Skip to content
mybibli
v1.7.10 · current

Your home library, properly cataloged.

mybibli is a self-hosted web app to catalog, locate, and loan your personal library. Barcode-first, multi-media, multi-role — and your data never leaves your network.

View on GitHub See the roadmap
140+
volumes in prod
~900
tests green
8
metadata providers
4
languages (EN/FR/DE/IT)
In the wild

Live in production.

Screenshots from the household NAS install that drives the project — same code that's on Docker Hub right now.

mybibli home page — search bar, genre filters, dashboard counters, and a recent-additions strip with cover thumbnails.
Home. Search, genre filters, dashboard counters and a recent-additions strip with cover thumbnails fetched through the metadata-provider chain.
mybibli locations page — hierarchical tree of rooms, bookcases and shelves with per-node volume counts and edit/delete affordances.
Locations. Configurable hierarchy (room → bookcase → shelf …) with per-node volume counts, inline create / edit / delete, and a barcode-on-shelf workflow.
mybibli shelf-audit page — list of volumes flagged for physical verification, with resolved location and V-code per row.
Shelf-audit. Volumes flagged "À contrôler" — single or in bulk for an entire shelf — sorted by location → V-code with a one-click clear affordance once they're back in place.
mybibli admin Health tab — entity counts, MariaDB version, disk usage, and per-provider reachability probes.
Admin > Health. Entity counts, MariaDB version, disk usage, and per-provider reachability probes refreshed every 5 minutes in the background.

More than a spreadsheet.

Built for collectors who want their library to actually work. Scan a barcode, find a book on a shelf, lend it to a friend — and see what's missing in a series.

Barcode-first cataloging

Scan an ISBN or EAN-13. Title metadata resolves asynchronously through a chain of eight providers — BnF, Google Books, Open Library, Library of Congress, MusicBrainz, OMDb, TMDb, BDGest — with cover-image download.

Multi-media support

Books, BD/comics with multi-position omnibus volumes, audio releases, films and series — each typed correctly with the right provider chain selected automatically.

Series & gap detection

See which volumes are missing in your series at a glance. The dashboard surfaces "series with gaps" alongside Dewey-based browsing and a similar-titles section.

Storage-location tracking

Configurable hierarchy — room → shelf → row, or whatever fits your home. Each shelf gets a barcode; scan the shelf, scan the volume, done.

Loan management

Borrower CRUD, loan registration, automatic location restoration on return, admin-configurable overdue threshold, per-borrower history.

Multi-role access

Anonymous (read-only), Librarian (catalog + loans), Admin (everything). Session inactivity timeout with keep-alive toast. EN / FR language toggle, per-user.

Hardened by construction

Security that sleeps next to your front door.

Self-hosted means your home network. So mybibli is built defensively from day one — not as an afterthought.

  • CSP

    Strict Content Security Policy

    No unsafe-inline, no unsafe-eval. Every template — server-rendered or HTMX fragment — is audited for inline script and style attributes.

  • CSRF

    Per-session synchronizer token

    Constant-time compare on every state-changing request. Forms inject the token automatically; HTMX inherits via a small JS listener. Exempt-route allowlist is frozen and policed by tests.

  • Scanner-guard

    A USB barcode burst that arrives while a modal is open is intercepted at document-capture phase — no leakage into background scan fields, no accidental Cancel/Confirm activation.

  • Data stays at home

    No cloud sync, no telemetry, no analytics. Argon2 password hashing, HttpOnly + SameSite cookies, soft-delete with 30-day auto-purge.

Boring stack, on purpose.

Server-rendered HTML, type-checked templates, no SPA framework. The whole UI talks to the server with HTMX over the same routes that serve the pages.

Backend
Rust 2024 + Axum 0.8

Compiled binary, async tokio runtime, zero-cost middleware tower stack.

Database
MariaDB + SQLx 0.8

Compile-time query checking via the offline cache. Versioned migrations checked into the repo.

Templates
Askama 0.15

Compile-time type-checked Jinja-style templates. Auto HTML-escaping, no surprises.

Frontend
HTMX 2 + Tailwind 4

No build step beyond Tailwind. Server-rendered HTML; small ES modules where the UX needs it.

Auth
Sessions + Argon2

Cookie-based sessions, per-session CSRF synchronizer token, role-based access control.

i18n
rust-i18n

English + French today, key-by-key parity enforced by tests. New languages drop in as a single YAML file.

Testing
cargo + Playwright

~525 unit, ~95 DB integration, ~160 Playwright E2E across two CI lanes (seeded + wizard).

CI/CD
GitHub Actions

Rust tests + clippy + sqlx-prepare check, DB integration, Playwright E2E and wizard E2E — gated on every PR.

v1.7.10 is live.

v1.7.10 — "protect manual covers" is a single-fix patch closing a silent-data-loss vulnerability. A manually uploaded cover (the v1.7.6 #335 safety net for titles no provider has) was being silently overwritten by the async metadata-fetch chain because update_cover_image_url did an unconditional UPDATE that ignored manually_edited_fields. The fix is a 22-line guard pattern identical to do_update's, with 4 integration tests covering success / download-failure / regression / specificity (#347). Pre-built Docker images on Docker Hub.

Star on GitHub See the roadmap Browse issues