Gronod
83049786eb
All checks were successful
Build and Push Docker Image / build (push) Successful in 39s
#1 Session cookie: add secure (production-only) and sameSite=strict to prevent transmission over HTTP and cross-site request abuse. #2 Remove Emby AccessToken from cookie payload — it was stored in the browser cookie but is never needed client-side; reduces blast radius if cookie is ever exposed. #3 Add requireAuth middleware to all proxy routes (/api/emby, /api/sabnzbd, /api/sonarr, /api/radarr) — previously unauthenticated, now require a valid emby_user session cookie. #4 Remove open CORS wildcard (cors() with no options). The frontend is served from the same origin so no CORS headers are required. Also update clearCookie() to include matching cookie options.
70 lines
2.0 KiB
JavaScript
70 lines
2.0 KiB
JavaScript
const express = require('express');
|
|
const axios = require('axios');
|
|
const router = express.Router();
|
|
const requireAuth = require('../middleware/requireAuth');
|
|
|
|
const EMBY_URL = process.env.EMBY_URL;
|
|
const EMBY_API_KEY = process.env.EMBY_API_KEY;
|
|
|
|
router.use(requireAuth);
|
|
|
|
// Get active sessions
|
|
router.get('/sessions', async (req, res) => {
|
|
try {
|
|
const response = await axios.get(`${EMBY_URL}/Sessions`, {
|
|
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
|
});
|
|
res.json(response.data);
|
|
} catch (error) {
|
|
res.status(500).json({ error: 'Failed to fetch Emby sessions', details: error.message });
|
|
}
|
|
});
|
|
|
|
// Get user by ID
|
|
router.get('/users/:id', async (req, res) => {
|
|
try {
|
|
const response = await axios.get(`${EMBY_URL}/Users/${req.params.id}`, {
|
|
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
|
});
|
|
res.json(response.data);
|
|
} catch (error) {
|
|
res.status(500).json({ error: 'Failed to fetch user details', details: error.message });
|
|
}
|
|
});
|
|
|
|
// Get all users
|
|
router.get('/users', async (req, res) => {
|
|
try {
|
|
const response = await axios.get(`${EMBY_URL}/Users`, {
|
|
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
|
});
|
|
res.json(response.data);
|
|
} catch (error) {
|
|
res.status(500).json({ error: 'Failed to fetch users', details: error.message });
|
|
}
|
|
});
|
|
|
|
// Get current user by session ID
|
|
router.get('/session/:sessionId/user', async (req, res) => {
|
|
try {
|
|
const response = await axios.get(`${EMBY_URL}/Sessions`, {
|
|
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
|
});
|
|
|
|
const session = response.data.find(s => s.Id === req.params.sessionId);
|
|
if (!session) {
|
|
return res.status(404).json({ error: 'Session not found' });
|
|
}
|
|
|
|
const userResponse = await axios.get(`${EMBY_URL}/Users/${session.UserId}`, {
|
|
headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
|
|
});
|
|
|
|
res.json(userResponse.data);
|
|
} catch (error) {
|
|
res.status(500).json({ error: 'Failed to fetch user from session', details: error.message });
|
|
}
|
|
});
|
|
|
|
module.exports = router;
|