================================================================================ TECHNICAL ARCHITECTURE: SECURE MULTI-USER SQLITE ARCHITECTURE OVER THE INTERNET ================================================================================ AUTHOR: [Your Name/Handle] TARGET AUDIENCE: SQLite Developers, Desktop App Developers, Self-Hosters CONCURRENCY SCALE: Optimized for up to 10 Concurrent Users -------------------------------------------------------------------------------- 1. INTRODUCTION & ARCHITECTURAL PHILOSOPHY -------------------------------------------------------------------------------- A common misconception is that SQLite cannot be used for multi-user applications operating over the internet. While it is true that hosting an SQLite file directly on a network share (like SMB or NAS) will inevitably cause database locks and corruption due to broken network file-locking protocols, SQLite can handle multi-user traffic flawlessly when paired with an Application Server layer. By positioning a lightweight Python FastAPI server on the same physical machine as the SQLite database file and enabling Write-Ahead Logging (WAL) mode, we completely eliminate network file hazards. SQLite handles local WAL operations with extreme speed, serializing writes seamlessly while allowing unblocked parallel reads. This guide provides a complete production-grade blueprint for deploying a secure, compiled Windows 11 desktop GUI app backed by a self-hosted SQLite server. -------------------------------------------------------------------------------- 2. THE PRODUCTION TOPOLOGY -------------------------------------------------------------------------------- [Windows 11 Desktop GUI Client App (.exe)] │ │ (Encrypted HTTPS / Port 443 via Public Internet) ▼ [Abyss Web Server (Reverse Proxy)] │ * Manages automated Let's Encrypt SSL certificates. │ * Decrypts incoming web requests. │ * Forwards traffic locally to Port 8000. ▼ [Application Server (FastAPI / 127.0.0.1:8000)] │ * Validates secret X-API-KEY network headers to block malicious bots. │ * Hashes plain-text passwords using SHA-256. │ * Interacts locally with SQLite. ▼ [SQLite File (app_database.db)] ──> Configured permanently in WAL mode. -------------------------------------------------------------------------------- 3. THE COMPLETE CODEBASE -------------------------------------------------------------------------------- SCRIPT 1: ONE-TIME DATABASE INITIALIZATION (run_once.py) Run this script once on your server machine. It initializes your schema and locks the database file into WAL mode permanently. Because WAL mode is persistent on disk, you do not need to execute PRAGMA journal_mode=WAL on subsequent queries. import sqlite3 def initialize_database(): conn = sqlite3.connect("app_database.db") # Enable WAL mode permanently on the file structure conn.execute("PRAGMA journal_mode=WAL;") # Create a secure user registry table conn.execute(""" CREATE TABLE IF NOT EXISTS server_users ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL ) """) conn.close() print("Database successfully locked into WAL mode and schema initialized.") if __name__ == "__main__": initialize_database() SCRIPT 2: THE SELF-HOSTED PRODUCTION BACKEND (main_server.py) This script runs continuously on your server hardware behind localhost. For up to 10 users, standard SQLite engine defaults are completely sufficient. import hashlib import sqlite3 from fastapi import FastAPI, HTTPException, Header, Depends from pydantic import BaseModel app = FastAPI() DB_FILE = "app_database.db" # A robust token embedded inside your server and compiled client application SECRET_APP_KEY = "YourSuperSecretAppKeyChangeThisToSomethingLong123!" # Global security handshake middleware def verify_api_key(x_api_key: str = Header(None)): if x_api_key != SECRET_APP_KEY: raise HTTPException(status_code=403, detail="Unauthorized client signature.") return x_api_key class UserCredentials(BaseModel): username: str password: str def hash_password(password: str) -> str: return hashlib.sha256(password.encode()).hexdigest() @app.post("/login", dependencies=[Depends(verify_api_key)]) def login_user(user: UserCredentials): hashed = hash_password(user.password) conn = sqlite3.connect(DB_FILE) cursor = conn.cursor() cursor.execute( "SELECT id FROM server_users WHERE username = ? AND password_hash = ?", (user.username, hashed) ) account = cursor.fetchone() conn.close() if account: return {"status": "Success", "message": "Access granted!"} else: raise HTTPException(status_code=401, detail="Invalid username or password.") # Run locally via terminal command: # uvicorn main_server:app --host 127.0.0.1 --port 8000 SCRIPT 3: THE DESKTOP CONTROLLER CLASS (client.py) This logic runs on the client machine, loading the visual XML layout generated by standalone Qt Designer. import requests from PyQt6 import uic from PyQt6.QtWidgets import QMainWindow, QMessageBox, QApplication class LoginWindow(QMainWindow): def __init__(self): super().__init__() # Load the layout blueprint generated via Qt Designer uic.loadUi("my_layout.ui", self) self.login_button.clicked.connect(self.attempt_login) def attempt_login(self): input_user = self.username_field.text() input_pass = self.password_field.text() if not input_user or not input_pass: QMessageBox.warning(self, "Input Warning", "All fields are required.") return payload = {"username": input_user, "password": input_pass} headers = {"X-API-KEY": "YourSuperSecretAppKeyChangeThisToSomethingLong123!"} try: # Points directly to your secure Abyss Web Server public routing server_url = "https://your-public-domain-or-ip/login" response = requests.post(server_url, json=payload, headers=headers) if response.status_code == 200: QMessageBox.information(self, "Granted", "Welcome to the system!") else: error_msg = response.json().get("detail", "Authentication failed.") QMessageBox.critical(self, "Denied", error_msg) except requests.exceptions.ConnectionError: QMessageBox.critical(self, "Network Error", "Unable to establish contact with server.") -------------------------------------------------------------------------------- 4. REVERSE PROXY LAYER (ABYSS WEB SERVER) -------------------------------------------------------------------------------- To make this network setup safe for the open internet, Abyss Web Server acts as a protective gateway layer. 1. CERTIFICATE MANAGEMENT: Enable SSL/TLS (HTTPS) within the Abyss Host console and use its native Let's Encrypt automated module to bind a free, valid SSL certificate to your public routing IP or domain. 2. REVERSE PROXY RULE: Map Virtual Path "/" to point directly to the internal loopback address: http://127.0.0. 3. FIREWALL/ROUTER CONSTRAINTS: Forward only public port 443 (HTTPS) from your network router directly to your server machine. Keep port 8000 completely blocked from external access. All internet passwords are now safely encrypted in transit via standard HTTPS. -------------------------------------------------------------------------------- 5. INTELLECTUAL PROPERTY PROTECTION (CYTHON + PYINSTALLER) -------------------------------------------------------------------------------- To protect your code from reverse-engineering on the client's PC, compile the python scripts into strict C machine binaries using Windows Command Prompt: Step 1: Write a minimal 'setup.py' compiler instruction: from setuptools import setup from Cython.Build import cythonize setup(ext_modules = cythonize("client.py", compiler_directives={'language_level': "3"})) Step 2: Compile the client script into a native Windows binary (.pyd file): python setup.py build_ext --inplace Step 3: Package the compiled binary and your Qt layout into a standalone executable: pyinstaller --onefile --windowed --add-data "my_layout.ui;." client.cp311-win_amd64.pyd The resulting standalone executable in your dist/ folder completely conceals your source code while communicating natively with your secure, self-hosted SQLite hub. ================================================================================