Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity
Files
031877e6a062c8ab99ba5b7280f446588509d0ce
sofarr/server/routes/auth.js
Gronod bdfb042527 fix(security #13,#14): revoke Emby token on logout; stable DeviceId prevents unbounded sessions 
#13 Logout doesn't revoke Emby token:
  - Added in-memory tokenStore (userId -> { accessToken })
  - AccessToken stored server-side after successful login; never sent
    to client
  - POST /logout calls Emby POST /Sessions/Logout with the stored
    token before clearing it; failure is warned but does not block
    the local cookie clear

#14 Unbounded Emby session creation per login:
  - DeviceId in the Emby auth request is now a stable SHA-256 hash
    of the lowercase username (sofarr-<16 hex chars>)
  - Emby treats the same DeviceId as the same device and reuses the
    existing session slot instead of creating a new one each login
2026-05-16 16:25:05 +01:00

147 lines
4.5 KiB
JavaScript
Raw Blame History

const express = require('express');
const axios = require('axios');
const crypto = require('crypto');
const rateLimit = require('express-rate-limit');
const router = express.Router();
const EMBY_URL = process.env.EMBY_URL;
// Server-side token store: userId -> { accessToken }
// Keeps AccessToken off the client; required for logout revocation.
const tokenStore = new Map();
function storeToken(userId, accessToken) {
tokenStore.set(userId, { accessToken });
}
function getToken(userId) {
return tokenStore.get(userId) || null;
}
function clearToken(userId) {
tokenStore.delete(userId);
}
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 10,
standardHeaders: true,
legacyHeaders: false,
message: { success: false, error: 'Too many login attempts, please try again later' }
});
// Authenticate user with Emby
router.post('/login', loginLimiter, async (req, res) => {
try {
const { username, password } = req.body;
console.log(`[Auth] Attempting login for user: ${username}`);
// Authenticate with Emby using a stable DeviceId derived from the username.
// Using a deterministic DeviceId causes Emby to reuse the existing session
// for this device rather than creating a new one on each login.
const stableDeviceId = 'sofarr-' + crypto.createHash('sha256').update(username.toLowerCase()).digest('hex').slice(0, 16);
const authResponse = await axios.post(`${EMBY_URL}/Users/authenticatebyname`, {
Username: username,
Pw: password
}, {
headers: {
'X-Emby-Authorization': `MediaBrowser Client="sofarr", Device="sofarr", DeviceId="${stableDeviceId}", Version="1.0.0"`
}
});
const authData = authResponse.data;
// Get user info using the access token
const userResponse = await axios.get(`${EMBY_URL}/Users/${authData.User.Id || authData.User.id}`, {
headers: {
'X-MediaBrowser-Token': authData.AccessToken
}
});
const user = userResponse.data;
const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
console.log(`[Auth] Login successful for user: ${user.Name}, isAdmin: ${isAdmin}`);
// Store token server-side; it is never sent to the client.
storeToken(user.Id, authData.AccessToken);
// Set authentication cookie (signed when COOKIE_SECRET is set).
const cookiePayload = JSON.stringify({ id: user.Id, name: user.Name, isAdmin });
const signed = !!process.env.COOKIE_SECRET;
res.cookie('emby_user', cookiePayload, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
signed,
maxAge: 24 * 60 * 60 * 1000 // 24 hours
});
res.json({
success: true,
user: { id: user.Id, name: user.Name, isAdmin }
});
} catch (error) {
console.error(`[Auth] Login failed:`, error.message);
res.status(401).json({
success: false,
error: 'Invalid username or password'
});
}
});
function parseSessionCookie(req) {
const signed = !!process.env.COOKIE_SECRET;
const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
if (!raw || raw === false) return null; // false = tampered signed cookie
try {
const u = JSON.parse(raw);
// Schema validation: require id (string), name (string), isAdmin (boolean)
if (typeof u.id !== 'string' || !u.id) return null;
if (typeof u.name !== 'string' || !u.name) return null;
if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
return u;
} catch {
return null;
}
}
// Get current authenticated user
router.get('/me', (req, res) => {
const user = parseSessionCookie(req);
if (!user) return res.json({ authenticated: false });
res.json({
authenticated: true,
user: { id: user.id, name: user.name, isAdmin: user.isAdmin }
});
});
// Logout
router.post('/logout', async (req, res) => {
const user = parseSessionCookie(req);
if (user) {
const stored = getToken(user.id);
if (stored) {
try {
await axios.post(`${EMBY_URL}/Sessions/Logout`, {}, {
headers: { 'X-MediaBrowser-Token': stored.accessToken }
});
console.log(`[Auth] Revoked Emby token for user: ${user.name}`);
} catch (err) {
console.warn(`[Auth] Failed to revoke Emby token for ${user.name}:`, err.message);
}
clearToken(user.id);
}
}
res.clearCookie('emby_user', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
signed: !!process.env.COOKIE_SECRET
});
res.json({ success: true });
});
module.exports = router;
Reference in New Issue View Git Blame Copy Permalink