Simplify nested conditional in server-start.sh

Co-authored-by: danielalves96 <62755605+danielalves96@users.noreply.github.com>

Dockerfile

@@ -73,9 +73,9 @@ ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 ENV API_BASE_URL=http://127.0.0.1:3333
 
-# Define build arguments for user/group configuration (defaults to current values)
-ARG PALMR_UID=1001
-ARG PALMR_GID=1001
+# Define build arguments for user/group configuration (defaults to standard Linux values)
+ARG PALMR_UID=1000
+ARG PALMR_GID=1000
 
 # Create application user with configurable UID/GID
 RUN addgroup --system --gid ${PALMR_GID} nodejs

apps/docs/content/docs/3.2-beta/quick-start.mdx

@@ -67,7 +67,7 @@ Choose your storage method based on your needs:
           # - ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
           # - PALMR_UID=1000 # UID for the container processes (default is 1000)
           # - PALMR_GID=1000 # GID for the container processes (default is 1000)
-          # - SECURE_SITE=false # Set to true for HTTPS/reverse proxy (enables cross-origin cookies for Safari)
+          # - SECURE_SITE=false # Set to true if you are using a reverse proxy
           # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
           # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (optional, defaults to 3600 seconds / 1 hour)
           # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum simultaneous downloads (auto-scales if not set)
@@ -122,7 +122,7 @@ Choose your storage method based on your needs:
           # - ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
           # - PALMR_UID=1000 # UID for the container processes (default is 1000)
           # - PALMR_GID=1000 # GID for the container processes (default is 1000)
-          # - SECURE_SITE=false # Set to true for HTTPS/reverse proxy (enables cross-origin cookies for Safari)
+          # - SECURE_SITE=false # Set to true if you are using a reverse proxy
           # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
           # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (optional, defaults to 3600 seconds / 1 hour)
           # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum simultaneous downloads (auto-scales if not set)
@@ -168,7 +168,7 @@ Customize Palmr's behavior with these environment variables:
 | `DISABLE_FILESYSTEM_ENCRYPTION`    | `true`         | Disable file encryption for better performance (set to `false` to enable encryption)                                                  |
 | `PRESIGNED_URL_EXPIRATION`         | `3600`         | Duration in seconds for presigned URL expiration (applies to both filesystem and S3 storage)                                          |
 | `CUSTOM_PATH`                      | -              | Custom base path for disk space detection in manual installations with symlinks                                                       |
-| `SECURE_SITE`                      | `false`        | Enable secure cookies for HTTPS/reverse proxy deployments. Required for Safari cross-site tracking compatibility when frontend and backend are on different domains |
+| `SECURE_SITE`                      | `false`        | Enable secure cookies for HTTPS/reverse proxy deployments                                                                             |
 | `DEFAULT_LANGUAGE`                 | `en-US`        | Default application language ([see available languages](/docs/3.2-beta/available-languages))                                          |
 | `PALMR_UID`                        | `1000`         | User ID for container processes (helps with file permissions)                                                                         |
 | `PALMR_GID`                        | `1000`         | Group ID for container processes (helps with file permissions)                                                                        |
@@ -238,7 +238,7 @@ Prefer Docker commands over Compose? Here are the equivalent commands:
       # -e ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
       # -e PALMR_UID=1000 # UID for the container processes (default is 1000)
       # -e PALMR_GID=1000 # GID for the container processes (default is 1000)
-      # -e SECURE_SITE=false # Set to true for HTTPS/reverse proxy (enables cross-origin cookies for Safari)
+      # -e SECURE_SITE=false # Set to true if you are using a reverse proxy
       # -e DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
       -p 5487:5487 \
       -p 3333:3333 \
@@ -265,7 +265,7 @@ Prefer Docker commands over Compose? Here are the equivalent commands:
       # -e ENCRYPTION_KEY=your-secure-key-min-32-chars # Required only if encryption is enabled
       # -e PALMR_UID=1000 # UID for the container processes (default is 1000)
       # -e PALMR_GID=1000 # GID for the container processes (default is 1000)
-      # -e SECURE_SITE=false # Set to true for HTTPS/reverse proxy (enables cross-origin cookies for Safari)
+      # -e SECURE_SITE=false # Set to true if you are using a reverse proxy
       # -e DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US)
       -p 5487:5487 \
       -p 3333:3333 \

apps/docs/content/docs/3.2-beta/reverse-proxy-configuration.mdx

@@ -17,10 +17,8 @@ The `SECURE_SITE` variable configures how Palmr. handles authentication cookies
 
 | Value   | Cookie Settings                       | Use Case                            |
 | ------- | ------------------------------------- | ----------------------------------- |
-| `true`  | `secure: true`, `sameSite: "none"`    | HTTPS/Production with reverse proxy |
-| `false` | `secure: false`, `sameSite: "lax"`    | HTTP/Development (default)          |
-
-> **🔒 Safari Cross-Site Tracking**: When `SECURE_SITE=true`, cookies use `sameSite: "none"` to support Safari's Cross-Site Tracking prevention when the frontend and backend are on different domains/subdomains.
+| `true`  | `secure: true`, `sameSite: "lax"`     | HTTPS/Production with reverse proxy |
+| `false` | `secure: false`, `sameSite: "strict"` | HTTP/Development (default)          |
 
 ### When to Use SECURE_SITE=true
 

apps/docs/content/docs/3.2-beta/troubleshooting.mdx

@@ -194,45 +194,6 @@ docker exec palmr stat /app/server/uploads/your-file.txt
 
 See our [OIDC Configuration Guide](/docs/3.0-beta/oidc-authentication) for detailed setup.
 
-### Safari: Images Don't Render and Downloads Are Corrupted
-
-**Symptoms:**
-- Images show as broken/loading icon in Safari
-- Downloaded files are corrupted
-- Works fine on localhost but fails on production domain
-- Only affects Safari with "Cross-Site Tracking Prevention" enabled
-
-**Cause:**
-Safari blocks cookies when the frontend and backend are on different domains/subdomains due to Cross-Site Tracking prevention.
-
-**Solution:**
-
-1. **Enable secure cookies in your server `.env`:**
-
-   ```bash
-   SECURE_SITE=true
-   ```
-
-2. **Ensure HTTPS is enabled:**
-   
-   The `sameSite: none` cookie attribute requires HTTPS. Make sure your reverse proxy (nginx, Traefik, etc.) is configured with SSL/TLS.
-
-3. **Restart the server:**
-
-   ```bash
-   docker-compose down && docker-compose up -d
-   ```
-
-**Verification:**
-
-- Check browser dev tools → Application → Cookies
-- Look for the `token` cookie with:
-  - ✅ `Secure` flag enabled
-  - ✅ `SameSite=None`
-  - ✅ `HttpOnly` flag enabled
-
-> **💡 Note**: This requires HTTPS. If using HTTP in development, keep `SECURE_SITE=false`.
-
 ---
 
 ## 🌐 Network Issues

apps/docs/content/docs/3.2-beta/uid-gid-configuration.mdx

@@ -9,7 +9,13 @@ Configure user and group permissions for seamless bind mount compatibility acros
 
 Palmr. supports runtime UID/GID configuration to resolve permission conflicts when using bind mounts. This eliminates the need for manual permission management on your host system.
 
-**⚠️ Important**: Palmr uses **UID 1000, GID 1000** by default, which matches the standard Linux convention. However, some systems may use different UID/GID values, which can cause permission issues with bind mounts.
+**✅ Good News**: Palmr uses **UID 1000, GID 1000** by default, which matches the standard Linux convention for the first user. For most systems, you won't need to configure these values.
+
+**⚠️ When to Configure**: Only set PALMR_UID/PALMR_GID if:
+- You're using bind mounts AND your host system uses different UID/GID values (e.g., NAS systems)
+- You're experiencing permission errors with bind mounts
+
+**Note**: Setting these values triggers ownership updates on startup, which can take 1-2 minutes. If left at defaults, startup is fast (~5 seconds).
 
 ## The Permission Problem
 
@@ -35,9 +41,19 @@ drwxr-xr-x 2 user user 4096 Jan 15 10:00 uploads/
 
 ## Quick Fix
 
-### Option 1: Set Palmr to Use Standard UID/GID (Recommended)
+### For Most Users: No Configuration Needed
 
-Add these environment variables to your `docker-compose.yaml`:
+If your host system uses the standard Linux UID:GID of 1000:1000 (which is the case for most desktop Linux systems), you don't need to set PALMR_UID or PALMR_GID at all. Just use the default docker-compose.yaml as-is.
+
+To check if you need configuration:
+```bash
+id
+# If output shows uid=1000 and gid=1000, you don't need to configure anything
+```
+
+### Option 1: Set Palmr to Match Your Host UID/GID (For Non-Standard Systems)
+
+If your system uses different values (common on NAS devices), add these environment variables to your `docker-compose.yaml`:
 
 ```yaml
 services:
@@ -55,14 +71,14 @@ services:
     restart: unless-stopped
 ```
 
-### Option 2: Change Host Directory Permissions
+### Option 2: Change Host Directory Permissions (Alternative)
 
-If you prefer to keep Palmr's defaults:
+If you prefer not to set environment variables and your host uses different UID/GID:
 
 ```bash
-# Create directories with correct ownership
+# Create directories with Palmr's default ownership (1000:1000)
 mkdir -p uploads temp-uploads
-chown -R 1001:1001 uploads temp-uploads
+sudo chown -R 1000:1000 uploads temp-uploads
 ```
 
 ## Environment Variables
@@ -71,8 +87,8 @@ Configure permissions using these optional environment variables:
 
 | Variable    | Description                      | Default | Example |
 | ----------- | -------------------------------- | ------- | ------- |
-| `PALMR_UID` | User ID for container processes  | `1001`  | `1000`  |
-| `PALMR_GID` | Group ID for container processes | `1001`  | `1000`  |
+| `PALMR_UID` | User ID for container processes  | `1000`  | `1000`  |
+| `PALMR_GID` | Group ID for container processes | `1000`  | `1000`  |
 
 ---
 
@@ -230,17 +246,19 @@ sudo chown -R $(id -u):$(id -g) uploads temp-uploads
 
 UID/GID configuration is **required** when:
 
-- ✅ Using bind mounts (most common case)
-- ✅ Encountering "permission denied" errors
-- ✅ Deploying on NAS systems (Synology, QNAP, etc.)
-- ✅ Host system uses different default UID/GID values
-- ✅ Running multiple containers that need to share files
+- ✅ Using bind mounts AND your host system uses non-standard UID/GID (not 1000:1000)
+- ✅ Encountering "permission denied" errors with bind mounts
+- ✅ Deploying on NAS systems (Synology, QNAP, etc.) with non-standard user IDs
+- ✅ Running multiple containers that need to share files with specific ownership
 
-UID/GID configuration is **optional** when:
+UID/GID configuration is **NOT needed** when:
 
-- ❌ Using Docker named volumes (Docker manages permissions)
-- ❌ Not using bind mounts
-- ❌ No permission errors occurring
+- ❌ Using Docker named volumes (Docker manages permissions automatically)
+- ❌ Your host system uses the standard UID:GID 1000:1000 (most Linux desktop systems)
+- ❌ Not using bind mounts at all
+- ❌ No permission errors are occurring
+
+**Performance Note**: Configuring custom UID/GID values triggers a recursive ownership update on container startup, which can take 1-2 minutes depending on data volume. If you use the defaults (1000:1000), startup is much faster (~5 seconds).
 
 ---
 

apps/server/.env.example

@@ -4,9 +4,6 @@ DISABLE_FILESYSTEM_ENCRYPTION=true
 # ENCRYPTION_KEY=change-this-key-in-production-min-32-chars # Required only if encryption is enabled (DISABLE_FILESYSTEM_ENCRYPTION=false)
 DATABASE_URL="file:./palmr.db"
 
-# SECURITY SETTINGS
-# SECURE_SITE=true # Set to true when using HTTPS in production. This enables secure cookies with SameSite=none, allowing cross-origin requests (required when frontend and backend are on different domains/subdomains)
-
 # FOR USE WITH S3 COMPATIBLE STORAGE
 # ENABLE_S3=true 
 # S3_ENDPOINT=

apps/server/src/modules/auth-providers/controller.ts

@@ -124,7 +124,7 @@ export class AuthProvidersController {
     reply.setCookie("token", token, {
       httpOnly: true,
       secure: isSecure,
-      sameSite: isSecure ? "none" : "lax",
+      sameSite: "lax",
       maxAge: COOKIE_MAX_AGE,
       path: "/",
     });

apps/server/src/modules/auth/controller.ts

@@ -44,7 +44,7 @@ export class AuthController {
         httpOnly: true,
         path: "/",
         secure: env.SECURE_SITE === "true" ? true : false,
-        sameSite: env.SECURE_SITE === "true" ? "none" : "lax",
+        sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
       });
 
       return reply.send({ user });
@@ -74,7 +74,7 @@ export class AuthController {
         httpOnly: true,
         path: "/",
         secure: env.SECURE_SITE === "true" ? true : false,
-        sameSite: env.SECURE_SITE === "true" ? "none" : "lax",
+        sameSite: env.SECURE_SITE === "true" ? "lax" : "strict",
       });
 
       return reply.send({ user });

docker-compose-bind-mount-example.yaml

@@ -12,7 +12,7 @@ services:
       # - PALMR_GID=1000 # GID for the container processes (OPTIONAL - default is 1000) | See our UID/GID Documentation for more information
       # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US) | See the docs for see all supported languages
       # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (OPTIONAL - default is 3600 seconds / 1 hour)
-      # - SECURE_SITE=true # Set to true for HTTPS/reverse proxy deployments. Enables cross-origin cookies for Safari compatibility (OPTIONAL - default is false)
+      # - SECURE_SITE=true # Set to true if you are using a reverse proxy (OPTIONAL - default is false)
 
       # Download Memory Management Configuration (OPTIONAL - See documentation for details)
       # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum number of simultaneous downloads (OPTIONAL - auto-scales based on system memory if not set)

docker-compose-minio.yaml

@@ -17,7 +17,7 @@ services:
       # - PALMR_GID=1000 # GID for the container processes (OPTIONAL - default is 1000) | See our UID/GID Documentation for more information
       # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US) | See the docs for see all supported languages
       # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (OPTIONAL - default is 3600 seconds / 1 hour)
-      # - SECURE_SITE=true # Set to true for HTTPS/reverse proxy deployments. Enables cross-origin cookies for Safari compatibility (OPTIONAL - default is false)
+      # - SECURE_SITE=true # Set to true if you are using a reverse proxy (OPTIONAL - default is false)
 
       # Download Memory Management Configuration (OPTIONAL - See documentation for details)
       # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum number of simultaneous downloads (OPTIONAL - auto-scales based on system memory if not set)

docker-compose-s3.yaml

@@ -17,7 +17,7 @@ services:
       # - PALMR_GID=1000 # GID for the container processes (OPTIONAL - default is 1000) | See our UID/GID Documentation for more information
       # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US) | See the docs for see all supported languages
       # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (OPTIONAL - default is 3600 seconds / 1 hour)
-      # - SECURE_SITE=true # Set to true for HTTPS/reverse proxy deployments. Enables cross-origin cookies for Safari compatibility (OPTIONAL - default is false)
+      # - SECURE_SITE=true # Set to true if you are using a reverse proxy (OPTIONAL - default is false)
 
       # Download Memory Management Configuration (OPTIONAL - See documentation for details)
       # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum number of simultaneous downloads (OPTIONAL - auto-scales based on system memory if not set)

docker-compose.yaml

@@ -12,7 +12,7 @@ services:
       # - PALMR_GID=1000 # GID for the container processes (OPTIONAL - default is 1000) | See our UID/GID Documentation for more information
       # - DEFAULT_LANGUAGE=en-US # Default language for the application (optional, defaults to en-US) | See the docs to see all supported languages
       # - PRESIGNED_URL_EXPIRATION=3600 # Duration in seconds for presigned URL expiration (OPTIONAL - default is 3600 seconds / 1 hour)
-      # - SECURE_SITE=true # Set to true for HTTPS/reverse proxy deployments. Enables cross-origin cookies for Safari compatibility (OPTIONAL - default is false)
+      # - SECURE_SITE=true # Set to true if you are using a reverse proxy (OPTIONAL - default is false)
 
       # Download Memory Management Configuration (OPTIONAL - See documentation for details)
       # - DOWNLOAD_MAX_CONCURRENT=5 # Maximum number of simultaneous downloads (OPTIONAL - auto-scales based on system memory if not set)

infra/server-start.sh

@@ -6,10 +6,13 @@ echo "🌴 Starting Palmr Server..."
 TARGET_UID=${PALMR_UID:-1000}
 TARGET_GID=${PALMR_GID:-1000}
 
-if [ -n "$PALMR_UID" ] || [ -n "$PALMR_GID" ]; then
-    echo "🔧 Runtime UID/GID: $TARGET_UID:$TARGET_GID"
-    
-    echo "🔐 Updating file ownership..."
+echo "🔧 Runtime UID/GID: $TARGET_UID:$TARGET_GID"
+
+# Check if we need to update ownership
+# Only run chown if explicitly configured via environment variables
+# This prevents unnecessary slowdowns on default configurations
+if ([ -n "$PALMR_UID" ] || [ -n "$PALMR_GID" ]) && [ "$(id -u)" = "0" ]; then
+    echo "🔐 Updating file ownership to match runtime configuration..."
     chown -R $TARGET_UID:$TARGET_GID /app/palmr-app 2>/dev/null || echo "⚠️ Some ownership changes may have failed"
     chown -R $TARGET_UID:$TARGET_GID /home/palmr 2>/dev/null || echo "⚠️ Some home directory ownership changes may have failed"