docs: add “internet-exposed self-hosted” hack (yes, it’s cursed)

[H1D]

What

Add README section showing how to expose a self-hosted instance and still use built‑in login. It’s hacky, but maybe usefull.

How

SELF_HOSTED_MODE=false, insert a user via SQL, fetch OTP from DB, sign in.

Why

Unblocks “public-ish” deployments without wiring full auth/reverse proxy. Cue the shame.

the change is limited to docs; no code changes or migrations.

[vas3k]

Very cursed :D Not sure it's needed right in README, maybe in docs directory

[H1D]

@vas3k done

[adryserage]

Code Review Analysis 🔍

This documentation PR for self-hosted public access looks good! A few suggestions:

✅ What looks good

• Clear disclaimer about security implications ("yes, it's cursed")
• Step-by-step instructions
• Appropriate warnings about the risks involved

💡 Suggestions for improvement

1. Security warning placement: Consider adding a more prominent warning at the top of the document, perhaps using a callout/admonition block:
   ```markdown

   ⚠️ WARNING: This setup exposes your instance to the internet.
   Only proceed if you understand the security implications.
   ```

2. Mention HTTPS: If users are exposing this to the internet, they should definitely use HTTPS. Consider adding a section about setting up SSL/TLS (e.g., using Let's Encrypt with Caddy or nginx).

3. Authentication recommendations: Since the app handles financial data, maybe mention that users should ensure strong authentication is enabled and consider additional protections like:

   • IP allowlisting if possible
   • Fail2ban for brute-force protection
   • Regular security updates

✅ Overall

Good documentation that fills a valid use case. The "cursed" humor appropriately conveys this is not the recommended setup while still helping users who need it.

---

Automated review by Aetheris