Skip to main content
Local users authenticate with a username and password stored in Dockhand’s database. This is the simplest authentication method and works without external dependencies.

Creating Users

Via Web UI

  1. Navigate to Settings > Users
  2. Click Add User
  3. Fill in user details:
    • Username - Unique identifier (required)
    • Password - Minimum 8 characters (required)
    • Email - For notifications and password recovery
    • Display Name - Full name or alias
  4. Click Create User

Via API

Password Requirements

Dockhand enforces these password requirements:
  • Minimum Length: 8 characters
  • Recommended: 12+ characters with mixed case, numbers, and symbols
  • Hashing Algorithm: Argon2id with these parameters:
    • Memory cost: 64 MB (65536 KiB)
    • Time cost: 3 iterations
    • Parallelism: 1 thread
    • Hash length: 32 bytes (256 bits)

Password Storage Format

Passwords are stored in PHC format:
This format is compatible with standard Argon2 implementations.

User Management

List Users

Update User

Change Password

Users can change their own password:
Admins can reset passwords without knowing the current one:

Disable User

Disable a user account (preserves data):
Disabled users cannot log in but their sessions remain active until they expire.

Delete User

Permanently delete a user account:
Deleting a user removes all their data including audit logs, preferences, and role assignments. This action cannot be undone.

Login Flow

Basic Login

Login with 2FA

If the user has 2FA enabled, the initial login returns:
Then submit the TOTP code:
See Two-Factor Authentication for details.

Rate Limiting

Dockhand protects against brute force attacks with rate limiting:
  • Threshold: 5 failed attempts per IP + username combination
  • Window: 15 minutes
  • Lockout: 15 minutes after threshold reached
  • Response: HTTP 429 with Retry-After header

Rate Limit Response

Rate limits are stored in-memory and reset on server restart.

Session Management

Session Token

After successful login, Dockhand sets a session cookie:
  • Name: dockhand_session
  • Token Format: 32-byte random value, base64url encoded (256 bits entropy)
  • HttpOnly: Prevents JavaScript access (XSS protection)
  • Secure: Only sent over HTTPS (production)
  • SameSite=Strict: Prevents CSRF attacks
  • Max-Age: Configurable (default 24 hours)

Check Session

Logout

This deletes the session from the database and clears the cookie.

Security Considerations

Timing Attack Protection

Dockhand prevents username enumeration via timing attacks:
This ensures authentication failures take the same time whether the username exists or not.

Password Hash Migration

If you change the Argon2 parameters, existing hashes remain valid. Users are not required to reset passwords.

Session Token Security

Session tokens are:
  • Generated using crypto.randomBytes() (CSPRNG)
  • 32 bytes = 256 bits of entropy
  • Base64url encoded for cookie safety
  • Stored as plain text in database (lookup key)
  • Not encrypted (entropy makes guessing infeasible)

First User Setup

When authentication is enabled but no admin exists, Dockhand allows creating the first user without authentication:
The first user automatically:
  • Receives the Admin role
  • Can create additional users
  • Is logged in automatically (if authEnabled: true)
This special case is implemented in hooks.server.ts:270:

Disabling Local Login

For SSO-only deployments, disable local username/password authentication:
This:
  • Removes “Local” from the login provider list
  • Rejects POST requests to /api/auth/login with provider: local
  • Forces all users to authenticate via OIDC or LDAP
  • Prevents password-based attacks
Keep at least one admin account with a known password as a backup before enabling this setting.

Database Schema

Local users are stored in the users table:
Sessions are stored in the sessions table:

Source Code Reference

Key implementation files:
  • src/lib/server/auth.ts - Core authentication logic
  • src/routes/api/auth/login/+server.ts - Login endpoint
  • src/routes/api/users/+server.ts - User management CRUD
  • src/hooks.server.ts - Session validation middleware
  • src/lib/server/authorize.ts - Permission checks

Next Steps

Two-Factor Auth

Add TOTP-based 2FA to user accounts

OIDC/SSO

Integrate with your Identity Provider

RBAC

Configure role-based access control (Enterprise)

LDAP

Connect to Active Directory (Enterprise)