A security-first database management platform that combines the power of Rust's performance with React's flexibility. LunarBase delivers reliable data management through an intuitive admin interface built entirely with the proprietary Nocta UI component library.
LunarBase is a comprehensive platform designed for organizations that prioritize security while requiring modern, real-time capabilities. Built with a security-first mindset, every component has been designed to protect your data while providing the flexibility and performance modern applications require.
Security isn't an afterthought in LunarBase—it's the foundation. Our multi-layered security architecture ensures your data remains protected at every level:
- Secure password hashing with Argon2id (65536 memory, 4 iterations, 2 parallelism)
- Password pepper protection with server-side secret salt to defend against rainbow table attacks
- Dynamic JWT system with configurable token lifetime and refresh token duration
- HttpOnly cookies with secure, SameSite=Lax configuration and path restrictions
- Comprehensive token blacklisting for immediate session revocation
- Configurable brute force protection with customizable lockout duration and maximum login attempts
- Dynamic rate limiting with configurable request limits per IP
- Timing attack protection with consistent response delays
- Real-time configuration management allowing administrators to adjust security settings without server restart
- Multi-level access control spanning collections, records, and individual fields
- Role-based hierarchy with user/admin distinction and custom permission overrides
- Ownership-based permissions with automatic owner privilege assignment
- Real-time permission validation for WebSocket connections and live data
- Admin self-protection mechanisms to prevent accidental privilege removal
- Database encryption at rest with SQLCipher providing transparent AES-256 encryption
- SQL injection prevention through parameterized queries and comprehensive input validation
- CSRF protection via SameSite cookie policies
- XSS prevention through httpOnly cookie storage and input sanitization
- Schema validation to prevent malicious data structure modifications
- Audit trails for all operations with comprehensive logging
The LunarBase admin panel showcases Nocta UI, our proprietary component library designed for modern web interfaces:
- Copy-paste philosophy - Components are copied directly into your project for complete customization control
- WCAG 2.1 AA compliance with full keyboard navigation and screen reader support
- First-class dark mode with automatic system detection and manual override
- TypeScript-native with intuitive APIs and comprehensive type safety
- Performance-optimized components with minimal complexity and maximum efficiency
- Form elements: Button, Input, Textarea, Checkbox, Select, Switch with advanced validation
- Layout components: Card, Sheet, Dialog, Tabs, Table, Breadcrumb for structured interfaces
- Feedback systems: Alert, Badge, Toast, Spinner, Progress, Tooltip for user communication
- Interactive elements: Popover and context-aware components for enhanced UX
- Flexible schema system supporting Text, Number, Boolean, Date, Email, URL, JSON, File, and Relation fields
- Real-time schema evolution with automatic table creation and validation
- Advanced field validation with min/max constraints, regex patterns, and enum values
- System field protection for created_at, updated_at, and other reserved fields
- Advanced filtering with comprehensive operators (eq, ne, gt, gte, lt, lte, like, in, null checks)
- Multi-field sorting with ascending/descending directions
- Full-text search across record fields with performance optimization
- Efficient pagination with offset/limit support for large datasets
- Schema-aware validation ensuring query safety and field checking
- Authenticated and anonymous connections with automatic UUID assignment
- Subscription-based architecture for collections, records, and custom queries
- Automatic CRUD event emission with before/after data for updates
- Permission-based event filtering ensuring users only receive authorized data
- Admin broadcasting capabilities for system-wide notifications
- Complete CRUD operations with admin-only access controls
- Advanced user filtering by email, username, verification status
- Account lock management with unlock capabilities
- Role assignment with dynamic permission inheritance
- Self-protection mechanisms preventing admin self-deletion
- Prometheus integration with comprehensive metrics collection
- Real-time performance monitoring for HTTP requests, WebSocket connections, and database operations
- Custom dashboard with live statistics and health indicators
- Activity logging with detailed audit trails and pagination
- Resource usage tracking with memory and connection pool monitoring
- Real-time settings management with immediate effect without server restart
- Database-backed configuration with automatic caching and cache invalidation
- Authentication settings control including JWT lifetime (1-168 hours), lockout duration (1-1440 minutes), and max login attempts (1-20)
- API rate limiting configuration with customizable requests per minute per IP
- CORS settings management with dynamic allowed origins configuration
- Admin interface integration providing intuitive controls for all configurable parameters
- Fallback to secure defaults ensuring system stability even with missing configuration
- Configuration validation with type checking and range constraints
- Scheduled database backups with configurable cron expressions (default: daily at 2 AM)
- S3 cloud storage integration for secure, off-site backup storage
- Gzip compression to minimize storage costs and transfer times
- Intelligent retention management with automatic cleanup of old backups based on configurable retention periods
- Backup validation with minimum size checks to prevent corrupted backup cleanup
- Comprehensive monitoring with Prometheus metrics for backup success/failure rates
- SQLCipher VACUUM INTO for atomic, consistent database snapshots
- Configurable backup settings including schedule, retention days, compression, and file naming
- Health monitoring with backup service status checks and S3 connectivity validation
- OAuth Authentication with Google and GitHub providers for seamless social login
- Resend Email Service for reliable verification email delivery
- S3 File Storage with secure file upload capabilities
- Axum 0.8.4 - High-performance async web framework
- Diesel 2.2.11 - Type-safe ORM with compile-time query validation
- SQLCipher - Encrypted embedded database with excellent performance characteristics and transparent encryption
- JWT + Argon2 - Industry-standard authentication with cryptographic security
- tokio-tungstenite - Async WebSocket implementation
- Prometheus - Production-ready metrics and monitoring
- utoipa - OpenAPI documentation generation
- React 19.1.0 - Latest React with concurrent features
- TanStack Router 1.128.0 - Type-safe routing with automatic code splitting
- Zustand 5.0.6 - Lightweight state management
- TanStack Query 5.83.0 - Powerful server state management with caching
- Tailwind CSS 4.1.11 - Utility-first CSS framework
- Vite 7.0.4 - Lightning-fast build tool with HMR
LunarBase uses environment variables for configuration. Create a .env file in the project root directory based on the provided env.example template.
SERVER_HOST=127.0.0.1 # Server bind address
SERVER_PORT=3000 # Server port
FRONTEND_URL=http://localhost:3000 # Frontend URL for CORS and redirectsDATABASE_URL=db.sqlite # SQLite database file path
SQLCIPHER_KEY=your-strong-encryption-password # Database encryption keyJWT_SECRET=your-super-secret-jwt-key-change-this-in-production
PASSWORD_PEPPER=your-super-secret-pepper-change-this-in-production-and-keep-it-secretLUNARBASE_ADMIN_EMAIL=admin@example.com # Initial admin email
LUNARBASE_ADMIN_USERNAME=admin # Initial admin username
LUNARBASE_ADMIN_PASSWORD=your-secure-admin-password # Initial admin passwordNote: These variables automatically create an admin user on first startup. Only the first admin can be created this way - subsequent admins must be created through the admin panel.
ENABLE_TLS=false # Enable HTTPS with HTTP/2 (set to true for production)
TLS_CERT_PATH=/path/to/your/certificate.pem # SSL certificate path (PEM format)
TLS_KEY_PATH=/path/to/your/private-key.pem # SSL private key path (PEM format)
# Examples:
# For Let's Encrypt: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
# For self-signed: ./certs/localhost.pemRESEND_API_KEY=your-resend-api-key-from-resend-dashboard # Get from https://resend.com
EMAIL_FROM=onboarding@resend.dev # Sender email address# Google OAuth (from Google Cloud Console)
GOOGLE_CLIENT_ID=your-google-client-id-from-google-cloud-console
GOOGLE_CLIENT_SECRET=your-google-client-secret-from-google-cloud-console
# GitHub OAuth (from GitHub Developer Settings)
GITHUB_CLIENT_ID=your-github-client-id-from-github-developer-settings
GITHUB_CLIENT_SECRET=your-github-client-secret-from-github-developer-settingsS3_BUCKET_NAME=your-bucket-name # S3 bucket for file uploads
S3_REGION=us-east-1 # AWS region
S3_ACCESS_KEY_ID=your-access-key-id # AWS access key
S3_SECRET_ACCESS_KEY=your-secret-access-key # AWS secret key
# S3_ENDPOINT_URL=http://localhost:4566 # Optional: Custom endpoint (LocalStack)Note: All S3 variables are optional. If not set, file upload functionality will be disabled.
# Control logging levels (optional)
# Default: debug level in development, info level in release builds
RUST_LOG=lunarbase=info,tower_http=info # Info level and above
# RUST_LOG=lunarbase=warn,tower_http=warn # Warning level and above
# RUST_LOG=lunarbase=error # Error level only
# RUST_LOG=debug # Debug level for all modules
# RUST_LOG=lunarbase=debug,tower_http=info # Mixed levels
# RUST_LOG=off # Disable all loggingNote: The application automatically uses debug-level logging in development builds and info-level logging in release builds. Use the RUST_LOG environment variable to override these defaults.
- Use strong, unique passwords for
SQLCIPHER_KEY,JWT_SECRET, andPASSWORD_PEPPER - Never commit secrets to version control - use
.envfiles locally and secure environment variable management in production - Rotate secrets regularly especially JWT secrets and database encryption keys
- Use HTTPS in production by setting
ENABLE_TLS=trueand providing valid SSL certificates - Restrict CORS origins by configuring
FRONTEND_URLto match your actual domain
# Install dependencies
cargo build
# Start LocalStack for S3 testing (required for file upload functionality)
./start-with-localstack.sh
# Start the backend server
cargo run
# In a separate terminal, start the admin interface
cd admin-ui
npm install
npm run dev
# Test WebSocket connections (in another terminal)
# With TLS enabled:
wscat -c wss://localhost:3000/api/ws --no-check
# With TLS disabled:
wscat -c ws://localhost:3000/api/ws
# Run unit and integration tests (in another terminal)
cargo test -- --test-threads=1
# Format code after modifications:
# Frontend (use biome.js for linting and formatting)
cd admin-ui && npx @biomejs/biome check --write
# Backend (use cargo fmt for code formatting)
cargo fmt
# Stop LocalStack when done
./stop-localstack.shWith TLS enabled (ENABLE_TLS=true):
- Backend available at
https://localhost:3000/api/with HTTP/2 support - API documentation at
https://localhost:3000/docs/ - Admin interface at
http://localhost:5173/admin/(proxies API calls to HTTPS backend)
With TLS disabled (ENABLE_TLS=false):
- Backend available at
http://localhost:3000/api/with HTTP/1.1 - API documentation at
http://localhost:3000/docs/ - Admin interface at
http://localhost:5173/admin/
1. Environment Configuration
Create a .env file with required configuration. Copy from env.example and customize:
cp env.example .envRequired .env variables:
DATABASE_URL- SQLite database file pathSQLCIPHER_KEY- Strong encryption password for databaseJWT_SECRET- Secret key for JWT token signingPASSWORD_PEPPER- Additional security layer for password hashingLUNARBASE_ADMIN_EMAIL- Initial admin user emailLUNARBASE_ADMIN_USERNAME- Initial admin usernameLUNARBASE_ADMIN_PASSWORD- Initial admin password
Optional but recommended:
RESEND_API_KEY- For email verification (get from https://resend.com)EMAIL_FROM- Sender email address- OAuth credentials (Google/GitHub)
- S3 configuration for file uploads
2. TLS Certificate Setup (if ENABLE_TLS=true)
For production with TLS enabled, you need SSL certificates:
# Option 1: Use existing certificates
cp /path/to/your/cert.pem certs/localhost.pem
cp /path/to/your/key.pem certs/localhost-key.pem
# Option 2: Disable TLS (set ENABLE_TLS=false in .env)# Build the application with embedded admin UI
cargo build --release
# Start the production server (serves both API and embedded admin UI)
./target/release/lunarbaseNote: The admin UI is automatically built and embedded into the binary during compilation. No separate frontend build step is required.
With TLS enabled (ENABLE_TLS=true):
- Backend available at
https://localhost:3000/api/with HTTP/2 support - Admin interface at
https://localhost:3000/admin/ - API documentation at
https://localhost:3000/docs/
With TLS disabled (ENABLE_TLS=false):
- Backend available at
http://localhost:3000/api/with HTTP/1.1 - Admin interface at
http://localhost:3000/admin/ - API documentation at
http://localhost:3000/docs/
Every component has been designed with security as a primary concern. From the Argon2id password hashing to the comprehensive permission system, LunarBase helps protect your data against modern threats.
Built-in WebSocket support provides real-time updates across the entire system. Whether it's live data synchronization or instant permission changes, LunarBase keeps all clients synchronized without compromising security.
The Rust backend provides exceptional performance and memory safety, while the React frontend with Nocta UI delivers a responsive, accessible interface that scales from small teams to enterprise deployments. The single binary deployment with embedded assets simplifies production deployment and eliminates the need for separate frontend hosting.
With comprehensive TypeScript support, automatic API documentation, and the intuitive Nocta UI component library, LunarBase provides an exceptional developer experience without sacrificing functionality or security.
LunarBase provides secure, real-time database management—where robust security meets modern user experience, all powered by the Nocta UI component library.
We welcome contributions to LunarBase! Whether you're fixing bugs, adding features, or improving documentation, your help is appreciated.
- Fork the repository and create your feature branch from
main - Make your changes following the existing code style and conventions
- Add tests for any new functionality
- Ensure all tests pass by running
cargo test -- --test-threads=1 - Update documentation if you're adding new features
- Submit a pull request with a clear description of your changes
Please be respectful and constructive in all interactions. We're committed to providing a welcoming environment for all contributors.
This project is licensed under the MIT License - see the LICENSE file for details.