Gronod
bdbbcabfbc
Container (Dockerfile):
- Multi-stage build (deps + runtime) for minimal attack surface
- Upgrade base image from node:18-alpine to node:22-alpine
- Run as non-root 'node' user (UID 1000); source files owned by root
- /app/data directory owned by node for SQLite + logs
- Docker HEALTHCHECK: wget /health every 30s
docker-compose.yaml:
- Port bound to 127.0.0.1 only (expose via reverse proxy)
- read_only: true filesystem; /tmp tmpfs for Node.js
- no-new-privileges:true, cap_drop: ALL
- Named volume sofarr-data for persistent data
- TRUST_PROXY, COOKIE_SECRET, NODE_ENV added
Helmet v7 + CSP nonce:
- Upgrade helmet@4 → helmet@7, express-rate-limit@6 → @7
- CSP with per-request nonce injected into index.html script/link tags
(replaces blanket unsafe-inline; nonce changes every request)
- HSTS: max-age=1yr, includeSubDomains, preload
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera/mic/geolocation/payment/usb all off
- index.html served dynamically with nonce injection; static assets
served normally via express.static({index:false})
Trust proxy:
- TRUST_PROXY env var configures app.set('trust proxy') so rate
limiting and secure cookies work correctly behind Nginx/Caddy
Session & auth:
- Token store migrated from in-memory Map to SQLite via better-sqlite3
(server/utils/tokenStore.js): survives restarts, WAL mode, 31-day TTL
- CSRF double-submit cookie pattern (server/middleware/verifyCsrf.js):
POST/PUT/PATCH/DELETE on /api/* require X-CSRF-Token header matching
the csrf_token cookie; timing-safe comparison
- CSRF token issued on login + GET /api/auth/csrf; cleared on logout
- Login input validation: username/password length + type checked before
hitting Emby
- skipSuccessfulRequests:true on login rate limiter (only count failures)
- express.json({ limit: '64kb' }) to reject oversized payloads
Rate limiting:
- General API limiter: 300 req/15min per IP on all /api/* routes
- Login limiter unchanged (10 failures/15min) but now only counts fails
Logging:
- Log file moved from /app/server.log to DATA_DIR/server.log (writable
by non-root node user in container)
- Size-based rotation: rotate at 10 MB, keep 3 files (server.log.1-3)
- DATA_DIR defaults to ./data locally, /app/data in container
Error handling:
- Global Express error handler: catches unhandled errors, logs message,
returns generic 500 (no stack traces to clients)
Health/readiness:
- GET /health: returns {status:'ok', uptime:N} — used by HEALTHCHECK
- GET /ready: returns 503 if EMBY_URL not configured
Error sanitization (sanitizeError.js):
- Added patterns for password= params, bearer tokens, Basic auth in URLs
Supply chain:
- Remove unused cors dependency
- add better-sqlite3@^9
- CI: upgrade to Node 22, raise audit level to --audit-level=high
- .gitignore: add data/, *.db, *.db-wal, *.db-shm
Docs:
- SECURITY.md: threat model, hardening checklist, proxy examples,
header table, rate limit table, Docker secrets guidance
- .env.example + .env.sample: TRUST_PROXY, DATA_DIR documented
183 lines
6.3 KiB
JavaScript
183 lines
6.3 KiB
JavaScript
const express = require('express');
|
|
const axios = require('axios');
|
|
const crypto = require('crypto');
|
|
const rateLimit = require('express-rate-limit');
|
|
const router = express.Router();
|
|
|
|
// Persistent SQLite-backed token store — survives restarts
|
|
const { storeToken, getToken, clearToken } = require('../utils/tokenStore');
|
|
|
|
const EMBY_URL = process.env.EMBY_URL;
|
|
|
|
|
|
// Strict login limiter: 10 attempts per 15 min, then locked for the window
|
|
const loginLimiter = rateLimit({
|
|
windowMs: 15 * 60 * 1000,
|
|
max: 10,
|
|
standardHeaders: true,
|
|
legacyHeaders: false,
|
|
skipSuccessfulRequests: true, // only count failures toward the limit
|
|
message: { success: false, error: 'Too many login attempts, please try again later' }
|
|
});
|
|
|
|
// Authenticate user with Emby
|
|
router.post('/login', loginLimiter, async (req, res) => {
|
|
try {
|
|
const { username, password, rememberMe } = req.body;
|
|
|
|
// Input validation — reject obviously invalid inputs before hitting Emby
|
|
if (typeof username !== 'string' || username.trim().length === 0 || username.length > 128) {
|
|
return res.status(400).json({ success: false, error: 'Invalid username' });
|
|
}
|
|
if (typeof password !== 'string' || password.length === 0 || password.length > 256) {
|
|
return res.status(400).json({ success: false, error: 'Invalid password' });
|
|
}
|
|
|
|
console.log(`[Auth] Attempting login for user: ${username.trim()}`);
|
|
|
|
// Authenticate with Emby using a stable DeviceId derived from the username.
|
|
// Using a deterministic DeviceId causes Emby to reuse the existing session
|
|
// for this device rather than creating a new one on each login.
|
|
const stableDeviceId = 'sofarr-' + crypto.createHash('sha256').update(username.trim().toLowerCase()).digest('hex').slice(0, 16);
|
|
const authResponse = await axios.post(`${EMBY_URL}/Users/authenticatebyname`, {
|
|
Username: username.trim(),
|
|
Pw: password
|
|
}, {
|
|
headers: {
|
|
'X-Emby-Authorization': `MediaBrowser Client="sofarr", Device="sofarr", DeviceId="${stableDeviceId}", Version="1.0.0"`
|
|
}
|
|
});
|
|
|
|
const authData = authResponse.data;
|
|
|
|
// Get user info using the access token
|
|
const userResponse = await axios.get(`${EMBY_URL}/Users/${authData.User.Id || authData.User.id}`, {
|
|
headers: {
|
|
'X-MediaBrowser-Token': authData.AccessToken
|
|
}
|
|
});
|
|
|
|
const user = userResponse.data;
|
|
const isAdmin = !!(user.Policy && user.Policy.IsAdministrator);
|
|
console.log(`[Auth] Login successful for user: ${user.Name}, isAdmin: ${isAdmin}`);
|
|
|
|
// Store token server-side; it is never sent to the client.
|
|
storeToken(user.Id, authData.AccessToken);
|
|
|
|
// Set authentication cookie (signed when COOKIE_SECRET is set).
|
|
// rememberMe=true → persistent cookie, expires in 30 days
|
|
// rememberMe=false → session cookie, expires when browser closes
|
|
// secure is always true — the app should sit behind HTTPS in production;
|
|
// behind a reverse proxy set TRUST_PROXY=1 so req.secure works correctly.
|
|
const cookiePayload = JSON.stringify({ id: user.Id, name: user.Name, isAdmin });
|
|
const signed = !!process.env.COOKIE_SECRET;
|
|
const cookieOptions = {
|
|
httpOnly: true,
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'strict',
|
|
signed,
|
|
path: '/'
|
|
};
|
|
if (rememberMe) {
|
|
cookieOptions.maxAge = 30 * 24 * 60 * 60 * 1000; // 30 days
|
|
}
|
|
res.cookie('emby_user', cookiePayload, cookieOptions);
|
|
|
|
// Issue a CSRF token tied to this session so state-changing endpoints
|
|
// can validate the double-submit cookie pattern
|
|
const csrfToken = crypto.randomBytes(32).toString('hex');
|
|
res.cookie('csrf_token', csrfToken, {
|
|
httpOnly: false, // intentionally readable by JS for the double-submit pattern
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'strict',
|
|
path: '/'
|
|
});
|
|
|
|
res.json({
|
|
success: true,
|
|
user: { id: user.Id, name: user.Name, isAdmin },
|
|
csrfToken
|
|
});
|
|
} catch (error) {
|
|
console.error(`[Auth] Login failed:`, error.message);
|
|
res.status(401).json({
|
|
success: false,
|
|
error: 'Invalid username or password'
|
|
});
|
|
}
|
|
});
|
|
|
|
function parseSessionCookie(req) {
|
|
const signed = !!process.env.COOKIE_SECRET;
|
|
const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
|
|
if (!raw || raw === false) return null; // false = tampered signed cookie
|
|
try {
|
|
const u = JSON.parse(raw);
|
|
// Schema validation: require id (string), name (string), isAdmin (boolean)
|
|
if (typeof u.id !== 'string' || !u.id) return null;
|
|
if (typeof u.name !== 'string' || !u.name) return null;
|
|
if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
|
|
return u;
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
// Get current authenticated user
|
|
router.get('/me', (req, res) => {
|
|
const user = parseSessionCookie(req);
|
|
if (!user) return res.json({ authenticated: false });
|
|
res.json({
|
|
authenticated: true,
|
|
user: { id: user.id, name: user.name, isAdmin: user.isAdmin }
|
|
});
|
|
});
|
|
|
|
// CSRF token refresh — lets the SPA get a new token without re-logging-in
|
|
// (e.g. after a page reload where the JS variable was lost)
|
|
router.get('/csrf', (req, res) => {
|
|
const csrfToken = crypto.randomBytes(32).toString('hex');
|
|
res.cookie('csrf_token', csrfToken, {
|
|
httpOnly: false,
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'strict',
|
|
path: '/'
|
|
});
|
|
res.json({ csrfToken });
|
|
});
|
|
|
|
// Logout
|
|
router.post('/logout', async (req, res) => {
|
|
const user = parseSessionCookie(req);
|
|
if (user) {
|
|
const stored = getToken(user.id);
|
|
if (stored) {
|
|
try {
|
|
await axios.post(`${EMBY_URL}/Sessions/Logout`, {}, {
|
|
headers: { 'X-MediaBrowser-Token': stored.accessToken }
|
|
});
|
|
console.log(`[Auth] Revoked Emby token for user: ${user.name}`);
|
|
} catch (err) {
|
|
console.warn(`[Auth] Failed to revoke Emby token for ${user.name}:`, err.message);
|
|
}
|
|
clearToken(user.id);
|
|
}
|
|
}
|
|
res.clearCookie('emby_user', {
|
|
httpOnly: true,
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'strict',
|
|
signed: !!process.env.COOKIE_SECRET,
|
|
path: '/'
|
|
});
|
|
res.clearCookie('csrf_token', {
|
|
httpOnly: false,
|
|
secure: process.env.NODE_ENV === 'production',
|
|
sameSite: 'strict',
|
|
path: '/'
|
|
});
|
|
res.json({ success: true });
|
|
});
|
|
|
|
module.exports = router;
|