Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity

security: fix issues #1-4 from security audit
All checks were successful
Build and Push Docker Image / build (push) Successful in 39s
Details

Browse Source 
#1 Session cookie: add secure (production-only) and sameSite=strict
    to prevent transmission over HTTP and cross-site request abuse.
#2 Remove Emby AccessToken from cookie payload — it was stored in
    the browser cookie but is never needed client-side; reduces blast
    radius if cookie is ever exposed.
#3 Add requireAuth middleware to all proxy routes (/api/emby,
    /api/sabnzbd, /api/sonarr, /api/radarr) — previously unauthenticated,
    now require a valid emby_user session cookie.
#4 Remove open CORS wildcard (cors() with no options). The frontend
    is served from the same origin so no CORS headers are required.
    Also update clearCookie() to include matching cookie options.
This commit is contained in:
Gronod
2026-05-16 15:07:50 +01:00
parent 2137f65766
commit 83049786eb
8 changed files with 36 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
server/routes/auth.js
View File

@@ -37,14 +37,16 @@ router.post('/login', async (req, res) => {
console.log(`[Auth] Login successful for user: ${user.Name}`);
// Set authentication cookie
// Note: token is intentionally excluded from the cookie — it is not needed client-side
const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
res.cookie('emby_user', JSON.stringify({
id: user.Id,
name: user.Name,
isAdmin: isAdmin,
token: authData.AccessToken
isAdmin: isAdmin
}), {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 24 * 60 * 60 * 1000 // 24 hours
});
@@ -91,7 +93,11 @@ router.get('/me', (req, res) => {
// Logout
router.post('/logout', (req, res) => {
res.clearCookie('emby_user');
res.clearCookie('emby_user', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict'
});
res.json({ success: true });
});

3
server/routes/emby.js
View File

@@ -1,10 +1,13 @@
const express = require('express');
const axios = require('axios');
const router = express.Router();
const requireAuth = require('../middleware/requireAuth');
const EMBY_URL = process.env.EMBY_URL;
const EMBY_API_KEY = process.env.EMBY_API_KEY;
router.use(requireAuth);
// Get active sessions
router.get('/sessions', async (req, res) => {
try {

3
server/routes/radarr.js
View File

@@ -1,10 +1,13 @@
const express = require('express');
const axios = require('axios');
const router = express.Router();
const requireAuth = require('../middleware/requireAuth');
const RADARR_URL = process.env.RADARR_URL;
const RADARR_API_KEY = process.env.RADARR_API_KEY;
router.use(requireAuth);
// Get queue
router.get('/queue', async (req, res) => {
try {

3
server/routes/sabnzbd.js
View File

@@ -1,10 +1,13 @@
const express = require('express');
const axios = require('axios');
const router = express.Router();
const requireAuth = require('../middleware/requireAuth');
const SABNZBD_URL = process.env.SABNZBD_URL;
const SABNZBD_API_KEY = process.env.SABNZBD_API_KEY;
router.use(requireAuth);
// Get current queue
router.get('/queue', async (req, res) => {
try {

3
server/routes/sonarr.js
View File

@@ -1,10 +1,13 @@
const express = require('express');
const axios = require('axios');
const router = express.Router();
const requireAuth = require('../middleware/requireAuth');
const SONARR_URL = process.env.SONARR_URL;
const SONARR_API_KEY = process.env.SONARR_API_KEY;
router.use(requireAuth);
// Get queue
router.get('/queue', async (req, res) => {
try {