#7 isAdmin trusted from unsigned cookie:
- isAdmin is derived server-side from Emby Policy at login time
- Cookie is now signed (HMAC) when COOKIE_SECRET env var is set; Express rejects tampered signatures (signedCookies returns false)
- dashboard.js /user-downloads and /status now use requireAuth middleware (req.user) instead of re-parsing cookie directly

#8 cookie-parser used without signing secret:
- cookieParser(COOKIE_SECRET) in index.js when env var is set
- Hard-fails at startup in production if COOKIE_SECRET unset
- Warns in development

#9 Cookie JSON parsed without schema validation:
- parseSessionCookie() in auth.js and requireAuth.js both validate: id (non-empty string), name (non-empty string), isAdmin (boolean)
- Invalid/tampered cookies return null / 401 respectively
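An added example, not the project's own code: a minimal sketch of the two checks the commit message describes, signature verification followed by schema validation of the session JSON. The helper names `sign`, `unsign` and `validateSessionCookie`, the `payload.hexmac` layout and the secret value are assumptions made for illustration and do not reproduce cookie-parser's wire format.

```javascript
const crypto = require('crypto');

// Constructed demo secret; in the commit this role is played by COOKIE_SECRET.
const SECRET = 'constructed-demo-secret';

// Hypothetical helper: append a hex HMAC-SHA256 of the payload after a dot.
function sign(payload, secret) {
  const mac = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return `${payload}.${mac}`;
}

// Returns the payload when the MAC verifies, otherwise false.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.'); // hex MAC contains no dots
  if (idx < 0) return false;
  const payload = signed.slice(0, idx);
  const expected = Buffer.from(sign(payload, secret));
  const actual = Buffer.from(signed);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== actual.length) return false;
  return crypto.timingSafeEqual(expected, actual) ? payload : false;
}

// Hypothetical validator: returns a clean session object or null.
function validateSessionCookie(signed, secret) {
  if (typeof signed !== 'string') return null;
  const payload = unsign(signed, secret);
  if (payload === false) return null; // tampered or unsigned
  let obj;
  try {
    obj = JSON.parse(payload);
  } catch {
    return null; // not JSON
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  const { id, name, isAdmin } = obj;
  if (typeof id !== 'string' || id.length === 0) return null;
  if (typeof name !== 'string' || name.length === 0) return null;
  if (typeof isAdmin !== 'boolean') return null; // "true" (string) is rejected
  // Copy only the validated fields so extra keys never reach req.user.
  return { id, name, isAdmin };
}

// Constructed sample: a non-admin session, then the same cookie with isAdmin flipped.
const good = sign(JSON.stringify({ id: 'u1', name: 'alice', isAdmin: false }), SECRET);
const tampered = good.replace('"isAdmin":false', '"isAdmin":true');
console.log(validateSessionCookie(good, SECRET), validateSessionCookie(tampered, SECRET));
```

Both checks are needed: the signature stops a client from editing `isAdmin`, and the schema check stops a validly signed but malformed payload from reaching the authorization logic.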