Creating Users
Via Web UI
- Navigate to Settings > Users
- Click Add User
- Fill in user details:
- Username - Unique identifier (required)
- Password - Minimum 8 characters (required)
- Email - For notifications and password recovery
- Display Name - Full name or alias
- Click Create User
Via API
Password Requirements
Dockhand enforces these password requirements:- Minimum Length: 8 characters
- Recommended: 12+ characters with mixed case, numbers, and symbols
- Hashing Algorithm: Argon2id with these parameters:
- Memory cost: 64 MB (65536 KiB)
- Time cost: 3 iterations
- Parallelism: 1 thread
- Hash length: 32 bytes (256 bits)
Password Storage Format
Passwords are stored in PHC format:User Management
List Users
Update User
Change Password
Users can change their own password:Disable User
Disable a user account (preserves data):Delete User
Permanently delete a user account:Login Flow
Basic Login
Login with 2FA
If the user has 2FA enabled, the initial login returns:Rate Limiting
Dockhand protects against brute force attacks with rate limiting:- Threshold: 5 failed attempts per IP + username combination
- Window: 15 minutes
- Lockout: 15 minutes after threshold reached
- Response: HTTP 429 with
Retry-Afterheader
Rate Limit Response
Session Management
Session Token
After successful login, Dockhand sets a session cookie:- Name:
dockhand_session - Token Format: 32-byte random value, base64url encoded (256 bits entropy)
- HttpOnly: Prevents JavaScript access (XSS protection)
- Secure: Only sent over HTTPS (production)
- SameSite=Strict: Prevents CSRF attacks
- Max-Age: Configurable (default 24 hours)
Check Session
Logout
Security Considerations
Timing Attack Protection
Dockhand prevents username enumeration via timing attacks:Password Hash Migration
If you change the Argon2 parameters, existing hashes remain valid. Users are not required to reset passwords.Session Token Security
Session tokens are:- Generated using
crypto.randomBytes()(CSPRNG) - 32 bytes = 256 bits of entropy
- Base64url encoded for cookie safety
- Stored as plain text in database (lookup key)
- Not encrypted (entropy makes guessing infeasible)
First User Setup
When authentication is enabled but no admin exists, Dockhand allows creating the first user without authentication:- Receives the Admin role
- Can create additional users
- Is logged in automatically (if
authEnabled: true)
hooks.server.ts:270:
Disabling Local Login
For SSO-only deployments, disable local username/password authentication:- Removes “Local” from the login provider list
- Rejects POST requests to
/api/auth/loginwithprovider: local - Forces all users to authenticate via OIDC or LDAP
- Prevents password-based attacks
Database Schema
Local users are stored in theusers table:
sessions table:
Source Code Reference
Key implementation files:src/lib/server/auth.ts- Core authentication logicsrc/routes/api/auth/login/+server.ts- Login endpointsrc/routes/api/users/+server.ts- User management CRUDsrc/hooks.server.ts- Session validation middlewaresrc/lib/server/authorize.ts- Permission checks
Next Steps
Two-Factor Auth
Add TOTP-based 2FA to user accounts
OIDC/SSO
Integrate with your Identity Provider
RBAC
Configure role-based access control (Enterprise)
LDAP
Connect to Active Directory (Enterprise)
