Spaces:

SalexAI
/

funserver-2.0

Running

App Files Files Community

SalexAI commited on 30 days ago

Commit

2b76608

verified ·

1 Parent(s): 921564c

Update app.py

Browse files

Files changed (1) hide show

app.py +534 -138

app.py CHANGED Viewed

@@ -8,21 +8,9 @@ import logging
 import os
 import asyncio
 import secrets
 from datetime import datetime, timezone
-# ==================================================
-# CONFIG
-# ==================================================
-ADMIN_PIN = os.environ.get("ADMIN_PIN", "4286")  # CHANGE THIS
-ADMIN_COOKIE = "admin_session"
-ADMIN_SESSIONS = set()
-DATA_ROOT = os.environ.get("PERSISTENT_DIR", "/data")
-VIDEO_DIR = os.path.join(DATA_ROOT, "videos")
-INDEX_FILE = os.path.join(DATA_ROOT, "index.json")
-os.makedirs(VIDEO_DIR, exist_ok=True)
 # ==================================================
 # APP SETUP
 # ==================================================
@@ -37,9 +25,29 @@ app.add_middleware(
 )
 # ==================================================
-# ALBUM METADATA
 # ==================================================
-ALBUM_PUBLISHERS = {
     "B2c5n8hH4uWRoAW": "Alex Rose",
     "B2c5yeZFhHXzdFg": "Central Space Program",
     "B2cGI9HKKtaAF3T": "Sam Holden",
@@ -48,7 +56,7 @@ ALBUM_PUBLISHERS = {
     "B2c5ON9t3uz8kT7": "Cole Vandepoll",
 }
-ALBUM_CATEGORIES = {
     "B2c5n8hH4uWRoAW": "Fun",
     "B2c5yeZFhHXzdFg": "Rockets",
     "B2cGI9HKKtaAF3T": "Sam Content Library",
@@ -57,16 +65,100 @@ ALBUM_CATEGORIES = {
     "B2c5ON9t3uz8kT7": "Cole Content Creator",
 }
 # ==================================================
-# CLIENT
 # ==================================================
-async def get_client():
     if not hasattr(app.state, "client"):
-        app.state.client = httpx.AsyncClient(timeout=30)
     return app.state.client
 # ==================================================
-# BASE62
 # ==================================================
 BASE_62_MAP = {c: i for i, c in enumerate(
     "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
@@ -79,7 +171,7 @@ def base62_to_int(token: str) -> int:
     return n
 # ==================================================
-# ICLOUD HELPERS
 # ==================================================
 ICLOUD_HEADERS = {
     "Origin": "https://www.icloud.com",
@@ -88,7 +180,11 @@ ICLOUD_HEADERS = {
 ICLOUD_PAYLOAD = '{"streamCtag":null}'
 async def get_base_url(token: str) -> str:
-    n = base62_to_int(token[1:3])
     return f"https://p{n:02d}-sharedstreams.icloud.com/{token}/sharedstreams/"
 async def get_redirected_base_url(base_url: str, token: str) -> str:
@@ -99,42 +195,39 @@ async def get_redirected_base_url(base_url: str, token: str) -> str:
         data=ICLOUD_PAYLOAD,
         follow_redirects=False,
     )
     if r.status_code == 330:
-        host = r.json()["X-Apple-MMe-Host"]
         return f"https://{host}/{token}/sharedstreams/"
-    return base_url
-async def post_json(path: str, base_url: str, payload: str):
     client = await get_client()
-    r = await client.post(f"{base_url}{path}", headers=ICLOUD_HEADERS, data=payload)
     r.raise_for_status()
     return r.json()
-async def get_metadata(base_url: str):
     return (await post_json("webstream", base_url, ICLOUD_PAYLOAD)).get("photos", [])
-async def get_asset_urls(base_url: str, guids: list):
-    return (await post_json(
-        "webasseturls", base_url, json.dumps({"photoGuids": guids})
-    )).get("items", {})
-# ==================================================
-# INDEX HELPERS
-# ==================================================
-def load_index():
-    if not os.path.exists(INDEX_FILE):
-        return {"videos": []}
-    with open(INDEX_FILE, "r", encoding="utf-8") as f:
-        return json.load(f)
-def save_index(data):
-    with open(INDEX_FILE, "w", encoding="utf-8") as f:
-        json.dump(data, f, indent=2)
 # ==================================================
 # DOWNLOADER
 # ==================================================
-async def download_file(url, path):
     client = await get_client()
     async with client.stream("GET", url) as r:
         r.raise_for_status()
@@ -143,29 +236,40 @@ async def download_file(url, path):
                 f.write(chunk)
 # ==================================================
-# POLLING
 # ==================================================
-async def poll_album(token):
-    base = await get_redirected_base_url(await get_base_url(token), token)
-    metadata = await get_metadata(base)
     guids = [p["photoGuid"] for p in metadata]
-    assets = await get_asset_urls(base, guids)
-    index = load_index()
-    known = {v["id"] for v in index["videos"]}
     album_dir = os.path.join(VIDEO_DIR, token)
     os.makedirs(album_dir, exist_ok=True)
-    for p in metadata:
-        if p.get("mediaAssetType", "").lower() != "video":
             continue
-        vid = p["photoGuid"]
         if vid in known:
             continue
         best = max(
-            (d for k, d in p["derivatives"].items() if k.lower() != "posterframe"),
             key=lambda d: int(d.get("fileSize") or 0),
             default=None,
         )
@@ -176,141 +280,433 @@ async def poll_album(token):
         if not asset:
             continue
         video_path = os.path.join(album_dir, f"{vid}.mp4")
-        await download_file(
-            f"https://{asset['url_location']}{asset['url_path']}", video_path
-        )
-        thumb = ""
-        pf = p["derivatives"].get("PosterFrame")
         if pf:
-            a = assets.get(pf["checksum"])
-            if a:
-                thumb = os.path.join(album_dir, f"{vid}.jpg")
-                await download_file(
-                    f"https://{a['url_location']}{a['url_path']}", thumb
-                )
-        index["videos"].append({
             "id": vid,
-            "name": p.get("caption") or "Untitled",
             "video_url": f"/media/{token}/{vid}.mp4",
-            "thumbnail": f"/media/{token}/{vid}.jpg" if thumb else "",
-            "upload_date": p.get("creationDate") or datetime.now(timezone.utc).isoformat(),
-            "category": ALBUM_CATEGORIES.get(token, "Uncategorized"),
-            "publisher": ALBUM_PUBLISHERS.get(token, "Unknown"),
             "source_album": token,
         })
-    save_index(index)
 @app.on_event("startup")
 async def start_polling():
     async def loop():
         while True:
-            for token in ALBUM_PUBLISHERS:
                 try:
                     await poll_album(token)
                 except Exception:
-                    logging.exception("Polling failed")
             await asyncio.sleep(60)
     asyncio.create_task(loop())
 # ==================================================
 # FEED
 # ==================================================
 @app.get("/feed/videos")
-async def feed():
-    return load_index()
 # ==================================================
-# ADMIN AUTH
 # ==================================================
-def is_admin(req: Request):
-    return req.cookies.get(ADMIN_COOKIE) in ADMIN_SESSIONS
 # ==================================================
-# ADMIN LOGIN
 # ==================================================
 @app.get("/admin/login", response_class=HTMLResponse)
 async def admin_login_page():
     return """
-    <form method="post">
-        <h2>Admin Login</h2>
-        <input name="pin" type="password"/>
-        <button>Enter</button>
-    </form>
     """
 @app.post("/admin/login")
 async def admin_login(pin: str = Form(...)):
     if pin != ADMIN_PIN:
         return HTMLResponse("Wrong PIN", status_code=401)
     session = secrets.token_hex(16)
     ADMIN_SESSIONS.add(session)
-    r = RedirectResponse("/admin", 302)
-    r.set_cookie(ADMIN_COOKIE, session, httponly=True)
-    return r
 # ==================================================
-# ADMIN DASHBOARD
 # ==================================================
-@app.get("/admin", response_class=HTMLResponse)
-async def admin(req: Request):
-    if not is_admin(req):
-        return RedirectResponse("/admin/login", 302)
-    idx = load_index()
-    rows = ""
-    for v in idx["videos"]:
-        rows += f"""
-        <tr>
-            <td>{v['id']}</td>
-            <td><input data-id="{v['id']}" data-field="name" value="{v['name']}"></td>
-            <td><input data-id="{v['id']}" data-field="upload_date" value="{v['upload_date']}"></td>
-            <td><input data-id="{v['id']}" data-field="category" value="{v['category']}"></td>
-            <td><input data-id="{v['id']}" data-field="publisher" value="{v['publisher']}"></td>
-            <td><input data-id="{v['id']}" data-field="thumbnail" value="{v['thumbnail']}"></td>
-        </tr>
-        """
-    return f"""
-    <table border=1>
-        <tr><th>ID</th><th>Name</th><th>Date</th><th>Category</th><th>Publisher</th><th>Thumb</th></tr>
-        {rows}
-    </table>
     <script>
-    document.querySelectorAll("input").forEach(i=>{
-        i.onchange=()=>fetch("/admin/update",{
-            method:"POST",
-            headers:{{"Content-Type":"application/json"}},
-            body:JSON.stringify({{
-                id:i.dataset.id,
-                field:i.dataset.field,
-                value:i.value
-            }})
-        })
-    })
     </script>
-    """
 # ==================================================
-# ADMIN UPDATE
 # ==================================================
 @app.post("/admin/update")
 async def admin_update(req: Request, payload: dict):
     if not is_admin(req):
-        return JSONResponse({"error":"unauthorized"},403)
-    idx = load_index()
-    for v in idx["videos"]:
-        if v["id"] == payload["id"]:
-            v[payload["field"]] = payload["value"]
-            save_index(idx)
-            return {"ok":True}
-    return {"error":"not found"}
 # ==================================================
-# MEDIA
 # ==================================================
 app.mount("/media", StaticFiles(directory=VIDEO_DIR), name="media")

 import os
 import asyncio
 import secrets
+import html as html_escape_lib
 from datetime import datetime, timezone
 # ==================================================
 # APP SETUP
 # ==================================================
 )
 # ==================================================
+# STORAGE
 # ==================================================
+DATA_ROOT = os.environ.get("PERSISTENT_DIR", "/data")
+VIDEO_DIR = os.path.join(DATA_ROOT, "videos")
+INDEX_FILE = os.path.join(DATA_ROOT, "index.json")
+ADMIN_CONFIG_FILE = os.path.join(DATA_ROOT, "admin_config.json")
+os.makedirs(VIDEO_DIR, exist_ok=True)
+# ==================================================
+# ADMIN AUTH (PIN)
+# ==================================================
+ADMIN_PIN = os.environ.get("ADMIN_PIN", "4286")  # CHANGE THIS
+ADMIN_COOKIE = "admin_session"
+ADMIN_SESSIONS = set()
+def is_admin(req: Request) -> bool:
+    return req.cookies.get(ADMIN_COOKIE) in ADMIN_SESSIONS
+# ==================================================
+# DEFAULT ALBUM MAPS (used only if admin_config.json missing)
+# ==================================================
+DEFAULT_ALBUM_PUBLISHERS = {
     "B2c5n8hH4uWRoAW": "Alex Rose",
     "B2c5yeZFhHXzdFg": "Central Space Program",
     "B2cGI9HKKtaAF3T": "Sam Holden",
     "B2c5ON9t3uz8kT7": "Cole Vandepoll",
 }
+DEFAULT_ALBUM_CATEGORIES = {
     "B2c5n8hH4uWRoAW": "Fun",
     "B2c5yeZFhHXzdFg": "Rockets",
     "B2cGI9HKKtaAF3T": "Sam Content Library",
     "B2c5ON9t3uz8kT7": "Cole Content Creator",
 }
+# In-memory config (loaded at startup)
+ALBUM_PUBLISHERS = dict(DEFAULT_ALBUM_PUBLISHERS)
+ALBUM_CATEGORIES = dict(DEFAULT_ALBUM_CATEGORIES)
+# ==================================================
+# LOCKS (avoid index.json corruption)
+# ==================================================
+INDEX_LOCK = asyncio.Lock()
+CONFIG_LOCK = asyncio.Lock()
 # ==================================================
+# HTTP CLIENT
 # ==================================================
+async def get_client() -> httpx.AsyncClient:
     if not hasattr(app.state, "client"):
+        app.state.client = httpx.AsyncClient(timeout=20.0)
     return app.state.client
 # ==================================================
+# JSON FILE HELPERS (atomic)
+# ==================================================
+def _atomic_write_json(path: str, data: dict):
+    tmp = path + ".tmp"
+    with open(tmp, "w", encoding="utf-8") as f:
+        json.dump(data, f, indent=2)
+    os.replace(tmp, path)
+def load_index_sync() -> dict:
+    if not os.path.exists(INDEX_FILE):
+        return {"videos": []}
+    with open(INDEX_FILE, "r", encoding="utf-8") as f:
+        return json.load(f)
+def save_index_sync(data: dict):
+    _atomic_write_json(INDEX_FILE, data)
+def load_admin_config_sync() -> dict:
+    if not os.path.exists(ADMIN_CONFIG_FILE):
+        return {
+            "album_publishers": dict(DEFAULT_ALBUM_PUBLISHERS),
+            "album_categories": dict(DEFAULT_ALBUM_CATEGORIES),
+        }
+    with open(ADMIN_CONFIG_FILE, "r", encoding="utf-8") as f:
+        return json.load(f)
+def save_admin_config_sync(cfg: dict):
+    _atomic_write_json(ADMIN_CONFIG_FILE, cfg)
+async def load_admin_config():
+    async with CONFIG_LOCK:
+        return load_admin_config_sync()
+async def write_admin_config(cfg: dict):
+    async with CONFIG_LOCK:
+        save_admin_config_sync(cfg)
+async def refresh_album_maps_from_disk():
+    global ALBUM_PUBLISHERS, ALBUM_CATEGORIES
+    cfg = await load_admin_config()
+    ALBUM_PUBLISHERS = dict(cfg.get("album_publishers", {}))
+    ALBUM_CATEGORIES = dict(cfg.get("album_categories", {}))
+# ==================================================
+# BACKFILL CATEGORIES/PUBLISHERS (fix old cached entries)
+# ==================================================
+async def backfill_index_categories():
+    try:
+        async with INDEX_LOCK:
+            idx = load_index_sync()
+            changed = False
+            for v in idx.get("videos", []):
+                token = v.get("source_album", "")
+                correct_category = ALBUM_CATEGORIES.get(token, "Uncategorized")
+                correct_publisher = ALBUM_PUBLISHERS.get(token, "Unknown")
+                # Fix publisher if missing
+                if v.get("publisher") in (None, "", "Unknown") and correct_publisher != "Unknown":
+                    v["publisher"] = correct_publisher
+                    changed = True
+                # Fix category if missing or wrong
+                if v.get("category") in (None, "", v.get("publisher")) or v.get("category") != correct_category:
+                    v["category"] = correct_category
+                    changed = True
+            if changed:
+                save_index_sync(idx)
+                logging.info("Backfilled index.json categories/publishers")
+    except Exception:
+        logging.exception("Backfill failed (non-fatal)")
+# ==================================================
+# BASE62 HELPERS
 # ==================================================
 BASE_62_MAP = {c: i for i, c in enumerate(
     "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
     return n
 # ==================================================
+# iCLOUD HELPERS
 # ==================================================
 ICLOUD_HEADERS = {
     "Origin": "https://www.icloud.com",
 ICLOUD_PAYLOAD = '{"streamCtag":null}'
 async def get_base_url(token: str) -> str:
+    # Keep your original logic
+    if token and token[0] == "A":
+        n = base62_to_int(token[1])
+    else:
+        n = base62_to_int(token[1:3])
     return f"https://p{n:02d}-sharedstreams.icloud.com/{token}/sharedstreams/"
 async def get_redirected_base_url(base_url: str, token: str) -> str:
         data=ICLOUD_PAYLOAD,
         follow_redirects=False,
     )
     if r.status_code == 330:
+        host = r.json().get("X-Apple-MMe-Host")
+        if not host:
+            raise RuntimeError("Missing redirect host")
         return f"https://{host}/{token}/sharedstreams/"
+    if r.status_code == 200:
+        return base_url
+    r.raise_for_status()
+async def post_json(path: str, base_url: str, payload: str) -> dict:
     client = await get_client()
+    r = await client.post(
+        f"{base_url}{path}",
+        headers=ICLOUD_HEADERS,
+        data=payload,
+    )
     r.raise_for_status()
     return r.json()
+async def get_metadata(base_url: str) -> list:
     return (await post_json("webstream", base_url, ICLOUD_PAYLOAD)).get("photos", [])
+async def get_asset_urls(base_url: str, guids: list) -> dict:
+    payload = json.dumps({"photoGuids": guids})
+    return (await post_json("webasseturls", base_url, payload)).get("items", {})
 # ==================================================
 # DOWNLOADER
 # ==================================================
+async def download_file(url: str, path: str):
     client = await get_client()
     async with client.stream("GET", url) as r:
         r.raise_for_status()
                 f.write(chunk)
 # ==================================================
+# POLL + INGEST ALBUM
 # ==================================================
+async def poll_album(token: str):
+    base_url = await get_base_url(token)
+    base_url = await get_redirected_base_url(base_url, token)
+    metadata = await get_metadata(base_url)
     guids = [p["photoGuid"] for p in metadata]
+    assets = await get_asset_urls(base_url, guids)
+    # Snapshot known IDs under lock (so we don't race writes)
+    async with INDEX_LOCK:
+        index = load_index_sync()
+        known = {v["id"] for v in index.get("videos", [])}
+    publisher = ALBUM_PUBLISHERS.get(token, "Unknown")
+    category = ALBUM_CATEGORIES.get(token, "Uncategorized")
     album_dir = os.path.join(VIDEO_DIR, token)
     os.makedirs(album_dir, exist_ok=True)
+    new_entries = []
+    for photo in metadata:
+        if photo.get("mediaAssetType", "").lower() != "video":
             continue
+        vid = photo["photoGuid"]
         if vid in known:
             continue
+        derivatives = photo.get("derivatives", {})
         best = max(
+            (d for k, d in derivatives.items() if k.lower() != "posterframe"),
             key=lambda d: int(d.get("fileSize") or 0),
             default=None,
         )
         if not asset:
             continue
+        video_url = f"https://{asset['url_location']}{asset['url_path']}"
         video_path = os.path.join(album_dir, f"{vid}.mp4")
+        await download_file(video_url, video_path)
+        thumb_path = ""
+        pf = derivatives.get("PosterFrame")
         if pf:
+            pf_asset = assets.get(pf.get("checksum"))
+            if pf_asset:
+                poster_url = f"https://{pf_asset['url_location']}{pf_asset['url_path']}"
+                thumb_path = os.path.join(album_dir, f"{vid}.jpg")
+                await download_file(poster_url, thumb_path)
+        new_entries.append({
             "id": vid,
+            "name": photo.get("caption") or "Untitled",
             "video_url": f"/media/{token}/{vid}.mp4",
+            "thumbnail": f"/media/{token}/{vid}.jpg" if thumb_path else "",
+            "upload_date": photo.get("creationDate") or datetime.now(timezone.utc).isoformat(),
+            "category": category,
+            "publisher": publisher,
             "source_album": token,
         })
+    if new_entries:
+        async with INDEX_LOCK:
+            idx = load_index_sync()
+            existing = {v["id"] for v in idx.get("videos", [])}
+            for e in new_entries:
+                if e["id"] not in existing:
+                    idx["videos"].append(e)
+            save_index_sync(idx)
+# ==================================================
+# STARTUP: LOAD CONFIG + BACKFILL + START POLLER
+# ==================================================
 @app.on_event("startup")
 async def start_polling():
+    # Ensure config exists
+    if not os.path.exists(ADMIN_CONFIG_FILE):
+        save_admin_config_sync({
+            "album_publishers": dict(DEFAULT_ALBUM_PUBLISHERS),
+            "album_categories": dict(DEFAULT_ALBUM_CATEGORIES),
+        })
+    await refresh_album_maps_from_disk()
+    await backfill_index_categories()
     async def loop():
         while True:
+            # Iterate dynamic albums from config
+            tokens = list(ALBUM_PUBLISHERS.keys())
+            for token in tokens:
                 try:
                     await poll_album(token)
                 except Exception:
+                    logging.exception(f"Polling failed for {token}")
             await asyncio.sleep(60)
     asyncio.create_task(loop())
 # ==================================================
 # FEED
 # ==================================================
 @app.get("/feed/videos")
+async def get_video_feed():
+    async with INDEX_LOCK:
+        return load_index_sync()
 # ==================================================
+# LEGACY ENDPOINTS (unchanged)
 # ==================================================
+@app.get("/album/{token}")
+async def legacy_album(token: str):
+    base_url = await get_base_url(token)
+    base_url = await get_redirected_base_url(base_url, token)
+    metadata = await get_metadata(base_url)
+    guids = [p["photoGuid"] for p in metadata]
+    assets = await get_asset_urls(base_url, guids)
+    videos = []
+    for photo in metadata:
+        if photo.get("mediaAssetType", "").lower() != "video":
+            continue
+        derivatives = photo.get("derivatives", {})
+        best = max(
+            (d for k, d in derivatives.items() if k.lower() != "posterframe"),
+            key=lambda d: int(d.get("fileSize") or 0),
+            default=None,
+        )
+        if not best:
+            continue
+        asset = assets.get(best["checksum"])
+        if not asset:
+            continue
+        videos.append({
+            "caption": photo.get("caption", ""),
+            "url": f"https://{asset['url_location']}{asset['url_path']}",
+        })
+    return {"videos": videos}
+@app.get("/album/{token}/raw")
+async def legacy_album_raw(token: str):
+    base_url = await get_base_url(token)
+    base_url = await get_redirected_base_url(base_url, token)
+    metadata = await get_metadata(base_url)
+    guids = [p["photoGuid"] for p in metadata]
+    assets = await get_asset_urls(base_url, guids)
+    return {"metadata": metadata, "asset_urls": assets}
 # ==================================================
+# ADMIN: LOGIN
 # ==================================================
 @app.get("/admin/login", response_class=HTMLResponse)
 async def admin_login_page():
+    # No f-string here -> no brace issues
     return """
+    <html>
+      <head>
+        <title>Admin Login</title>
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <style>
+          body { font-family: system-ui, sans-serif; background:#111; color:#fff; display:flex; min-height:100vh; align-items:center; justify-content:center; }
+          .card { width: 360px; padding: 18px; border: 1px solid #333; border-radius: 12px; background:#161616; }
+          input, button { width:100%; padding:12px; font-size:16px; border-radius:10px; border:1px solid #333; background:#0f0f0f; color:#fff; }
+          button { background:#2a2a2a; cursor:pointer; margin-top:10px; }
+          button:hover { background:#3a3a3a; }
+        </style>
+      </head>
+      <body>
+        <form class="card" method="post">
+          <h2 style="margin:0 0 10px 0;">Admin Panel</h2>
+          <input type="password" name="pin" placeholder="PIN" autofocus />
+          <button type="submit">Enter</button>
+        </form>
+      </body>
+    </html>
     """
 @app.post("/admin/login")
 async def admin_login(pin: str = Form(...)):
     if pin != ADMIN_PIN:
         return HTMLResponse("Wrong PIN", status_code=401)
     session = secrets.token_hex(16)
     ADMIN_SESSIONS.add(session)
+    resp = RedirectResponse("/admin", status_code=302)
+    resp.set_cookie(ADMIN_COOKIE, session, httponly=True)
+    return resp
+@app.get("/admin/logout")
+async def admin_logout(req: Request):
+    session = req.cookies.get(ADMIN_COOKIE)
+    if session in ADMIN_SESSIONS:
+        ADMIN_SESSIONS.remove(session)
+    resp = RedirectResponse("/admin/login", status_code=302)
+    resp.delete_cookie(ADMIN_COOKIE)
+    return resp
 # ==================================================
+# ADMIN: DASHBOARD (VIDEOS + ALBUMS)
 # ==================================================
+def esc(v) -> str:
+    return html_escape_lib.escape("" if v is None else str(v), quote=True)
+ADMIN_TEMPLATE = """
+<html>
+  <head>
+    <title>Admin</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <style>
+      body { font-family: system-ui, sans-serif; background:#111; color:#fff; margin:0; padding:16px; }
+      a { color:#9ad; }
+      h1 { margin: 0 0 10px 0; }
+      .row { display:flex; gap:10px; align-items:center; margin-bottom:12px; flex-wrap:wrap; }
+      .pill { padding:6px 10px; border:1px solid #333; border-radius:999px; background:#161616; }
+      .card { border:1px solid #333; border-radius:12px; background:#161616; padding:12px; margin: 14px 0; }
+      table { width:100%; border-collapse: collapse; }
+      th, td { border-bottom:1px solid #2a2a2a; padding:8px; vertical-align: top; }
+      th { text-align:left; position:sticky; top:0; background:#161616; }
+      input { width:100%; padding:8px; border-radius:10px; border:1px solid #333; background:#0f0f0f; color:#fff; }
+      button { padding:10px 12px; border-radius:10px; border:1px solid #333; background:#2a2a2a; color:#fff; cursor:pointer; }
+      button:hover { background:#3a3a3a; }
+      .small { font-size:12px; opacity:0.85; }
+      .grid2 { display:grid; grid-template-columns: 1fr 1fr; gap:10px; }
+      @media (max-width: 900px) { .grid2 { grid-template-columns: 1fr; } }
+    </style>
+  </head>
+  <body>
+    <div class="row">
+      <h1 style="margin-right:auto;">Admin</h1>
+      <span class="pill">PIN session active</span>
+      <a href="/admin/logout" class="pill">Logout</a>
+    </div>
+    <div class="card">
+      <h2 style="margin:0 0 8px 0;">Albums</h2>
+      <div class="small">Add/edit albums here. Polling loop uses this list.</div>
+      <table>
+        <thead>
+          <tr>
+            <th style="width:28%;">Album Token</th>
+            <th>Publisher</th>
+            <th>Category</th>
+          </tr>
+        </thead>
+        <tbody>
+          __ALBUM_ROWS__
+          <tr>
+            <td><input id="new_token" placeholder="New token"></td>
+            <td><input id="new_publisher" placeholder="Publisher"></td>
+            <td>
+              <div class="grid2">
+                <input id="new_category" placeholder="Category">
+                <button onclick="addAlbum()">Add Album</button>
+              </div>
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <div class="card">
+      <h2 style="margin:0 0 8px 0;">Videos</h2>
+      <div class="small">Edits save to index.json instantly on field change.</div>
+      <table>
+        <thead>
+          <tr>
+            <th style="width:13%;">ID</th>
+            <th style="width:16%;">Name</th>
+            <th style="width:16%;">Upload Date</th>
+            <th style="width:10%;">Category</th>
+            <th style="width:12%;">Publisher</th>
+            <th style="width:18%;">Thumbnail</th>
+            <th style="width:15%;">Source Album</th>
+          </tr>
+        </thead>
+        <tbody>
+          __VIDEO_ROWS__
+        </tbody>
+      </table>
+    </div>
     <script>
+      async function postJSON(url, obj) {
+        const r = await fetch(url, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(obj),
+        });
+        return r.json();
+      }
+      // autosave video fields
+      document.addEventListener("change", async (e) => {
+        const t = e.target;
+        if (!t || !t.dataset || !t.dataset.id) return;
+        const id = t.dataset.id;
+        const field = t.dataset.field;
+        const value = t.value;
+        await postJSON("/admin/update", { id, field, value });
+      });
+      // autosave album fields
+      document.addEventListener("change", async (e) => {
+        const t = e.target;
+        if (!t || !t.dataset || !t.dataset.album) return;
+        const token = t.dataset.album;
+        const field = t.dataset.field;
+        const value = t.value;
+        await postJSON("/admin/albums/update", { token, field, value });
+      });
+      async function addAlbum() {
+        const token = document.getElementById("new_token").value.trim();
+        const publisher = document.getElementById("new_publisher").value.trim();
+        const category = document.getElementById("new_category").value.trim();
+        if (!token) return alert("Token required");
+        const out = await postJSON("/admin/albums/add", { token, publisher, category });
+        if (out && out.ok) location.reload();
+        else alert(out.error || "failed");
+      }
     </script>
+  </body>
+</html>
+"""
+@app.get("/admin", response_class=HTMLResponse)
+async def admin_dashboard(req: Request):
+    if not is_admin(req):
+        return RedirectResponse("/admin/login", status_code=302)
+    async with INDEX_LOCK:
+        idx = load_index_sync()
+    cfg = await load_admin_config()
+    # Build album rows
+    ap = cfg.get("album_publishers", {})
+    ac = cfg.get("album_categories", {})
+    album_tokens = sorted(set(ap.keys()) | set(ac.keys()))
+    album_rows = ""
+    for token in album_tokens:
+        album_rows += (
+            "<tr>"
+            f"<td><input data-album=\"{esc(token)}\" data-field=\"token\" value=\"{esc(token)}\" disabled></td>"
+            f"<td><input data-album=\"{esc(token)}\" data-field=\"publisher\" value=\"{esc(ap.get(token, ''))}\"></td>"
+            f"<td><input data-album=\"{esc(token)}\" data-field=\"category\" value=\"{esc(ac.get(token, ''))}\"></td>"
+            "</tr>"
+        )
+    # Build video rows
+    video_rows = ""
+    for v in idx.get("videos", []):
+        vid = esc(v.get("id", ""))
+        video_rows += (
+            "<tr>"
+            f"<td class='small'>{vid}</td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"name\" value=\"{esc(v.get('name',''))}\"></td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"upload_date\" value=\"{esc(v.get('upload_date',''))}\"></td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"category\" value=\"{esc(v.get('category',''))}\"></td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"publisher\" value=\"{esc(v.get('publisher',''))}\"></td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"thumbnail\" value=\"{esc(v.get('thumbnail',''))}\"></td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"source_album\" value=\"{esc(v.get('source_album',''))}\"></td>"
+            "</tr>"
+        )
+    page = ADMIN_TEMPLATE.replace("__ALBUM_ROWS__", album_rows).replace("__VIDEO_ROWS__", video_rows)
+    return HTMLResponse(page)
 # ==================================================
+# ADMIN: UPDATE VIDEO METADATA
 # ==================================================
+ALLOWED_VIDEO_FIELDS = {
+    "name", "upload_date", "category", "publisher", "thumbnail", "source_album",
+    # (Optional) allow these if you want:
+    # "video_url",
+}
 @app.post("/admin/update")
 async def admin_update(req: Request, payload: dict):
     if not is_admin(req):
+        return JSONResponse({"error": "unauthorized"}, status_code=403)
+    vid = str(payload.get("id", "")).strip()
+    field = str(payload.get("field", "")).strip()
+    value = payload.get("value", "")
+    if not vid or field not in ALLOWED_VIDEO_FIELDS:
+        return JSONResponse({"error": "bad request"}, status_code=400)
+    async with INDEX_LOCK:
+        idx = load_index_sync()
+        for v in idx.get("videos", []):
+            if v.get("id") == vid:
+                v[field] = value
+                save_index_sync(idx)
+                return {"ok": True}
+    return JSONResponse({"error": "video not found"}, status_code=404)
+# ==================================================
+# ADMIN: ALBUM MANAGEMENT (persisted)
+# ==================================================
+@app.post("/admin/albums/add")
+async def admin_albums_add(req: Request, payload: dict):
+    if not is_admin(req):
+        return JSONResponse({"error": "unauthorized"}, status_code=403)
+    token = str(payload.get("token", "")).strip()
+    publisher = str(payload.get("publisher", "")).strip() or "Unknown"
+    category = str(payload.get("category", "")).strip() or "Uncategorized"
+    if not token:
+        return JSONResponse({"error": "token required"}, status_code=400)
+    cfg = await load_admin_config()
+    cfg.setdefault("album_publishers", {})
+    cfg.setdefault("album_categories", {})
+    cfg["album_publishers"][token] = publisher
+    cfg["album_categories"][token] = category
+    await write_admin_config(cfg)
+    await refresh_album_maps_from_disk()
+    await backfill_index_categories()
+    return {"ok": True}
+@app.post("/admin/albums/update")
+async def admin_albums_update(req: Request, payload: dict):
+    if not is_admin(req):
+        return JSONResponse({"error": "unauthorized"}, status_code=403)
+    token = str(payload.get("token", "")).strip()
+    field = str(payload.get("field", "")).strip()
+    value = str(payload.get("value", "")).strip()
+    if not token or field not in ("publisher", "category"):
+        return JSONResponse({"error": "bad request"}, status_code=400)
+    cfg = await load_admin_config()
+    cfg.setdefault("album_publishers", {})
+    cfg.setdefault("album_categories", {})
+    if field == "publisher":
+        cfg["album_publishers"][token] = value or "Unknown"
+    else:
+        cfg["album_categories"][token] = value or "Uncategorized"
+    await write_admin_config(cfg)
+    await refresh_album_maps_from_disk()
+    await backfill_index_categories()
+    return {"ok": True}
 # ==================================================
+# STATIC MEDIA
 # ==================================================
 app.mount("/media", StaticFiles(directory=VIDEO_DIR), name="media")