mirrors/navidrome
1
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2025-04-04 21:17:37 +03:00
Code Issues Projects Releases Packages Wiki Activity
4095 commits 27 branches 102 tags 76 MiB
Commit graph

43 commits

Author SHA1 Message Date
Deluan
09ae41a2da sec(subsonic): authentication bypass in Subsonic API with non-existent username 
Signed-off-by: Deluan <deluan@navidrome.org>
 2025-02-20 20:14:19 -05:00
Deluan Quintão
47e3fdb1b8
fix(server): do not try to validate credentials if the request is canceled (#3650) 
Signed-off-by: Deluan <deluan@navidrome.org>
 2025-01-16 20:32:11 -05:00
Deluan Quintão
a9334b7787
feat(ui): show user's lastAccess (#3342) 
* feat(server): update user's lastAccess

* feat(ui): show user's lastAccess
 2024-09-30 20:46:10 -04:00
Deluan
b4ef1b1e38 Replace gg.If with cmp.Or 2024-06-05 22:48:00 -04:00
crazygolem
1e96b858a9
Add support for Reverse Proxy auth in Subsonic endpoints (#2558) 
* feat(subsonic): Add support for Reverse Proxy auth - #2557

Signed-off-by: Jeremiah Menétrey <superjun1@gmail.com>

* Small refactoring

---------

Signed-off-by: Jeremiah Menétrey <superjun1@gmail.com>
Co-authored-by: Deluan Quintão <deluan@navidrome.org>
 2024-04-27 13:47:42 -04:00
crazygolem
18143fa5a1
Use the RealIP middleware also behind a reverse proxy (#2858) 
* Use the RealIP middleware only behind a reverse proxy

* Fix proxy ip source in tests

* Fix test for PR#2087

The PR did not update the test after changing the behavior, but the test still
passed because another condition was preventing the user from being created in
the test.

* Use RealIP even without a trusted reverse proxy

* Use own type for context key

* Fix casing to follow go's conventions

* Do not apply RealIP middleware twice

* Fix IP source in logs

The most interesting data point in the log message is the proxy's IP, but
having the client IP too can help identify integration issues.
 2024-04-25 20:43:58 -04:00
Deluan
dfcc189cff Replace all utils.Param* with req.Params 2023-12-21 17:41:09 -05:00
Deluan
b998c05ca0 Some refactorings 2023-03-26 21:28:37 -04:00
Deluan
10108c63c9 Allow BaseURL to contain full server url, including scheme and host. Fix #2183 2023-02-15 21:13:38 -05:00
Deluan
aac6e2cb07 Add path to cookies. Fix #1580 2023-02-15 20:23:32 -05:00
Deluan
6489dd4478 Fix overriding previous logger in context 2022-12-14 11:50:16 -05:00
Deluan
982b604500 Add username to authenticated log messages 2022-12-14 09:35:30 -05:00
Deluan
9c433b5d68 Add missing context to logger calls 2022-11-04 11:30:12 -04:00
Deluan
db67c1277e Fix error comparisons 2022-09-30 18:54:25 -04:00
Manuel
72cde6dfde
fix:(middlewares.go) - Set Cookie SameSite mode to Strict - 1776 (#1777) 
* None is deprecated and will fallback to Lax in the future.
* Using Strict is future proof and provides additional CSR protection

Signed-off-by: Manuel Kroeber <manuel.kroeber@gmail.com>

Signed-off-by: Manuel Kroeber <manuel.kroeber@gmail.com>
 2022-09-27 17:58:47 -04:00
Deluan
8cd405d15e Add IP to Subsonic API's invalid login log messages. Closes #1814 2022-07-25 23:54:49 -04:00
Deluan
97434c1789 Fix GetNowPlaying endpoint showing only the last play 2021-06-20 10:39:19 -04:00
Deluan Quintão
66b74c81f1
Encrypt passwords in DB (#1187) 
* Encode/Encrypt passwords in DB

* Only decrypts passwords if it is necessary

* Add tests for encryption functions
 2021-06-18 18:38:38 -04:00
Deluan
b65e76293a Only send events to clients who need it 
- User events (star, rating, plays) only sent to same user
- Don't send to the client (browser window) that originated the event
 2021-06-15 18:59:26 -04:00
Deluan
6ee45a9ccc Move project to Navidrome GitHub organization 2021-02-06 21:46:35 -05:00
Deluan
4777cf0aba Simplify error responses 2020-10-27 15:33:28 -04:00
Deluan
d0bf37a8a9 Move mock datastore to tests package 2020-10-27 15:23:49 -04:00
Deluan
596a4897a3 Do not force username to always be lowercase in the DB 2020-09-01 18:00:19 -04:00
Deluan
100f6a0645 Removed engine.Users 2020-08-14 12:10:37 -04:00
Deluan
c271aa24d1 Make all Subsonic helper functions private 2020-08-14 12:10:37 -04:00
Deluan
df05760769 Move engine package under subsonic, as it should only be used by the Subsonic API.master 
The idea is to move reusable code from `engine` to `core`, in future refactorings
 2020-08-04 21:29:35 -04:00
Deluan
a6af46dbad Always use lowercase username, as it is used for referential integrity. Fixes #352 2020-06-14 20:20:10 -04:00
Deluan
f8362a4acb Fix staticcheck's SA1029 2020-05-13 16:49:55 -04:00
Deluan
a17a98a75f Log API requests and responses at Debug level 2020-04-05 23:57:04 -04:00
Deluan
0ba5840a65 Don't set a playerId cookie it cannot register the player 2020-04-04 20:26:36 -04:00
Deluan
39993810b3 feat: add transcodedSuffix to Subsonic API responses 2020-03-17 15:20:35 -04:00
Deluan
da36941252 feat: better getPlayer middleware setup 2020-03-17 15:20:35 -04:00
Deluan
8ec78900c5 feat: transcoding and player datastores and configuration 2020-03-17 15:20:35 -04:00
Deluan
fc06163b5a refactor: remove superfluous (and untested) code 2020-03-02 09:37:47 -05:00
Deluan
8673533cd4 refactor: move request param extractors to utils 2020-02-06 18:55:38 -05:00
Deluan
abb99a8501 feat: add authentication via JWT token 2020-02-06 18:41:34 -05:00
Deluan
203754726b refactor: better request logging 2020-02-01 20:07:15 -05:00
Deluan
1278863416 feat: support clients that send the API params as a x-www-form-urlencoded POST 2020-01-27 15:10:46 -05:00
Deluan
bee55c04c8 Rename project to Navidrome 2020-01-23 19:44:08 -05:00
Deluan
f0ee41a8af Add context to all methods in engine layer 2020-01-22 08:39:57 -05:00
Deluan
2cc983638c Add authenticated user to context 2020-01-20 18:12:17 -05:00
Deluan
99c28731d4 Authenticate Subsonic API calls using the DB 2020-01-20 13:42:43 -05:00
Deluan
7610b42f4b Moved package api to subsonic under server 2020-01-19 18:23:09 -05:00
Renamed from api/middlewares.go (Browse further)