
  selectPlayingOrigIdx,
@@ -26,12 +24,18 @@ import {
 } from './store/slices/queueSlice'
 import { attachAudioPlayback } from './audioPlaybackService'
 import { fmt } from './utils'
-import { Header } from './components/Header'
+import { Header } from './components/header'
 import { MainPanel, type Crumb } from './components/MainPanel'
 import { PlayerBar } from './components/PlayerBar'
 import type { Track } from './types'

-export function FurumiPlayer() {
+export type UserProfile = {
+  sub: string
+  name?: string
+  email?: string
+}
+
+export function FurumiPlayer({ user }: { user: UserProfile }) {
  const dispatch = useAppDispatch()
  const artistsLoading = useAppSelector((s) => s.artists.loading)
  const artistsError = useAppSelector((s) => s.artists.error)
@@ -71,6 +75,7 @@ export function FurumiPlayer() {
    playIndex: (i: number) => void
    removeFromQueue: (idx: number) => void
    moveQueueItem: (fromPos: number, toPos: number) => void
+    clearQueue: () => void
  } | null>(null)

  const audioRef = useRef<HTMLAudioElement>(null)
@@ -81,32 +86,25 @@ export function FurumiPlayer() {
      return
    }
    document.title = `${nowPlayingTrack.title} — Furumi`
-    const coverUrl = `${API_ROOT}/tracks/${nowPlayingTrack.slug}/cover`
    if ('mediaSession' in navigator) {
      try {
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        navigator.mediaSession.metadata = new window.MediaMetadata({
+        const meta = new window.MediaMetadata({
          title: nowPlayingTrack.title,
          artist: nowPlayingTrack.artist || '',
          album: '',
-          artwork: [{ src: coverUrl, sizes: '512x512' }],
        })
+        navigator.mediaSession.metadata = meta
+        furumiApi.get(`/tracks/${nowPlayingTrack.slug}/cover`, { responseType: 'blob' })
+          .then((res) => {
+            meta.artwork = [{ src: URL.createObjectURL(res.data), sizes: '512x512' }]
+          })
+          .catch(() => {})
      } catch {
        // ignore
      }
    }
  }, [nowPlayingTrack])

-  const shuffle = useAppSelector((s) => s.queue.shuffle)
-  const repeatAll = useAppSelector((s) => s.queue.repeatAll)
-
-  useEffect(() => {
-    const btnShuffle = document.getElementById('btnShuffle')
-    const btnRepeat = document.getElementById('btnRepeat')
-    btnShuffle?.classList.toggle('active', shuffle)
-    btnRepeat?.classList.toggle('active', repeatAll)
-  }, [shuffle, repeatAll])
-
  useEffect(() => {
    const audioEl = audioRef.current
    if (!audioEl) return
@@ -303,6 +301,7 @@ export function FurumiPlayer() {
      dispatch(playAtIndex(i))
      const track = store.getState().queue.items[i]
      void playback.loadStreamForTrack(track.slug)
+      void recordPlay(track.slug)
      if (window.history && window.history.replaceState) {
        const url = new URL(window.location.href)
        url.searchParams.set('t', track.slug)
@@ -359,14 +358,7 @@ export function FurumiPlayer() {
      playIndex,
      removeFromQueue,
      moveQueueItem,
-    }
-
-    function onToggleShuffle() {
-      dispatch(toggleShuffle())
-    }
-
-    function onToggleRepeat() {
-      dispatch(toggleRepeat())
+      clearQueue: clearQueuePlayback,
    }

    function onSearch(q: string) {
@@ -402,7 +394,7 @@ export function FurumiPlayer() {
          { slug, title: '', artist: '', album_slug: null, duration: null },
          true,
        )
-        void preloadStream(slug)
+        void playback.loadStreamForTrack(slug)
      }
    }
    searchSelectRef.current = onSearchSelect
@@ -452,20 +444,10 @@ export function FurumiPlayer() {
      searchInput.addEventListener('keydown', onSearchKeydown)
    }

-    const onShuffleClick = () => onToggleShuffle()
-    const onRepeatClick = () => onToggleRepeat()
-    const onClearClick = () => clearQueuePlayback()
    const onPrevClick = () => prevTrack()
    const onPlayClick = () => togglePlay()
    const onNextClick = () => nextTrack()

-    const btnShuffle = document.getElementById('btnShuffle')
-    btnShuffle?.addEventListener('click', onShuffleClick)
-    const btnRepeat = document.getElementById('btnRepeat')
-    btnRepeat?.addEventListener('click', onRepeatClick)
-    const btnClear = document.getElementById('btnClearQueue')
-    btnClear?.addEventListener('click', onClearClick)
-
    const btnPrev = document.getElementById('btnPrev')
    btnPrev?.addEventListener('click', onPrevClick)
    const btnPlay = document.getElementById('btnPlayPause')
@@ -503,9 +485,6 @@ export function FurumiPlayer() {
      sidebarOverlay?.removeEventListener('click', onSidebarOverlayClick)
      searchInput?.removeEventListener('input', onSearchInput)
      searchInput?.removeEventListener('keydown', onSearchKeydown)
-      btnShuffle?.removeEventListener('click', onShuffleClick)
-      btnRepeat?.removeEventListener('click', onRepeatClick)
-      btnClear?.removeEventListener('click', onClearClick)
      btnPrev?.removeEventListener('click', onPrevClick)
      btnPlay?.removeEventListener('click', onPlayClick)
      btnNext?.removeEventListener('click', onNextClick)
@@ -543,6 +522,8 @@ export function FurumiPlayer() {
        searchOpen={searchOpen}
        searchResults={searchResults}
        onSearchSelect={(type, slug) => searchSelectRef.current(type, slug)}
+        onPlayTrack={(slug) => searchSelectRef.current('track', slug)}
+        user={user}
      />

      <MainPanel
@@ -550,10 +531,22 @@ export function FurumiPlayer() {
        libraryLoading={libraryLoading}
        libraryError={libraryError}
        libraryItems={libraryItems}
-        queueItemsView={queueItemsView}
-        queueOrderView={queueOrderView}
-        queuePlayingOrigIdxView={queuePlayingOrigIdxView}
-        queueScrollSignal={queueScrollSignal}
+        onQueuePlay={(origIdx) => queueActionsRef.current?.playIndex(origIdx)}
+        onQueueRemove={(origIdx) =>
+          queueActionsRef.current?.removeFromQueue(origIdx)
+        }
+        onQueueMove={(fromPos, toPos) =>
+          queueActionsRef.current?.moveQueueItem(fromPos, toPos)
+        }
+        onClearQueue={() => queueActionsRef.current?.clearQueue()}
+      />
+
+      <PlayerBar
+        track={nowPlayingTrack}
+        queue={queueItemsView}
+        order={queueOrderView}
+        playingOrigIdx={queuePlayingOrigIdxView}
+        scrollSignal={queueScrollSignal}
        onQueuePlay={(origIdx) => queueActionsRef.current?.playIndex(origIdx)}
        onQueueRemove={(origIdx) =>
          queueActionsRef.current?.removeFromQueue(origIdx)
@@ -563,8 +556,6 @@ export function FurumiPlayer() {
        }
      />

-      <PlayerBar track={nowPlayingTrack} />
-
      <div className="toast" id="toast" />
      <audio ref={audioRef} />
    </div>
@@ -1,4 +1,4 @@
-import { preloadStream } from './furumiApi'
+import { furumiApi } from './furumiApi'
 import { fmt } from './utils'

 const MAX_PLAYBACK_ERROR_SKIPS = 5
@@ -109,9 +109,13 @@ export function attachAudioPlayback(
  volSlider?.addEventListener('input', onVolInput)

  async function loadStreamForTrack(slug: string) {
-    const response = await preloadStream(slug)
-    audio.src = URL.createObjectURL(response?.data)
-    await audio.play().catch(() => { })
+    try {
+      const res = await furumiApi.get(`/stream/${slug}`, { responseType: 'blob' })
+      audio.src = URL.createObjectURL(res.data)
+      await audio.play().catch(() => { })
+    } catch {
+      // stream failed
+    }
  }

  function pauseAndClearSource() {
@@ -0,0 +1,24 @@
+import { useEffect, useState } from 'react'
+import { furumiApi } from '../furumiApi'
+
+export function AuthImg({ src, alt, ...props }: React.ImgHTMLAttributes<HTMLImageElement>) {
+  const [blobUrl, setBlobUrl] = useState<string | null>(null)
+
+  useEffect(() => {
+    if (!src) return
+    let revoked = false
+    furumiApi.get(src, { responseType: 'blob' })
+      .then((res) => {
+        if (!revoked) setBlobUrl(URL.createObjectURL(res.data))
+      })
+      .catch(() => {})
+    return () => {
+      revoked = true
+      if (blobUrl) URL.revokeObjectURL(blobUrl)
+    }
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [src])
+
+  if (!blobUrl) return null
+  return <img src={blobUrl} alt={alt ?? ''} {...props} />
+}
@@ -1,45 +0,0 @@
-import { SearchDropdown } from './SearchDropdown'
-
-type SearchResultItem = {
-  result_type: string
-  slug: string
-  name: string
-  detail?: string
-}
-
-type HeaderProps = {
-  searchOpen: boolean
-  searchResults: SearchResultItem[]
-  onSearchSelect: (type: string, slug: string) => void
-}
-
-export function Header({
-  searchOpen,
-  searchResults,
-  onSearchSelect,
-}: HeaderProps) {
-  return (
-    <header className="header">
-      <div className="header-logo">
-        <button className="btn-menu">&#9776;</button>
-        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
-          <circle cx="9" cy="18" r="3" />
-          <circle cx="18" cy="15" r="3" />
-          <path d="M12 18V6l9-3v3" />
-        </svg>
-        Furumi
-        <span className="header-version">v</span>
-      </div>
-      <div style={{ display: 'flex', alignItems: 'center', gap: '1rem' }}>
-        <div className="search-wrap">
-          <input id="searchInput" placeholder="Search..." />
-          <SearchDropdown
-            isOpen={searchOpen}
-            results={searchResults}
-            onSelect={onSearchSelect}
-          />
-        </div>
-      </div>
-    </header>
-  )
-}
@@ -1,7 +1,18 @@
 import type { MouseEvent as ReactMouseEvent } from 'react'
+import { useAppDispatch, useAppSelector } from '../store'
+import {
+  selectPlayingOrigIdx,
+  selectQueueItems,
+  selectQueueOrder,
+  selectQueueScrollSignal,
+  selectRepeatAll,
+  selectShuffle,
+  toggleRepeat,
+  toggleShuffle,
+} from '../store/slices/queueSlice'
 import { Breadcrumbs } from './Breadcrumbs'
 import { LibraryList } from './LibraryList'
-import { QueueList, type QueueItem } from './QueueList'
+import { QueueList } from './QueueList'

 export type Crumb = { label: string; action?: () => void }

@@ -21,13 +32,10 @@ type MainPanelProps = {
  libraryLoading: boolean
  libraryError: string | null
  libraryItems: LibraryListItem[]
-  queueItemsView: QueueItem[]
-  queueOrderView: number[]
-  queuePlayingOrigIdxView: number
-  queueScrollSignal: number
  onQueuePlay: (origIdx: number) => void
  onQueueRemove: (origIdx: number) => void
  onQueueMove: (fromPos: number, toPos: number) => void
+  onClearQueue: () => void
 }

 export function MainPanel({
@@ -35,14 +43,19 @@ export function MainPanel({
  libraryLoading,
  libraryError,
  libraryItems,
-  queueItemsView,
-  queueOrderView,
-  queuePlayingOrigIdxView,
-  queueScrollSignal,
  onQueuePlay,
  onQueueRemove,
  onQueueMove,
+  onClearQueue,
 }: MainPanelProps) {
+  const dispatch = useAppDispatch()
+  const queueItemsView = useAppSelector(selectQueueItems)
+  const queueOrderView = useAppSelector(selectQueueOrder)
+  const queuePlayingOrigIdxView = useAppSelector(selectPlayingOrigIdx)
+  const queueScrollSignal = useAppSelector(selectQueueScrollSignal)
+  const shuffle = useAppSelector(selectShuffle)
+  const repeatAll = useAppSelector(selectRepeatAll)
+
  return (
    <div className="main">
      <div className="sidebar-overlay" id="sidebarOverlay" />
@@ -58,13 +71,21 @@ export function MainPanel({
        <div className="queue-header">
          <span>Queue</span>
          <div className="queue-actions">
-            <button className="queue-btn active" id="btnShuffle">
+            <button
+              type="button"
+              className={`queue-btn${shuffle ? ' active' : ''}`}
+              onClick={() => dispatch(toggleShuffle())}
+            >
              Shuffle
            </button>
-            <button className="queue-btn active" id="btnRepeat">
+            <button
+              type="button"
+              className={`queue-btn${repeatAll ? ' active' : ''}`}
+              onClick={() => dispatch(toggleRepeat())}
+            >
              Repeat
            </button>
-            <button className="queue-btn" id="btnClearQueue">
+            <button type="button" className="queue-btn" onClick={onClearQueue}>
              Clear
            </button>
          </div>
@@ -1,16 +1,13 @@
-import { useEffect, useState } from 'react'
-import { API_ROOT } from '../furumiApi'
+import { useState } from 'react'
+import { AuthImg } from './AuthImg'
 import type { QueueItem } from './QueueList'

-function Cover({ src }: { src: string }) {
+function Cover({ slug }: { slug: string }) {
  const [errored, setErrored] = useState(false)
-
-  useEffect(() => {
-    setErrored(false)
-  }, [src])
+  const src = `/tracks/${slug}/cover`

  if (errored) return <>&#127925;</>
-  return <img src={src} alt="" onError={() => setErrored(true)} />
+  return <AuthImg src={src} alt="" onError={() => setErrored(true)} />
 }

 export function NowPlaying({ track }: { track: QueueItem | null }) {
@@ -32,12 +29,10 @@ export function NowPlaying({ track }: { track: QueueItem | null }) {
    )
  }

-  const coverUrl = `${API_ROOT}/tracks/${track.slug}/cover`
-
  return (
    <div className="np-info">
      <div className="np-cover" id="npCover">
-        <Cover src={coverUrl} />
+        <Cover slug={track.slug} />
      </div>
      <div className="np-text">
        <div className="np-title" id="npTitle">
@@ -50,4 +45,3 @@ export function NowPlaying({ track }: { track: QueueItem | null }) {
    </div>
  )
 }
-
@@ -1,7 +1,28 @@
 import { NowPlaying } from './NowPlaying'
+import { QueuePopover } from './queue-popover'
 import type { QueueItem } from './QueueList'

-export function PlayerBar({ track }: { track: QueueItem | null }) {
+type PlayerBarProps = {
+  track: QueueItem | null
+  queue: QueueItem[]
+  order: number[]
+  playingOrigIdx: number
+  scrollSignal: number
+  onQueuePlay: (origIdx: number) => void
+  onQueueRemove: (origIdx: number) => void
+  onQueueMove: (fromPos: number, toPos: number) => void
+}
+
+export function PlayerBar({
+  track,
+  queue,
+  order,
+  playingOrigIdx,
+  scrollSignal,
+  onQueuePlay,
+  onQueueRemove,
+  onQueueMove,
+}: PlayerBarProps) {
  return (
    <div className="player-bar">
      <NowPlaying track={track} />
@@ -30,6 +51,15 @@ export function PlayerBar({ track }: { track: QueueItem | null }) {
        </div>
      </div>
      <div className="volume-row">
+        <QueuePopover
+          queue={queue}
+          order={order}
+          playingOrigIdx={playingOrigIdx}
+          scrollSignal={scrollSignal}
+          onPlay={onQueuePlay}
+          onRemove={onQueueRemove}
+          onMove={onQueueMove}
+        />
        <span className="vol-icon" id="volIcon">
          &#128266;
        </span>
@@ -1,5 +1,5 @@
 import { useEffect, useRef, useState } from 'react'
-import { API_ROOT } from '../furumiApi'
+import { AuthImg } from './AuthImg'

 export type QueueItem = {
  slug: string
@@ -32,14 +32,10 @@ function fmt(secs: number) {
  return `${m}:${pad(s % 60)}`
 }

-function Cover({ src }: { src: string }) {
+function Cover({ slug }: { slug: string }) {
  const [errored, setErrored] = useState(false)
-  useEffect(() => {
-    setErrored(false)
-  }, [src])
-
  if (errored) return <>&#127925;</>
-  return <img src={src} alt="" onError={() => setErrored(true)} />
+  return <AuthImg src={`/tracks/${slug}/cover`} alt="" onError={() => setErrored(true)} />
 }

 export function QueueList({
@@ -77,7 +73,7 @@ export function QueueList({
        if (!t) return null

        const isPlaying = origIdx === playingOrigIdx
-        const coverSrc = t.album_slug ? `${API_ROOT}/tracks/${t.slug}/cover` : ''
+        const hasAlbum = !!t.album_slug
        const dur = t.duration ? fmt(t.duration) : ''
        const isDragging = draggingPos === pos
        const isDragOver = dragOverPos === pos
@@ -118,7 +114,7 @@ export function QueueList({
          >
            <span className="qi-index">{isPlaying ? '' : pos + 1}</span>
            <div className="qi-cover">
-              {coverSrc ? <Cover src={coverSrc} /> : <>&#127925;</>}
+              {hasAlbum ? <Cover slug={t.slug} /> : <>&#127925;</>}
            </div>
            <div className="qi-info">
              <div className="qi-title">{t.title}</div>
@@ -0,0 +1,109 @@
+import { useState, useRef, useEffect } from 'react'
+import { SearchDropdown } from '../SearchDropdown'
+import { RecentPlays } from './RecentPlays'
+import styles from './header.module.css'
+
+type SearchResultItem = {
+  result_type: string
+  slug: string
+  name: string
+  detail?: string
+}
+
+type UserInfo = {
+  sub: string
+  name?: string
+  email?: string
+}
+
+type HeaderProps = {
+  searchOpen: boolean
+  searchResults: SearchResultItem[]
+  onSearchSelect: (type: string, slug: string) => void
+  onPlayTrack: (slug: string) => void
+  user: UserInfo
+}
+
+function UserMenu({ user, onShowRecent }: { user: UserInfo; onShowRecent: () => void }) {
+  const [open, setOpen] = useState(false)
+  const ref = useRef<HTMLDivElement>(null)
+
+  useEffect(() => {
+    function handleClick(e: MouseEvent) {
+      if (ref.current && !ref.current.contains(e.target as Node)) setOpen(false)
+    }
+    document.addEventListener('mousedown', handleClick)
+    return () => document.removeEventListener('mousedown', handleClick)
+  }, [])
+
+  const initials = (user.name ?? user.sub)
+    .split(' ')
+    .map((w) => w[0])
+    .slice(0, 2)
+    .join('')
+    .toUpperCase()
+
+  return (
+    <div className={styles.userMenu} ref={ref}>
+      <button className={styles.userAvatar} onClick={() => setOpen(!open)} title={user.name ?? user.sub}>
+        {initials}
+      </button>
+      {open && (
+        <div className={styles.userDropdown}>
+          <div className={styles.userInfo}>
+            <div className={styles.userName}>{user.name ?? user.sub}</div>
+            {user.email && <div className={styles.userEmail}>{user.email}</div>}
+          </div>
+          <button className={styles.userAction} onClick={() => { setOpen(false); onShowRecent() }}>
+            Recent plays
+          </button>
+          <a href="/auth/logout" className={styles.userLogout}>Sign out</a>
+        </div>
+      )}
+    </div>
+  )
+}
+
+export function Header({
+  searchOpen,
+  searchResults,
+  onSearchSelect,
+  onPlayTrack,
+  user,
+}: HeaderProps) {
+  const [showRecent, setShowRecent] = useState(false)
+
+  return (
+    <>
+      <header className={styles.header}>
+        <div className={styles.headerLogo}>
+          <button className="btn-menu">&#9776;</button>
+          <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <circle cx="9" cy="18" r="3" />
+            <circle cx="18" cy="15" r="3" />
+            <path d="M12 18V6l9-3v3" />
+          </svg>
+          Furumi
+          <span className={styles.headerVersion}>v</span>
+        </div>
+        <div style={{ display: 'flex', alignItems: 'center', gap: '1rem' }}>
+          <div className="search-wrap">
+            <input id="searchInput" placeholder="Search..." />
+            <SearchDropdown
+              isOpen={searchOpen}
+              results={searchResults}
+              onSelect={onSearchSelect}
+            />
+          </div>
+          <UserMenu user={user} onShowRecent={() => setShowRecent(true)} />
+        </div>
+      </header>
+      {showRecent && (
+        <RecentPlays
+          onClose={() => setShowRecent(false)}
+          onPlay={onPlayTrack}
+        />
+      )}
+    </>
+  )
+}
@@ -0,0 +1,64 @@
+import { useEffect, useState } from 'react'
+import { getRecentPlays, type RecentPlay } from '../../furumiApi'
+import styles from './header.module.css'
+
+function timeAgo(iso: string): string {
+  const diff = Date.now() - new Date(iso).getTime()
+  const mins = Math.floor(diff / 60000)
+  if (mins < 1) return 'just now'
+  if (mins < 60) return `${mins}m ago`
+  const hrs = Math.floor(mins / 60)
+  if (hrs < 24) return `${hrs}h ago`
+  const days = Math.floor(hrs / 24)
+  return `${days}d ago`
+}
+
+export function RecentPlays({ onClose, onPlay }: { onClose: () => void; onPlay: (slug: string) => void }) {
+  const [plays, setPlays] = useState<RecentPlay[] | null>(null)
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    getRecentPlays().then((data) => {
+      setPlays(data)
+      setLoading(false)
+    })
+  }, [])
+
+  useEffect(() => {
+    function onKey(e: KeyboardEvent) {
+      if (e.key === 'Escape') onClose()
+    }
+    window.addEventListener('keydown', onKey)
+    return () => window.removeEventListener('keydown', onKey)
+  }, [onClose])
+
+  return (
+    <div className={styles.recentOverlay} onClick={onClose}>
+      <div className={styles.recentPanel} onClick={(e) => e.stopPropagation()}>
+        <div className={styles.recentHeader}>
+          <h2>Recent plays</h2>
+          <button className={styles.recentClose} onClick={onClose}>&#10005;</button>
+        </div>
+        <div className={styles.recentList}>
+          {loading && <p className={styles.recentEmpty}>Loading...</p>}
+          {!loading && (!plays || plays.length === 0) && (
+            <p className={styles.recentEmpty}>No play history yet</p>
+          )}
+          {plays?.map((p, i) => (
+            <div
+              key={`${p.track_slug}-${i}`}
+              className={styles.recentItem}
+              onClick={() => { onPlay(p.track_slug); onClose() }}
+            >
+              <div className={styles.recentTrack}>
+                <div className={styles.recentTitle}>{p.track_title}</div>
+                <div className={styles.recentArtist}>{p.artist_name}</div>
+              </div>
+              <div className={styles.recentTime}>{timeAgo(p.played_at)}</div>
+            </div>
+          ))}
+        </div>
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,234 @@
+.header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 0.75rem 1.5rem;
+    background: var(--bg-panel);
+    border-bottom: 1px solid var(--border);
+    flex-shrink: 0;
+    z-index: 10;
+}
+
+.headerLogo {
+    display: flex;
+    align-items: center;
+    gap: 0.75rem;
+    font-weight: 700;
+    font-size: 1.1rem;
+    color: #ffffff;
+}
+
+.headerLogo svg {
+    width: 22px;
+    height: 22px;
+}
+
+.headerVersion {
+    font-size: 0.7rem;
+    color: var(--text-muted);
+    background: rgba(255, 255, 255, 0.05);
+    padding: 0.1rem 0.4rem;
+    border-radius: 4px;
+    margin-left: 0.25rem;
+    font-weight: 500;
+    text-decoration: none;
+}
+
+/* User menu */
+
+.userMenu {
+    position: relative;
+}
+
+.userAvatar {
+    width: 32px;
+    height: 32px;
+    border-radius: 50%;
+    background: var(--accent);
+    color: #fff;
+    border: none;
+    font-size: 0.75rem;
+    font-weight: 600;
+    cursor: pointer;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    transition: background 0.2s;
+}
+
+.userAvatar:hover {
+    background: var(--accent-dim);
+}
+
+.userDropdown {
+    position: absolute;
+    top: calc(100% + 8px);
+    right: 0;
+    min-width: 200px;
+    background: var(--bg-card);
+    border: 1px solid var(--border);
+    border-radius: 10px;
+    box-shadow: 0 12px 32px rgba(0, 0, 0, 0.4);
+    z-index: 100;
+    overflow: hidden;
+    animation: fadeIn 0.15s ease;
+}
+
+@keyframes fadeIn {
+    from { opacity: 0; transform: translateY(-4px); }
+    to { opacity: 1; transform: translateY(0); }
+}
+
+.userInfo {
+    padding: 12px 16px;
+    border-bottom: 1px solid var(--border);
+}
+
+.userName {
+    font-weight: 600;
+    font-size: 0.9rem;
+    color: var(--text);
+}
+
+.userEmail {
+    font-size: 0.75rem;
+    color: var(--text-muted);
+    margin-top: 2px;
+}
+
+.userLogout {
+    display: block;
+    padding: 10px 16px;
+    color: var(--danger);
+    text-decoration: none;
+    font-size: 0.85rem;
+    font-weight: 500;
+    transition: background 0.15s;
+}
+
+.userLogout:hover {
+    background: var(--bg-hover);
+}
+
+.userAction {
+    display: block;
+    padding: 10px 16px;
+    color: var(--text);
+    text-decoration: none;
+    font-size: 0.85rem;
+    font-weight: 500;
+    cursor: pointer;
+    background: none;
+    border: none;
+    width: 100%;
+    text-align: left;
+    transition: background 0.15s;
+}
+
+.userAction:hover {
+    background: var(--bg-hover);
+}
+
+/* Recent plays overlay */
+
+.recentOverlay {
+    position: fixed;
+    inset: 0;
+    background: rgba(0, 0, 0, 0.5);
+    z-index: 200;
+    display: grid;
+    place-items: center;
+    animation: fadeIn 0.15s ease;
+}
+
+.recentPanel {
+    width: min(480px, 90vw);
+    max-height: 70vh;
+    background: var(--bg-panel);
+    border: 1px solid var(--border);
+    border-radius: 14px;
+    display: flex;
+    flex-direction: column;
+    box-shadow: 0 20px 60px rgba(0, 0, 0, 0.5);
+}
+
+.recentHeader {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 16px 20px;
+    border-bottom: 1px solid var(--border);
+}
+
+.recentHeader h2 {
+    font-size: 1rem;
+    font-weight: 600;
+    color: var(--text);
+    margin: 0;
+}
+
+.recentClose {
+    background: none;
+    border: none;
+    color: var(--text-muted);
+    font-size: 1rem;
+    cursor: pointer;
+    padding: 4px 8px;
+    border-radius: 4px;
+}
+
+.recentClose:hover {
+    color: var(--text);
+    background: var(--bg-hover);
+}
+
+.recentList {
+    overflow-y: auto;
+    flex: 1;
+}
+
+.recentItem {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding: 10px 20px;
+    cursor: pointer;
+    transition: background 0.15s;
+}
+
+.recentItem:hover {
+    background: var(--bg-hover);
+}
+
+.recentTrack {
+    min-width: 0;
+    flex: 1;
+}
+
+.recentTitle {
+    font-size: 0.85rem;
+    color: var(--text);
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+
+.recentArtist {
+    font-size: 0.75rem;
+    color: var(--text-muted);
+    margin-top: 1px;
+}
+
+.recentTime {
+    font-size: 0.7rem;
+    color: var(--text-dim);
+    flex-shrink: 0;
+    margin-left: 12px;
+}
+
+.recentEmpty {
+    padding: 32px 20px;
+    text-align: center;
+    color: var(--text-muted);
+    font-size: 0.85rem;
+}
@@ -0,0 +1 @@
+export * from './Header'
@@ -0,0 +1 @@
+export * from './queue-popover'
@@ -0,0 +1,68 @@
+.root {
+  position: relative;
+  display: flex;
+  align-items: center;
+}
+
+.trigger {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 0.35rem;
+  margin: 0;
+  border: none;
+  border-radius: 6px;
+  background: transparent;
+  color: var(--text-muted);
+  cursor: pointer;
+  font: inherit;
+  line-height: 1;
+}
+
+.trigger:hover {
+  color: var(--text);
+  background: var(--bg-hover);
+}
+
+.triggerIcon {
+  font-size: 0.95rem;
+}
+
+.popover {
+  position: absolute;
+  bottom: calc(100% + 0.5rem);
+  right: 0;
+  z-index: 60;
+  display: flex;
+  flex-direction: column;
+  min-width: min(100vw - 2rem, 320px);
+  max-width: min(100vw - 2rem, 360px);
+  max-height: min(50vh, 360px);
+  border-radius: 8px;
+  border: 1px solid var(--border);
+  background: var(--bg-card);
+  box-shadow: 0 8px 28px rgba(0, 0, 0, 0.45);
+}
+
+.header {
+  flex-shrink: 0;
+  padding: 0.55rem 0.75rem;
+  font-size: 0.75rem;
+  font-weight: 600;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  color: var(--text-muted);
+  border-bottom: 1px solid var(--border);
+}
+
+.body {
+  flex: 1;
+  min-height: 0;
+  overflow: auto;
+  padding: 0.35rem 0.5rem;
+}
+
+.body :global(.queue-empty) {
+  padding: 1.25rem 0.75rem;
+  font-size: 0.8rem;
+}
@@ -0,0 +1,86 @@
+import { useEffect, useId, useRef, useState } from 'react'
+import { QueueList, type QueueItem } from '../QueueList'
+import styles from './queue-popover.module.css'
+
+export type QueuePopoverProps = {
+  queue: QueueItem[]
+  order: number[]
+  playingOrigIdx: number
+  scrollSignal: number
+  onPlay: (origIdx: number) => void
+  onRemove: (origIdx: number) => void
+  onMove: (fromPos: number, toPos: number) => void
+}
+
+export function QueuePopover({
+  queue,
+  order,
+  playingOrigIdx,
+  scrollSignal,
+  onPlay,
+  onRemove,
+  onMove,
+}: QueuePopoverProps) {
+  const [open, setOpen] = useState(false)
+  const rootRef = useRef<HTMLDivElement>(null)
+  const titleId = useId()
+  const panelId = useId()
+
+  useEffect(() => {
+    if (!open) return
+    function onDocMouseDown(e: MouseEvent) {
+      const el = rootRef.current
+      if (el && !el.contains(e.target as Node)) setOpen(false)
+    }
+    function onKey(e: KeyboardEvent) {
+      if (e.key === 'Escape') setOpen(false)
+    }
+    document.addEventListener('mousedown', onDocMouseDown)
+    document.addEventListener('keydown', onKey)
+    return () => {
+      document.removeEventListener('mousedown', onDocMouseDown)
+      document.removeEventListener('keydown', onKey)
+    }
+  }, [open])
+
+  return (
+    <div className={styles.root} ref={rootRef}>
+      <button
+        type="button"
+        className={styles.trigger}
+        title="Playback queue"
+        aria-expanded={open}
+        aria-haspopup="dialog"
+        aria-controls={open ? panelId : undefined}
+        onClick={() => setOpen((v) => !v)}
+      >
+        <span className={styles.triggerIcon} aria-hidden>
+          &#9776;
+        </span>
+      </button>
+      {open && (
+        <div
+          id={panelId}
+          className={styles.popover}
+          role="dialog"
+          aria-labelledby={titleId}
+        >
+          <div className={styles.header} id={titleId}>
+            Queue
+          </div>
+          <div className={styles.body}>
+            <QueueList
+              queue={queue}
+              order={order}
+              playingOrigIdx={playingOrigIdx}
+              scrollSignal={scrollSignal}
+              onPlay={onPlay}
+              onRemove={onRemove}
+              onMove={onMove}
+            />
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}
@@ -31,40 +31,6 @@
  --danger: #f87171;
 }

-.header {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  padding: 0.75rem 1.5rem;
-  background: var(--bg-panel);
-  border-bottom: 1px solid var(--border);
-  flex-shrink: 0;
-  z-index: 10;
-}
-
-.header-logo {
-  display: flex;
-  align-items: center;
-  gap: 0.75rem;
-  font-weight: 700;
-  font-size: 1.1rem;
-}
-
-.header-logo svg {
-  width: 22px;
-  height: 22px;
-}
-
-.header-version {
-  font-size: 0.7rem;
-  color: var(--text-muted);
-  background: rgba(255, 255, 255, 0.05);
-  padding: 0.1rem 0.4rem;
-  border-radius: 4px;
-  margin-left: 0.25rem;
-  font-weight: 500;
-  text-decoration: none;
-}

 .btn-menu {
  display: none;
@@ -378,6 +344,10 @@
  color: var(--accent);
 }

+.qi-title {
+  color: #ffffff;
+}
+
 .queue-item .qi-index {
  font-size: 0.75rem;
  color: var(--text-muted);
@@ -531,6 +501,7 @@
  overflow: hidden;
  text-overflow: ellipsis;
  white-space: nowrap;
+  color: #ffffff;
 }

 .np-artist {
@@ -1,16 +1,64 @@
 import axios from 'axios'
 import type { Album, Artist, SearchResult, Track, TrackDetail } from './types'

-const API_BASE = import.meta.env.VITE_API_BASE_URL ?? ''
-export const API_ROOT = `${API_BASE}/api`
-
-const API_KEY = import.meta.env.VITE_API_KEY
+const FURUMI_API_BASE = import.meta.env.VITE_FURUMI_API_URL ?? ''
+export const API_ROOT = `${FURUMI_API_BASE}/api`

 export const furumiApi = axios.create({
  baseURL: API_ROOT,
-  headers: API_KEY ? { 'x-api-key': API_KEY } : {},
 })

+function sendTokenToSW(token: string) {
+  try {
+    const req = indexedDB.open('furumi-sw', 1)
+    req.onupgradeneeded = () => req.result.createObjectStore('auth')
+    req.onsuccess = () => {
+      const tx = req.result.transaction('auth', 'readwrite')
+      tx.objectStore('auth').put(token, 'bearer')
+    }
+  } catch { /* ignore */ }
+}
+
+export function setAuthToken(token: string) {
+  furumiApi.defaults.headers.common['Authorization'] = `Bearer ${token}`
+  sendTokenToSW(token)
+}
+
+export function clearAuthToken() {
+  delete furumiApi.defaults.headers.common['Authorization']
+}
+
+async function refreshToken(): Promise<boolean> {
+  try {
+    const res = await fetch('/auth/token', { credentials: 'include' })
+    if (!res.ok) return false
+    const data = await res.json()
+    if (data.access_token) {
+      setAuthToken(data.access_token)
+      return true
+    }
+  } catch { /* ignore */ }
+  return false
+}
+
+let refreshPromise: Promise<boolean> | null = null
+
+furumiApi.interceptors.response.use(
+  (response) => response,
+  async (error) => {
+    const original = error.config
+    if (error.response?.status === 401 && !original._retried) {
+      original._retried = true
+      if (!refreshPromise) {
+        refreshPromise = refreshToken().finally(() => { refreshPromise = null })
+      }
+      const ok = await refreshPromise
+      if (ok) return furumiApi(original)
+    }
+    return Promise.reject(error)
+  },
+)
+
 export async function getArtists(): Promise<Artist[] | null> {
  const res = await furumiApi.get<Artist[]>('/artists').catch(() => null)
  return res?.data ?? null
@@ -43,7 +91,19 @@ export async function getTrackInfo(trackSlug: string): Promise<TrackDetail | nul
  return res?.data ?? null
 }

-export async function preloadStream(trackSlug: string) {
-  return await furumiApi.get(`/stream/${trackSlug}`, { responseType: 'blob' }).catch(() => null)
+export type RecentPlay = {
+  track_slug: string
+  track_title: string
+  artist_name: string
+  album_slug: string | null
+  played_at: string
 }

+export async function getRecentPlays(): Promise<RecentPlay[] | null> {
+  const res = await furumiApi.get<RecentPlay[]>('/me/recent').catch(() => null)
+  return res?.data ?? null
+}
+
+export async function recordPlay(trackSlug: string): Promise<void> {
+  await furumiApi.post(`/tracks/${trackSlug}/play`).catch(() => null)
+}
@@ -5,6 +5,10 @@ import { store } from './store'
 import './index.css'
 import App from './App.tsx'

+if ('serviceWorker' in navigator) {
+  navigator.serviceWorker.register('/sw.js')
+}
+
 createRoot(document.getElementById('root')!).render(
  <StrictMode>
    <Provider store={store}>
@@ -239,6 +239,7 @@ export function selectQueueItems(state: QueueSliceRoot) {
  return state.queue.items
 }

+// TODO: toggle shuffle should rebuild the shuffle order
 export function selectQueueOrder(state: QueueSliceRoot): number[] {
  const q = state.queue
  if (!q.shuffle) return q.items.map((_, i) => i)
@@ -6,10 +6,18 @@ export default defineConfig({
  plugins: [react()],
  server: {
    proxy: {
-      '/api': {
+      '/auth': {
        target: 'http://localhost:3001',
        changeOrigin: true,
      },
+      '/callback': {
+        target: 'http://localhost:3001',
+        changeOrigin: true,
+      },
+      '/api': {
+        target: 'http://localhost:8085',
+        changeOrigin: true,
+      },
    },
  },
 })
@@ -1,5 +1,6 @@
 import 'dotenv/config';

+import path from 'path';
 import cors from 'cors';
 import express from 'express';
 import { auth } from 'express-openid-connect';
@@ -23,12 +24,14 @@ const oidcConfig = {
  clientSecret: process.env.OIDC_CLIENT_SECRET ?? '',
  authorizationParams: {
    response_type: 'code',
-    scope: process.env.OIDC_SCOPE ?? 'openid profile email',
+    scope: process.env.OIDC_SCOPE ?? 'openid profile email offline_access',
  },
+  routes: {
+    callback: process.env.OIDC_REDIRECT_URL
+  }
 };

 if (!disableAuth && (!oidcConfig.clientID || !oidcConfig.issuerBaseURL || !oidcConfig.clientSecret)) {
-  // Keep a clear startup failure if OIDC is not configured.
  throw new Error(
    'OIDC config is missing. Set OIDC_ISSUER_BASE_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in server/.env (or set DISABLE_AUTH=true)',
  );
@@ -46,11 +49,11 @@ if (!disableAuth) {
  app.use(auth(oidcConfig));
 }

-app.get('/api/health', (_req, res) => {
+app.get('/auth/health', (_req, res) => {
  res.json({ ok: true });
 });

-app.get('/api/me', (req, res) => {
+app.get('/auth/me', (req, res) => {
  if (disableAuth) {
    res.json({
      authenticated: false,
@@ -74,7 +77,42 @@ app.get('/api/me', (req, res) => {
  });
 });

-app.get('/api/login', (req, res) => {
+app.get('/auth/token', async (req, res) => {
+  if (disableAuth) {
+    res.status(204).end();
+    return;
+  }
+
+  if (!req.oidc.isAuthenticated()) {
+    res.status(401).json({ authenticated: false });
+    return;
+  }
+
+  let accessToken = req.oidc.accessToken;
+  if (!accessToken?.access_token) {
+    res.status(500).json({ error: 'no access token in session' });
+    return;
+  }
+
+  // Refresh if expired
+  if (accessToken.isExpired()) {
+    try {
+      accessToken = await accessToken.refresh();
+    } catch (e) {
+      console.error('Token refresh failed:', e);
+      res.status(401).json({ error: 'token refresh failed' });
+      return;
+    }
+  }
+
+  res.json({
+    access_token: accessToken.access_token,
+    token_type: 'Bearer',
+    expires_in: accessToken.expires_in,
+  });
+});
+
+app.get('/auth/login', (req, res) => {
  if (disableAuth) {
    res.status(204).end();
    return;
@@ -85,7 +123,7 @@ app.get('/api/login', (req, res) => {
  });
 });

-app.get('/api/logout', (req, res) => {
+app.get('/auth/logout', (req, res) => {
  if (disableAuth) {
    res.status(204).end();
    return;
@@ -96,6 +134,13 @@ app.get('/api/logout', (req, res) => {
  });
 });

+// Production: serve Vite-built client as static files
+const clientDist = path.resolve(import.meta.dirname, '../../client/dist');
+app.use(express.static(clientDist));
+app.get('/{*path}', (_req, res) => {
+  res.sendFile(path.join(clientDist, 'index.html'));
+});
+
 app.listen(port, () => {
  console.log(
    `${disableAuth ? 'NO-AUTH' : 'OIDC auth'} server listening on http://localhost:${port}`,
@@ -9,6 +9,7 @@ axum = { version = "0.7", features = ["tokio", "macros"] }
 clap = { version = "4.5", features = ["derive", "env"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
+chrono = { version = "0.4", features = ["serde"] }
 sqlx = { version = "0.8", features = ["runtime-tokio-rustls", "postgres", "chrono", "uuid", "migrate"] }
 tokio = { version = "1.50", features = ["full"] }
 tower = { version = "0.4", features = ["util"] }
@@ -18,7 +19,8 @@ mime_guess = "2.0"
 symphonia = { version = "0.5", default-features = false, features = ["mp3", "aac", "flac", "vorbis", "wav", "alac", "adpcm", "pcm", "mpa", "isomp4", "ogg", "aiff", "mkv"] }
 tokio-util = { version = "0.7", features = ["io"] }
 openidconnect = "3.4"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json"] }
+jsonwebtoken = "9"
 sha2 = "0.10"
 hmac = "0.12"
 base64 = "0.22"
@@ -82,6 +82,82 @@ pub struct SearchResult {
    pub detail: Option<String>, // artist name for albums/tracks
 }

+// --- User management ---
+
+pub async fn upsert_user(
+    pool: &PgPool,
+    id: &str,
+    username: &str,
+    display_name: Option<&str>,
+    email: Option<&str>,
+) -> Result<(), sqlx::Error> {
+    sqlx::query(
+        r#"INSERT INTO users (id, username, display_name, email, last_seen_at)
+           VALUES ($1, $2, $3, $4, NOW())
+           ON CONFLICT (id) DO UPDATE SET
+             username = EXCLUDED.username,
+             display_name = EXCLUDED.display_name,
+             email = EXCLUDED.email,
+             last_seen_at = NOW()"#
+    )
+    .bind(id)
+    .bind(username)
+    .bind(display_name)
+    .bind(email)
+    .execute(pool)
+    .await?;
+    Ok(())
+}
+
+pub async fn record_play_event(
+    pool: &PgPool,
+    user_id: &str,
+    track_slug: &str,
+) -> Result<bool, sqlx::Error> {
+    let result = sqlx::query(
+        r#"INSERT INTO play_events (user_id, track_id, played_at)
+           SELECT $1, t.id, NOW()
+           FROM tracks t WHERE t.slug = $2"#
+    )
+    .bind(user_id)
+    .bind(track_slug)
+    .execute(pool)
+    .await?;
+    Ok(result.rows_affected() > 0)
+}
+
+#[derive(Debug, Serialize, sqlx::FromRow)]
+pub struct RecentPlay {
+    pub track_slug: String,
+    pub track_title: String,
+    pub artist_name: String,
+    pub album_slug: Option<String>,
+    pub played_at: chrono::DateTime<chrono::Utc>,
+}
+
+pub async fn recent_plays(
+    pool: &PgPool,
+    user_id: &str,
+    limit: i32,
+) -> Result<Vec<RecentPlay>, sqlx::Error> {
+    sqlx::query_as::<_, RecentPlay>(
+        r#"SELECT t.slug AS track_slug, t.title AS track_title,
+           ar.name AS artist_name, al.slug AS album_slug,
+           pe.played_at
+           FROM play_events pe
+           JOIN tracks t ON pe.track_id = t.id
+           JOIN artists ar ON t.artist_id = ar.id
+           LEFT JOIN albums al ON t.album_id = al.id
+           WHERE pe.user_id = $1
+           ORDER BY pe.played_at DESC
+           LIMIT $2"#
+    )
+    .bind(user_id)
+    .bind(limit)
+    .fetch_all(pool)
+    .await
+}
+
 // --- Queries ---

 pub async fn list_artists(pool: &PgPool) -> Result<Vec<ArtistListItem>, sqlx::Error> {
@@ -40,9 +40,6 @@ struct Args {
    #[arg(long, env = "FURUMI_PLAYER_OIDC_SESSION_SECRET")]
    oidc_session_secret: Option<String>,

-    /// API key for x-api-key header auth (alternative to OIDC session)
-    #[arg(long, env = "FURUMI_PLAYER_API_KEY")]
-    api_key: Option<String>,
 }

 #[tokio::main]
@@ -94,15 +91,10 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
        std::process::exit(1);
    });

-    if args.api_key.is_some() {
-        tracing::info!("x-api-key auth: enabled");
-    }
-
    let state = Arc::new(web::AppState {
        pool,
        storage_dir: Arc::new(args.storage_dir),
        oidc: oidc_state,
-        api_key: args.api_key,
    });

    tracing::info!("Web player: http://{}", bind_addr);
@@ -9,8 +9,10 @@ use axum::{
 use serde::Deserialize;
 use tokio::io::{AsyncReadExt, AsyncSeekExt};

+use axum::Extension;
 use crate::db;
 use super::AppState;
+use super::auth::AuthUser;

 type S = Arc<AppState>;

@@ -291,6 +293,30 @@ pub async fn search(State(state): State<S>, Query(q): Query<SearchQuery>) -> imp
    }
 }

+// --- Play tracking ---
+
+pub async fn recent_plays(
+    State(state): State<S>,
+    Extension(user): Extension<AuthUser>,
+) -> impl IntoResponse {
+    match db::recent_plays(&state.pool, &user.id, 50).await {
+        Ok(plays) => (StatusCode::OK, Json(serde_json::to_value(plays).unwrap())).into_response(),
+        Err(e) => error_json(StatusCode::INTERNAL_SERVER_ERROR, &e.to_string()),
+    }
+}
+
+pub async fn record_play(
+    State(state): State<S>,
+    Path(slug): Path<String>,
+    Extension(user): Extension<AuthUser>,
+) -> impl IntoResponse {
+    match db::record_play_event(&state.pool, &user.id, &slug).await {
+        Ok(true) => StatusCode::NO_CONTENT.into_response(),
+        Ok(false) => error_json(StatusCode::NOT_FOUND, "track not found"),
+        Err(e) => error_json(StatusCode::INTERNAL_SERVER_ERROR, &e.to_string()),
+    }
+}
+
 // --- Helpers ---

 fn error_json(status: StatusCode, message: &str) -> Response {
@@ -3,10 +3,9 @@ use axum::{
    extract::{Request, State},
    http::{header, HeaderMap, StatusCode},
    middleware::Next,
-    response::{Html, IntoResponse, Redirect, Response},
+    response::{IntoResponse, Redirect, Response},
 };

-const X_API_KEY: &str = "x-api-key";
 use openidconnect::{
    core::{CoreClient, CoreProviderMetadata, CoreResponseType},
    reqwest::async_http_client,
@@ -18,17 +17,26 @@ use serde::Deserialize;

 use base64::Engine;
 use hmac::{Hmac, Mac};
+use jsonwebtoken::{decode, decode_header, DecodingKey, Validation as JwtValidation};
+use jsonwebtoken::jwk::JwkSet;
+use std::time::{Duration, Instant};
+use tokio::sync::RwLock;

 use super::AppState;
 use std::sync::Arc;

 const SESSION_COOKIE: &str = "furumi_session";
+const JWKS_CACHE_TTL: Duration = Duration::from_secs(3600);

 type HmacSha256 = Hmac<sha2::Sha256>;

 pub struct OidcState {
    pub client: CoreClient,
    pub session_secret: Vec<u8>,
+    jwks_uri: String,
+    issuer_url: String,
+    jwks_cache: RwLock<Option<(JwkSet, Instant)>>,
+    http_client: reqwest::Client,
 }

 pub async fn oidc_init(
@@ -44,6 +52,9 @@ pub async fn oidc_init(
    )
    .await?;

+    let jwks_uri = provider_metadata.jwks_uri().to_string();
+    let issuer_url = provider_metadata.issuer().to_string();
+
    let client = CoreClient::from_provider_metadata(
        provider_metadata,
        ClientId::new(client_id),
@@ -62,9 +73,84 @@ pub async fn oidc_init(
        b
    };

+    let http_client = reqwest::Client::new();
+
+    tracing::info!("JWKS URI: {}", jwks_uri);
+
    Ok(OidcState {
        client,
        session_secret,
+        jwks_uri,
+        issuer_url,
+        jwks_cache: RwLock::new(None),
+        http_client,
+    })
+}
+
+impl OidcState {
+    async fn get_jwks(&self) -> anyhow::Result<JwkSet> {
+        {
+            let cache = self.jwks_cache.read().await;
+            if let Some((ref jwks, fetched_at)) = *cache {
+                if fetched_at.elapsed() < JWKS_CACHE_TTL {
+                    return Ok(jwks.clone());
+                }
+            }
+        }
+        self.refresh_jwks().await
+    }
+
+    async fn refresh_jwks(&self) -> anyhow::Result<JwkSet> {
+        tracing::debug!("Fetching JWKS from {}", self.jwks_uri);
+        let jwks: JwkSet = self.http_client.get(&self.jwks_uri).send().await?.json().await?;
+        let mut cache = self.jwks_cache.write().await;
+        *cache = Some((jwks.clone(), Instant::now()));
+        Ok(jwks)
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct AuthUser {
+    pub id: String,
+    pub username: String,
+    pub display_name: Option<String>,
+    pub email: Option<String>,
+}
+
+#[derive(Debug, serde::Deserialize)]
+struct BearerClaims {
+    sub: String,
+    preferred_username: Option<String>,
+    name: Option<String>,
+    email: Option<String>,
+}
+
+async fn validate_bearer_token(oidc: &OidcState, token: &str) -> Option<AuthUser> {
+    let header = decode_header(token).ok()?;
+    let kid = header.kid.as_ref()?;
+
+    let mut jwks = oidc.get_jwks().await.ok()?;
+    let mut jwk = jwks.find(kid);
+
+    // Handle key rotation: refresh JWKS if kid not found
+    if jwk.is_none() {
+        jwks = oidc.refresh_jwks().await.ok()?;
+        jwk = jwks.find(kid);
+    }
+
+    let key = DecodingKey::from_jwk(jwk?).ok()?;
+
+    let mut validation = JwtValidation::new(header.alg);
+    validation.set_issuer(&[&oidc.issuer_url]);
+    validation.validate_aud = false;
+
+    let data = decode::<BearerClaims>(token, &key, &validation).ok()?;
+    let c = data.claims;
+    Some(AuthUser {
+        id: c.sub.clone(),
+        username: c.preferred_username.unwrap_or(c.sub),
+        display_name: c.name,
+        email: c.email,
    })
 }

@@ -94,75 +180,73 @@ fn verify_sso_cookie(secret: &[u8], cookie_val: &str) -> Option<String> {
    }
 }

-/// Auth middleware: requires valid SSO session cookie or x-api-key header.
+/// Auth middleware: requires valid Bearer JWT or SSO session cookie.
+/// Inserts AuthUser into request extensions and upserts user in DB.
 pub async fn require_auth(
    State(state): State<Arc<AppState>>,
-    req: Request,
+    mut req: Request,
    next: Next,
 ) -> Response {
-    // 1. Check x-api-key header (if configured)
-    if let Some(ref expected) = state.api_key {
-        if let Some(val) = req
+    let mut auth_user: Option<AuthUser> = None;
+
+    // 1. Check Bearer token — JWT from OIDC provider
+    if let Some(ref oidc) = state.oidc {
+        if let Some(token) = req
            .headers()
-            .get(X_API_KEY)
+            .get(header::AUTHORIZATION)
            .and_then(|v| v.to_str().ok())
+            .and_then(|v| v.strip_prefix("Bearer "))
        {
-            if val == expected {
-                return next.run(req).await;
-            }
+            auth_user = validate_bearer_token(oidc, token).await;
        }
    }

    // 2. Check SSO session cookie (if OIDC configured)
-    if let Some(ref oidc) = state.oidc {
-        let cookies = req
-            .headers()
-            .get(header::COOKIE)
-            .and_then(|v| v.to_str().ok())
-            .unwrap_or("");
+    if auth_user.is_none() {
+        if let Some(ref oidc) = state.oidc {
+            let cookies = req
+                .headers()
+                .get(header::COOKIE)
+                .and_then(|v| v.to_str().ok())
+                .unwrap_or("");

-        for c in cookies.split(';') {
-            let c = c.trim();
-            if let Some(val) = c.strip_prefix(&format!("{}=", SESSION_COOKIE)) {
-                if verify_sso_cookie(&oidc.session_secret, val).is_some() {
-                    return next.run(req).await;
+            for c in cookies.split(';') {
+                let c = c.trim();
+                if let Some(val) = c.strip_prefix(&format!("{}=", SESSION_COOKIE)) {
+                    if let Some(user_id) = verify_sso_cookie(&oidc.session_secret, val) {
+                        auth_user = Some(AuthUser {
+                            id: user_id.clone(),
+                            username: user_id,
+                            display_name: None,
+                            email: None,
+                        });
+                        break;
+                    }
                }
            }
        }
    }

-    let uri = req.uri().to_string();
-    if uri.starts_with("/api/") {
-        (StatusCode::UNAUTHORIZED, "Unauthorized").into_response()
-    } else if state.oidc.is_some() {
-        Redirect::to("/login").into_response()
-    } else {
-        // Only API key configured — no web login available
-        (StatusCode::UNAUTHORIZED, "Unauthorized").into_response()
+    match auth_user {
+        Some(user) => {
+            tracing::debug!("Auth OK for user: {}", user.username);
+            // Upsert user in background
+            let pool = state.pool.clone();
+            let u = user.clone();
+            tokio::spawn(async move {
+                if let Err(e) = crate::db::upsert_user(
+                    &pool, &u.id, &u.username, u.display_name.as_deref(), u.email.as_deref(),
+                ).await {
+                    tracing::warn!("Failed to upsert user: {}", e);
+                }
+            });
+            req.extensions_mut().insert(user);
+            next.run(req).await
+        }
+        None => (StatusCode::UNAUTHORIZED, "Unauthorized").into_response(),
    }
 }

-/// GET /login — show SSO login page.
-pub async fn login_page(State(state): State<Arc<AppState>>) -> impl IntoResponse {
-    if state.oidc.is_none() {
-        return Redirect::to("/").into_response();
-    }
-
-    Html(LOGIN_HTML).into_response()
-}
-
-/// GET /logout — clear session cookie.
-pub async fn logout() -> impl IntoResponse {
-    let cookie = format!(
-        "{}=; HttpOnly; SameSite=Strict; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
-        SESSION_COOKIE
-    );
-    let mut headers = HeaderMap::new();
-    headers.insert(header::SET_COOKIE, cookie.parse().unwrap());
-    headers.insert(header::LOCATION, "/login".parse().unwrap());
-    (StatusCode::FOUND, headers, Body::empty()).into_response()
-}
-
 #[derive(Deserialize)]
 pub struct LoginQuery {
    pub next: Option<String>,
@@ -335,9 +419,9 @@ pub async fn oidc_callback(
        .unwrap_or(false);

    let session_attrs = if is_https {
-        "SameSite=Strict; Secure"
+        "SameSite=Lax; Secure"
    } else {
-        "SameSite=Strict"
+        "SameSite=Lax"
    };

    let session_cookie = format!(
@@ -354,47 +438,3 @@ pub async fn oidc_callback(

    (StatusCode::FOUND, headers, Body::empty()).into_response()
 }
-
-const LOGIN_HTML: &str = r#"<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>Furumi Player — Login</title>
-<style>
-  * { box-sizing: border-box; margin: 0; padding: 0; }
-  body {
-    min-height: 100vh;
-    display: flex; align-items: center; justify-content: center;
-    background: #0d0f14;
-    font-family: 'Inter', system-ui, sans-serif;
-    color: #e2e8f0;
-  }
-  .card {
-    background: #161b27;
-    border: 1px solid #2a3347;
-    border-radius: 16px;
-    padding: 2.5rem 3rem;
-    width: 360px;
-    box-shadow: 0 20px 60px rgba(0,0,0,0.5);
-    text-align: center;
-  }
-  .logo { font-size: 1.8rem; font-weight: 700; color: #7c6af7; margin-bottom: 0.25rem; }
-  .subtitle { font-size: 0.85rem; color: #64748b; margin-bottom: 2rem; }
-  .btn-sso {
-    display: block; width: 100%; padding: 0.75rem; text-align: center;
-    background: #7c6af7; border: none; border-radius: 8px;
-    color: #fff; font-size: 0.95rem; font-weight: 600; text-decoration: none;
-    cursor: pointer; transition: background 0.2s;
-  }
-  .btn-sso:hover { background: #6b58e8; }
-</style>
-</head>
-<body>
-<div class="card">
-  <div class="logo">Furumi</div>
-  <div class="subtitle">Sign in to continue</div>
-  <a href="/auth/login" class="btn-sso">SSO Login</a>
-</div>
-</body>
-</html>"#;
@@ -5,7 +5,7 @@ use std::sync::Arc;
 use std::path::PathBuf;
 use std::time::Duration;

-use axum::{Router, routing::get, middleware};
+use axum::{Router, routing::{get, post}, middleware};
 use axum::http::{header, Method};
 use sqlx::PgPool;
 use tower_http::cors::{Any, CorsLayer};
@@ -16,7 +16,6 @@ pub struct AppState {
    #[allow(dead_code)]
    pub storage_dir: Arc<PathBuf>,
    pub oidc: Option<Arc<auth::OidcState>>,
-    pub api_key: Option<String>,
 }

 pub fn build_router(state: Arc<AppState>) -> Router {
@@ -30,39 +29,31 @@ pub fn build_router(state: Arc<AppState>) -> Router {
        .route("/tracks/:slug", get(api::get_track_detail))
        .route("/tracks/:slug/cover", get(api::track_cover))
        .route("/stream/:slug", get(api::stream_track))
-        .route("/search", get(api::search));
+        .route("/search", get(api::search))
+        .route("/tracks/:slug/play", post(api::record_play))
+        .route("/me/recent", get(api::recent_plays));

-    let authed = Router::new()
-        .route("/", get(player_html))
+    let api = Router::new()
        .nest("/api", library);

    let requires_auth = state.oidc.is_some();

    let app = if requires_auth {
-        authed
-            .route_layer(middleware::from_fn_with_state(state.clone(), auth::require_auth))
+        api.route_layer(middleware::from_fn_with_state(state.clone(), auth::require_auth))
    } else {
-        authed
+        api
    };

    let cors = CorsLayer::new()
        .allow_origin(Any)
-        .allow_methods([Method::GET, Method::OPTIONS, Method::HEAD])
-        .allow_headers([header::ACCEPT, header::CONTENT_TYPE, header::HeaderName::from_static("x-api-key")])
+        .allow_methods([Method::GET, Method::POST, Method::OPTIONS, Method::HEAD])
+        .allow_headers([header::ACCEPT, header::CONTENT_TYPE, header::AUTHORIZATION])
        .max_age(Duration::from_secs(600));

    Router::new()
-        .route("/login", get(auth::login_page))
-        .route("/logout", get(auth::logout))
        .route("/auth/login", get(auth::oidc_login))
        .route("/auth/callback", get(auth::oidc_callback))
        .merge(app)
        .layer(cors)
        .with_state(state)
 }
-
-async fn player_html() -> axum::response::Html<String> {
-    let html = include_str!("player.html")
-        .replace("<!-- VERSION_PLACEHOLDER -->", option_env!("FURUMI_VERSION").unwrap_or(env!("CARGO_PKG_VERSION")));
-    axum::response::Html(html)
-}
Author	SHA1	Message	Date
Boris Cherepanov	bafa3e0ec0	feat: update auth Publish Metadata Agent Image / build-and-push-image (push) Successful in 1m5s Details Publish Node Player Image / build-and-push-image (push) Failing after 17s Details Publish Web Player Image / build-and-push-image (push) Successful in 1m19s Details	2026-04-19 21:50:38 +03:00
Boris Cherepanov	df8d8f0d73	Merge branch 'DEV' into feature/node-app Publish Metadata Agent Image / build-and-push-image (push) Successful in 1m5s Details Publish Node Player Image / build-and-push-image (push) Failing after 26s Details Publish Web Player Image / build-and-push-image (push) Successful in 1m43s Details	2026-04-19 21:11:31 +03:00
Boris Cherepanov	74d7b10386	feat: remove useless host Publish Metadata Agent Image / build-and-push-image (push) Successful in 2m41s Details Publish Web Player Image / build-and-push-image (push) Successful in 1m7s Details	2026-04-19 21:01:30 +03:00
ab	9467737a7c	Merge pull request 'fix(node-player): remove unused API_ROOT import from NowPlaying' (#13 ) from feature/USERS into DEV Publish Node Player Image (dev) / build-and-push-image (push) Successful in 2m12s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m49s Details Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 1m24s Details Reviewed-on: #13	2026-04-08 16:55:19 +00:00
Ultradesu	2edc293ee0	fix(node-player): remove unused API_ROOT import from NowPlaying Publish Web Player Image / build-and-push-image (push) Has been cancelled Details Publish Node Player Image / build-and-push-image (push) Has been cancelled Details Publish Metadata Agent Image / build-and-push-image (push) Has been cancelled Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:54:53 +01:00
ab	5c7f940b7e	Merge pull request 'feature/USERS' (#12 ) from feature/USERS into DEV Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 44s Details Publish Node Player Image (dev) / build-and-push-image (push) Failing after 27s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m25s Details Reviewed-on: #12	2026-04-08 16:51:24 +00:00
Ultradesu	4a39d44211	fix(node-player): use AuthImg component for cover art with Bearer auth Publish Web Player Image / build-and-push-image (push) Has been cancelled Details Publish Node Player Image / build-and-push-image (push) Has been cancelled Details Publish Metadata Agent Image / build-and-push-image (push) Has been cancelled Details SW doesn't reliably intercept <img> requests (no-cors mode). Use a thin AuthImg component that loads images via axios (which has the Bearer token) and displays them as blob URLs. Audio streaming still works via SW. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:50:19 +01:00
Ultradesu	d3aba1152c	fix(node-player): use blob for audio stream, keep SW for cover art <audio> elements with Sec-Fetch-Mode: no-cors are unreliable with Service Workers across browsers. Revert stream to blob download via axios (Bearer token works). SW remains for cover art in <img> tags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:45:54 +01:00
Ultradesu	c11b71a0ef	fix(node-player): use IndexedDB for SW token instead of postMessage postMessage is unreliable on first load — SW may not be active yet. IndexedDB is shared between page and SW, so the token is always available regardless of SW lifecycle timing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:43:33 +01:00
Ultradesu	ea2fc53faf	fix(node-player): proxy /api through vite dev server for same-origin SW Service Worker only intercepts same-origin requests. In dev mode, API calls went directly to localhost:8085 (cross-origin), bypassing the SW. Now vite proxies /api to Rust API, keeping everything same-origin so the SW can inject Bearer tokens for audio/image requests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:40:47 +01:00
Ultradesu	d6dd046fad	feat(node-player): use Service Worker for auth, enable streaming playback Add a Service Worker that intercepts /api/* requests and injects the Bearer token. This allows <audio> and <img> elements to use direct URLs instead of downloading entire files as blobs first. - Audio now streams progressively (no full download before playback) - Cover art loads via regular <img src> (SW adds auth header) - Remove blob-based preloadStream, fetchCoverBlob, useCoverUrl hook - Register SW in main.tsx, token synced via postMessage Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:30:17 +01:00
ab	3fa79423bd	Merge pull request 'feature/USERS' (#11 ) from feature/USERS into DEV Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 1m28s Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 37s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m53s Details Reviewed-on: #11	2026-04-08 16:23:15 +00:00
Ultradesu	6b1aa6b5d5	feat: add recent plays history modal Publish Metadata Agent Image / build-and-push-image (push) Successful in 1m23s Details Publish Node Player Image / build-and-push-image (push) Successful in 37s Details Publish Web Player Image / build-and-push-image (push) Successful in 1m49s Details - GET /api/me/recent endpoint returning last 50 play events with track and artist info - RecentPlays modal component with time-ago display - "Recent plays" button in user dropdown menu - Clicking a track in history starts playback Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 17:08:54 +01:00
Ultradesu	4fdd56dae4	feat: add user support with play event tracking Backend (Rust API): - Add users and play_events tables (migration 0005) - Extract full user identity from JWT (sub, username, email, name) and pass AuthUser via request extensions to all handlers - Auto-upsert user in background on every authenticated request - POST /api/tracks/:slug/play endpoint to record play events - Allow POST method in CORS Frontend (Node player): - Call recordPlay() when a track starts playing - Add user profile avatar with dropdown menu (name, email, sign out) - Pass user info from App through FurumiPlayer to Header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 16:51:53 +01:00
Ultradesu	5bc2b55ffd	feat(node-player): remove run-without-auth option from login page Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 1m28s Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 38s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m56s Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 16:32:19 +01:00
Ultradesu	ed918b9373	feat(node-player): redesign auth page with loading state Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 1m31s Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 43s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 2m22s Details - Show spinner while checking session (no login form flash on refresh) - Translate UI to English - Match player's dark theme (colors, fonts, card style) - Render login form only when authentication is actually needed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 16:27:22 +01:00
Ultradesu	1ea5f66ea3	fix(node-player): add offline_access scope and server-side token refresh Publish Metadata Agent Image (dev) / build-and-push-image (push) Has been cancelled Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 36s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m50s Details - Add offline_access to OIDC scope so Authentik issues a refresh token - /auth/token now checks if access token is expired and refreshes it server-side before returning to the client Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 16:01:16 +01:00
Ultradesu	7bc7de44cf	fix(node-player): restore useEffect import in QueueList Publish Metadata Agent Image (dev) / build-and-push-image (push) Has been cancelled Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 38s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m48s Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 15:44:28 +01:00
Ultradesu	befba57374	fix(node-player): auto-refresh expired JWT tokens on 401 Publish Metadata Agent Image (dev) / build-and-push-image (push) Has been cancelled Details Publish Node Player Image (dev) / build-and-push-image (push) Failing after 28s Details Publish Web Player Image (dev) / build-and-push-image (push) Has been cancelled Details Adds an axios response interceptor that catches 401 errors, fetches a fresh access token from /auth/token, and retries the original request. Concurrent refresh attempts are deduplicated. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 15:41:47 +01:00
Ultradesu	a9a8ee81b8	fix(node-player): load cover art via axios with Bearer token Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 1m22s Details Publish Node Player Image (dev) / build-and-push-image (push) Failing after 29s Details Publish Web Player Image (dev) / build-and-push-image (push) Has been cancelled Details Cover images were loaded via <img src> which doesn't include the Authorization header, resulting in 401 from the Rust API. Now covers are fetched through axios as blobs and displayed via object URLs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 15:39:52 +01:00
ab	1df10fb0b7	Merge pull request 'fix(node-player): use Express 5 catch-all route syntax' (#10 ) from feature/JWT-OIDC-SSO into DEV Publish Metadata Agent Image (dev) / build-and-push-image (push) Has been cancelled Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 37s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m48s Details Reviewed-on: #10	2026-04-08 14:21:54 +00:00
Ultradesu	b1f75b3ee2	fix(node-player): use Express 5 catch-all route syntax Publish Metadata Agent Image / build-and-push-image (push) Has been cancelled Details Publish Web Player Image / build-and-push-image (push) Has been cancelled Details Publish Node Player Image / build-and-push-image (push) Has been cancelled Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 15:20:02 +01:00
ab	5a5c9967e1	Merge pull request 'fix(node-player): use expires_in instead of expires_at on AccessToken type' (#9 ) from feature/JWT-OIDC-SSO into DEV Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 3m38s Details Publish Node Player Image (dev) / build-and-push-image (push) Successful in 36s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m50s Details Reviewed-on: #9	2026-04-08 14:11:17 +00:00
Ultradesu	f3392eff9f	fix(node-player): use expires_in instead of expires_at on AccessToken type Publish Web Player Image / build-and-push-image (push) Waiting to run Details Publish Metadata Agent Image / build-and-push-image (push) Successful in 4m18s Details Publish Node Player Image / build-and-push-image (push) Successful in 1m20s Details Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 15:01:30 +01:00
ab	e920059125	Merge pull request 'feature/JWT-OIDC-SSO' (#8 ) from feature/JWT-OIDC-SSO into DEV Publish Web Player Image (dev) / build-and-push-image (push) Has been cancelled Details Publish Node Player Image (dev) / build-and-push-image (push) Has been cancelled Details Publish Metadata Agent Image (dev) / build-and-push-image (push) Has been cancelled Details Reviewed-on: #8	2026-04-08 13:53:36 +00:00
Ultradesu	e99cacae8b	feat(auth): replace cookie/api-key auth with JWT Bearer tokens, separate UI from API Publish Metadata Agent Image / build-and-push-image (push) Successful in 6m3s Details Publish Node Player Image / build-and-push-image (push) Failing after 58s Details Publish Web Player Image / build-and-push-image (push) Has been cancelled Details - Add JWT Bearer token validation to Rust API via OIDC provider JWKS with automatic key rotation and 1-hour cache - Remove x-api-key auth support and built-in web UI from furumi-web-player, leaving it as a pure API server - Add /auth/token endpoint to Node player server to expose OIDC access tokens to the frontend - Move Node player auth endpoints from /api/* to /auth/* to avoid path conflicts with Rust API - Add static file serving to Node Express server for production single-container deployment - Fix SameSite=Strict cookie issue breaking OIDC redirect flow (use Lax) - Add Dockerfile.node-player with multi-stage Node.js build - Add CI workflows for node-player Docker image (dev + release) - Optimize Rust Dockerfiles with dependency caching layer - Update docker-compose with OIDC env vars and OLLAMA_MODEL support - Cherry-pick agent LLM client fixes from DEV branch Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 14:51:52 +01:00
ab	48c473de56	fix(agent): increase max_tokens for merge requests to avoid truncated responses Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 3m43s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 4m20s Details normalize: 512 tokens (sufficient for single track metadata) merge: 4096 tokens (needed for artists with many albums) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>	2026-04-07 22:52:23 +01:00
ab	1e75644abb	feat(agent): switch LLM client from Ollama to OpenAI-compatible API (LM Studio support) Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 4m7s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 3m57s Details - Replace /api/chat with /v1/chat/completions endpoint - Use json_schema response_format (LM Studio does not support json_object) - Make schema parameter optional in call_ollama to support different schemas per use case - Add dedicated normalize schema (normalized_metadata) with release_kind field instead of release_type to avoid model repetition loops - Add dedicated merge schema (artist_merge) so model no longer confuses normalize and merge response structures - Add retry with frequency_penalty=1.5 on parse failure to suppress repetition - Add id3 crate as fallback metadata reader for MP3 files with large embedded cover art that exceed Symphonia probe limit of 1MB Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>	2026-04-07 22:34:39 +01:00
ab	2d7ac3d8ce	Fixed openai api endpoint Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 4m0s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 4m23s Details	2026-04-07 19:52:03 +01:00
ab	70a947a8c1	Fixed openai api endpoint Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 3m38s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 3m49s Details	2026-04-07 19:32:17 +01:00
Boris Cherepanov	94d14e8fc8	feat: update styles Publish Metadata Agent Image / build-and-push-image (push) Successful in 5m22s Details Publish Web Player Image / build-and-push-image (push) Successful in 4m15s Details	2026-04-04 19:34:20 +03:00
Boris Cherepanov	0b6f518b72	feat: refactoring Publish Metadata Agent Image / build-and-push-image (push) Successful in 4m2s Details Publish Web Player Image / build-and-push-image (push) Successful in 4m47s Details	2026-04-04 19:17:33 +03:00
Boris Cherepanov	3199c12af5	feat: added alternative queue display Publish Metadata Agent Image / build-and-push-image (push) Successful in 3m58s Details Publish Web Player Image / build-and-push-image (push) Successful in 4m16s Details	2026-04-04 18:49:29 +03:00
Boris Cherepanov	daaa3b0814	feat: update styles	2026-04-04 18:33:45 +03:00
XakPlant	aea4aef4b2	Merge pull request 'feature/node-app' (#7 ) from feature/node-app into DEV Publish Metadata Agent Image (dev) / build-and-push-image (push) Successful in 1m8s Details Publish Web Player Image (dev) / build-and-push-image (push) Successful in 1m7s Details Reviewed-on: #7	2026-03-23 14:00:08 +00:00