fix(security #7,#8,#9): signed cookies, isAdmin tamper-proof, schema validation

#7 isAdmin trusted from unsigned cookie: - isAdmin is derived server-side from Emby Policy at login time - Cookie is now signed (HMAC) when COOKIE_SECRET env var is set; Express rejects tampered signatures (signedCookies returns false) - dashboard.js /user-downloads and /status now use requireAuth middleware (req.user) instead of re-parsing cookie directly #8 cookie-parser used without signing secret: - cookieParser(COOKIE_SECRET) in index.js when env var is set - Hard-fails at startup in production if COOKIE_SECRET unset - Warns in development #9 Cookie JSON parsed without schema validation: - parseSessionCookie() in auth.js and requireAuth.js both validate: id (non-empty string), name (non-empty string), isAdmin (boolean) - Invalid/tampered cookies return null / 401 respectively
2026-05-16 16:20:37 +01:00
parent 1eadb30481
commit d8584d0511
4 changed files with 55 additions and 47 deletions
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -40,17 +40,17 @@ router.post('/login', loginLimiter, async (req, res) => {
    const user = userResponse.data;
    console.log(`[Auth] Login successful for user: ${user.Name}, isAdmin: ${!!(user.Policy && user.Policy.IsAdministrator)}`);
    
-    // Set authentication cookie
-    // Note: token is intentionally excluded from the cookie — it is not needed client-side
+    // Set authentication cookie.
+    // Note: token is intentionally excluded from the cookie — it is not needed client-side.
+    // Cookie is signed when COOKIE_SECRET is set (recommended in production).
    const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
-    res.cookie('emby_user', JSON.stringify({
-      id: user.Id,
-      name: user.Name,
-      isAdmin: isAdmin
-    }), {
+    const cookiePayload = JSON.stringify({ id: user.Id, name: user.Name, isAdmin });
+    const signed = !!process.env.COOKIE_SECRET;
+    res.cookie('emby_user', cookiePayload, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'strict',
+      signed,
      maxAge: 24 * 60 * 60 * 1000 // 24 hours
    });
    
@@ -71,28 +71,30 @@ router.post('/login', loginLimiter, async (req, res) => {
  }
 });

+function parseSessionCookie(req) {
+  const signed = !!process.env.COOKIE_SECRET;
+  const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
+  if (!raw || raw === false) return null; // false = tampered signed cookie
+  try {
+    const u = JSON.parse(raw);
+    // Schema validation: require id (string), name (string), isAdmin (boolean)
+    if (typeof u.id !== 'string' || !u.id) return null;
+    if (typeof u.name !== 'string' || !u.name) return null;
+    if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
+    return u;
+  } catch {
+    return null;
+  }
+}
+
 // Get current authenticated user
 router.get('/me', (req, res) => {
-  try {
-    const userCookie = req.cookies.emby_user;
-    
-    if (!userCookie) {
-      return res.json({ authenticated: false });
-    }
-    
-    const user = JSON.parse(userCookie);
-    res.json({
-      authenticated: true,
-      user: {
-        id: user.id,
-        name: user.name,
-        isAdmin: !!user.isAdmin
-      }
-    });
-  } catch (error) {
-    console.error(`[Auth] Error getting current user:`, error.message);
-    res.json({ authenticated: false });
-  }
+  const user = parseSessionCookie(req);
+  if (!user) return res.json({ authenticated: false });
+  res.json({
+    authenticated: true,
+    user: { id: user.id, name: user.name, isAdmin: user.isAdmin }
+  });
 });

 // Logout
@@ -100,7 +102,8 @@ router.post('/logout', (req, res) => {
  res.clearCookie('emby_user', {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'strict'
+    sameSite: 'strict',
+    signed: !!process.env.COOKIE_SECRET
  });
  res.json({ success: true });
 });