fix(security #15): read API keys from process.env at request time
Module-level const assignments (SONARR_API_KEY, RADARR_API_KEY, SABNZBD_API_KEY, EMBY_URL, EMBY_API_KEY) captured values at startup and would not pick up rotated credentials without a restart. Replaced all module-level captures in emby.js, sabnzbd.js, sonarr.js, radarr.js, and dashboard.js with inline process.env reads at each call site. A process restart is still needed for dotenv-loaded values but environment-injected vars (Docker, Kubernetes) are re-read live.
This commit is contained in:
@@ -9,8 +9,6 @@ const { pollAllServices, getLastPollTimings, POLLING_ENABLED } = require('../uti
|
|||||||
const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
|
const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
|
||||||
const sanitizeError = require('../utils/sanitizeError');
|
const sanitizeError = require('../utils/sanitizeError');
|
||||||
|
|
||||||
const EMBY_URL = process.env.EMBY_URL;
|
|
||||||
const EMBY_API_KEY = process.env.EMBY_API_KEY;
|
|
||||||
|
|
||||||
// Helper function to extract poster/cover art URL from a movie or series object
|
// Helper function to extract poster/cover art URL from a movie or series object
|
||||||
function getCoverArt(item) {
|
function getCoverArt(item) {
|
||||||
@@ -102,8 +100,8 @@ async function getEmbyUsers() {
|
|||||||
const cached = cache.get('emby:users');
|
const cached = cache.get('emby:users');
|
||||||
if (cached) return cached;
|
if (cached) return cached;
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${EMBY_URL}/Users`, {
|
const response = await axios.get(`${process.env.EMBY_URL}/Users`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
// Build map: both raw lowercase and sanitized form -> display name
|
// Build map: both raw lowercase and sanitized form -> display name
|
||||||
const map = new Map();
|
const map = new Map();
|
||||||
@@ -624,8 +622,8 @@ router.get('/user-summary', requireAuth, async (req, res) => {
|
|||||||
const radarrInstances = getRadarrInstances();
|
const radarrInstances = getRadarrInstances();
|
||||||
|
|
||||||
// Get all Emby users
|
// Get all Emby users
|
||||||
const usersResponse = await axios.get(`${EMBY_URL}/Users`, {
|
const usersResponse = await axios.get(`${process.env.EMBY_URL}/Users`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
|
|
||||||
// Get all series, movies, and tags from all instances
|
// Get all series, movies, and tags from all instances
|
||||||
|
|||||||
@@ -4,16 +4,13 @@ const router = express.Router();
|
|||||||
const requireAuth = require('../middleware/requireAuth');
|
const requireAuth = require('../middleware/requireAuth');
|
||||||
const sanitizeError = require('../utils/sanitizeError');
|
const sanitizeError = require('../utils/sanitizeError');
|
||||||
|
|
||||||
const EMBY_URL = process.env.EMBY_URL;
|
|
||||||
const EMBY_API_KEY = process.env.EMBY_API_KEY;
|
|
||||||
|
|
||||||
router.use(requireAuth);
|
router.use(requireAuth);
|
||||||
|
|
||||||
// Get active sessions
|
// Get active sessions
|
||||||
router.get('/sessions', async (req, res) => {
|
router.get('/sessions', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${EMBY_URL}/Sessions`, {
|
const response = await axios.get(`${process.env.EMBY_URL}/Sessions`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -24,8 +21,8 @@ router.get('/sessions', async (req, res) => {
|
|||||||
// Get user by ID
|
// Get user by ID
|
||||||
router.get('/users/:id', async (req, res) => {
|
router.get('/users/:id', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${EMBY_URL}/Users/${req.params.id}`, {
|
const response = await axios.get(`${process.env.EMBY_URL}/Users/${req.params.id}`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -36,8 +33,8 @@ router.get('/users/:id', async (req, res) => {
|
|||||||
// Get all users
|
// Get all users
|
||||||
router.get('/users', async (req, res) => {
|
router.get('/users', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${EMBY_URL}/Users`, {
|
const response = await axios.get(`${process.env.EMBY_URL}/Users`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -48,8 +45,8 @@ router.get('/users', async (req, res) => {
|
|||||||
// Get current user by session ID
|
// Get current user by session ID
|
||||||
router.get('/session/:sessionId/user', async (req, res) => {
|
router.get('/session/:sessionId/user', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${EMBY_URL}/Sessions`, {
|
const response = await axios.get(`${process.env.EMBY_URL}/Sessions`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
|
|
||||||
const session = response.data.find(s => s.Id === req.params.sessionId);
|
const session = response.data.find(s => s.Id === req.params.sessionId);
|
||||||
@@ -57,8 +54,8 @@ router.get('/session/:sessionId/user', async (req, res) => {
|
|||||||
return res.status(404).json({ error: 'Session not found' });
|
return res.status(404).json({ error: 'Session not found' });
|
||||||
}
|
}
|
||||||
|
|
||||||
const userResponse = await axios.get(`${EMBY_URL}/Users/${session.UserId}`, {
|
const userResponse = await axios.get(`${process.env.EMBY_URL}/Users/${session.UserId}`, {
|
||||||
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
|
||||||
});
|
});
|
||||||
|
|
||||||
res.json(userResponse.data);
|
res.json(userResponse.data);
|
||||||
|
|||||||
@@ -4,16 +4,13 @@ const router = express.Router();
|
|||||||
const requireAuth = require('../middleware/requireAuth');
|
const requireAuth = require('../middleware/requireAuth');
|
||||||
const sanitizeError = require('../utils/sanitizeError');
|
const sanitizeError = require('../utils/sanitizeError');
|
||||||
|
|
||||||
const RADARR_URL = process.env.RADARR_URL;
|
|
||||||
const RADARR_API_KEY = process.env.RADARR_API_KEY;
|
|
||||||
|
|
||||||
router.use(requireAuth);
|
router.use(requireAuth);
|
||||||
|
|
||||||
// Get queue
|
// Get queue
|
||||||
router.get('/queue', async (req, res) => {
|
router.get('/queue', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${RADARR_URL}/api/v3/queue`, {
|
const response = await axios.get(`${process.env.RADARR_URL}/api/v3/queue`, {
|
||||||
headers: { 'X-Api-Key': RADARR_API_KEY }
|
headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -24,8 +21,8 @@ router.get('/queue', async (req, res) => {
|
|||||||
// Get history
|
// Get history
|
||||||
router.get('/history', async (req, res) => {
|
router.get('/history', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${RADARR_URL}/api/v3/history`, {
|
const response = await axios.get(`${process.env.RADARR_URL}/api/v3/history`, {
|
||||||
headers: { 'X-Api-Key': RADARR_API_KEY },
|
headers: { 'X-Api-Key': process.env.RADARR_API_KEY },
|
||||||
params: { pageSize: req.query.pageSize || 50 }
|
params: { pageSize: req.query.pageSize || 50 }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
@@ -37,8 +34,8 @@ router.get('/history', async (req, res) => {
|
|||||||
// Get movie details
|
// Get movie details
|
||||||
router.get('/movies/:id', async (req, res) => {
|
router.get('/movies/:id', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${RADARR_URL}/api/v3/movie/${req.params.id}`, {
|
const response = await axios.get(`${process.env.RADARR_URL}/api/v3/movie/${req.params.id}`, {
|
||||||
headers: { 'X-Api-Key': RADARR_API_KEY }
|
headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -49,8 +46,8 @@ router.get('/movies/:id', async (req, res) => {
|
|||||||
// Get all movies with tags
|
// Get all movies with tags
|
||||||
router.get('/movies', async (req, res) => {
|
router.get('/movies', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${RADARR_URL}/api/v3/movie`, {
|
const response = await axios.get(`${process.env.RADARR_URL}/api/v3/movie`, {
|
||||||
headers: { 'X-Api-Key': RADARR_API_KEY }
|
headers: { 'X-Api-Key': process.env.RADARR_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
|
|||||||
@@ -4,18 +4,15 @@ const router = express.Router();
|
|||||||
const requireAuth = require('../middleware/requireAuth');
|
const requireAuth = require('../middleware/requireAuth');
|
||||||
const sanitizeError = require('../utils/sanitizeError');
|
const sanitizeError = require('../utils/sanitizeError');
|
||||||
|
|
||||||
const SABNZBD_URL = process.env.SABNZBD_URL;
|
|
||||||
const SABNZBD_API_KEY = process.env.SABNZBD_API_KEY;
|
|
||||||
|
|
||||||
router.use(requireAuth);
|
router.use(requireAuth);
|
||||||
|
|
||||||
// Get current queue
|
// Get current queue
|
||||||
router.get('/queue', async (req, res) => {
|
router.get('/queue', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${SABNZBD_URL}/api`, {
|
const response = await axios.get(`${process.env.SABNZBD_URL}/api`, {
|
||||||
params: {
|
params: {
|
||||||
mode: 'queue',
|
mode: 'queue',
|
||||||
apikey: SABNZBD_API_KEY,
|
apikey: process.env.SABNZBD_API_KEY,
|
||||||
output: 'json'
|
output: 'json'
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
@@ -28,10 +25,10 @@ router.get('/queue', async (req, res) => {
|
|||||||
// Get history
|
// Get history
|
||||||
router.get('/history', async (req, res) => {
|
router.get('/history', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${SABNZBD_URL}/api`, {
|
const response = await axios.get(`${process.env.SABNZBD_URL}/api`, {
|
||||||
params: {
|
params: {
|
||||||
mode: 'history',
|
mode: 'history',
|
||||||
apikey: SABNZBD_API_KEY,
|
apikey: process.env.SABNZBD_API_KEY,
|
||||||
output: 'json',
|
output: 'json',
|
||||||
limit: req.query.limit || 50
|
limit: req.query.limit || 50
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,16 +4,13 @@ const router = express.Router();
|
|||||||
const requireAuth = require('../middleware/requireAuth');
|
const requireAuth = require('../middleware/requireAuth');
|
||||||
const sanitizeError = require('../utils/sanitizeError');
|
const sanitizeError = require('../utils/sanitizeError');
|
||||||
|
|
||||||
const SONARR_URL = process.env.SONARR_URL;
|
|
||||||
const SONARR_API_KEY = process.env.SONARR_API_KEY;
|
|
||||||
|
|
||||||
router.use(requireAuth);
|
router.use(requireAuth);
|
||||||
|
|
||||||
// Get queue
|
// Get queue
|
||||||
router.get('/queue', async (req, res) => {
|
router.get('/queue', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${SONARR_URL}/api/v3/queue`, {
|
const response = await axios.get(`${process.env.SONARR_URL}/api/v3/queue`, {
|
||||||
headers: { 'X-Api-Key': SONARR_API_KEY }
|
headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -24,8 +21,8 @@ router.get('/queue', async (req, res) => {
|
|||||||
// Get history
|
// Get history
|
||||||
router.get('/history', async (req, res) => {
|
router.get('/history', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${SONARR_URL}/api/v3/history`, {
|
const response = await axios.get(`${process.env.SONARR_URL}/api/v3/history`, {
|
||||||
headers: { 'X-Api-Key': SONARR_API_KEY },
|
headers: { 'X-Api-Key': process.env.SONARR_API_KEY },
|
||||||
params: { pageSize: req.query.pageSize || 50 }
|
params: { pageSize: req.query.pageSize || 50 }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
@@ -37,8 +34,8 @@ router.get('/history', async (req, res) => {
|
|||||||
// Get series details
|
// Get series details
|
||||||
router.get('/series/:id', async (req, res) => {
|
router.get('/series/:id', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${SONARR_URL}/api/v3/series/${req.params.id}`, {
|
const response = await axios.get(`${process.env.SONARR_URL}/api/v3/series/${req.params.id}`, {
|
||||||
headers: { 'X-Api-Key': SONARR_API_KEY }
|
headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -49,8 +46,8 @@ router.get('/series/:id', async (req, res) => {
|
|||||||
// Get all series with tags
|
// Get all series with tags
|
||||||
router.get('/series', async (req, res) => {
|
router.get('/series', async (req, res) => {
|
||||||
try {
|
try {
|
||||||
const response = await axios.get(`${SONARR_URL}/api/v3/series`, {
|
const response = await axios.get(`${process.env.SONARR_URL}/api/v3/series`, {
|
||||||
headers: { 'X-Api-Key': SONARR_API_KEY }
|
headers: { 'X-Api-Key': process.env.SONARR_API_KEY }
|
||||||
});
|
});
|
||||||
res.json(response.data);
|
res.json(response.data);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
|
|||||||
Reference in New Issue
Block a user