Merge branch 'advplyr:master' into master

2026-01-02 17:19:36 +00:00 · 2025-07-28 21:08:52 +02:00 · 2025-07-28 21:08:52 +02:00 · 8321ba6291
commit 8321ba6291
parent f1a0e54c04 0107cb4782
138 changed files with 6154 additions and 1541 deletions
--- a/server/controllers/ApiKeyController.js
+++ b/server/controllers/ApiKeyController.js
@ -0,0 +1,207 @@
+const { Request, Response, NextFunction } = require('express')
+const uuidv4 = require('uuid').v4
+const Logger = require('../Logger')
+const Database = require('../Database')
+
+/**
+ * @typedef RequestUserObject
+ * @property {import('../models/User')} user
+ *
+ * @typedef {Request & RequestUserObject} RequestWithUser
+ */
+
+class ApiKeyController {
+  constructor() {}
+
+  /**
+   * GET: /api/api-keys
+   *
+   * @param {RequestWithUser} req
+   * @param {Response} res
+   */
+  async getAll(req, res) {
+    const apiKeys = await Database.apiKeyModel.findAll({
+      include: [
+        {
+          model: Database.userModel,
+          attributes: ['id', 'username', 'type']
+        },
+        {
+          model: Database.userModel,
+          as: 'createdByUser',
+          attributes: ['id', 'username', 'type']
+        }
+      ]
+    })
+
+    return res.json({
+      apiKeys: apiKeys.map((a) => a.toJSON())
+    })
+  }
+
+  /**
+   * POST: /api/api-keys
+   *
+   * @this {import('../routers/ApiRouter')}
+   *
+   * @param {RequestWithUser} req
+   * @param {Response} res
+   */
+  async create(req, res) {
+    if (!req.body.name || typeof req.body.name !== 'string') {
+      Logger.warn(`[ApiKeyController] create: Invalid name: ${req.body.name}`)
+      return res.sendStatus(400)
+    }
+    if (req.body.expiresIn && (typeof req.body.expiresIn !== 'number' || req.body.expiresIn <= 0)) {
+      Logger.warn(`[ApiKeyController] create: Invalid expiresIn: ${req.body.expiresIn}`)
+      return res.sendStatus(400)
+    }
+    if (!req.body.userId || typeof req.body.userId !== 'string') {
+      Logger.warn(`[ApiKeyController] create: Invalid userId: ${req.body.userId}`)
+      return res.sendStatus(400)
+    }
+    const user = await Database.userModel.getUserById(req.body.userId)
+    if (!user) {
+      Logger.warn(`[ApiKeyController] create: User not found: ${req.body.userId}`)
+      return res.sendStatus(400)
+    }
+    if (user.type === 'root' && !req.user.isRoot) {
+      Logger.warn(`[ApiKeyController] create: Root user API key cannot be created by non-root user`)
+      return res.sendStatus(403)
+    }
+
+    const keyId = uuidv4() // Generate key id ahead of time to use in JWT
+    const apiKey = await Database.apiKeyModel.generateApiKey(this.auth.tokenManager.TokenSecret, keyId, req.body.name, req.body.expiresIn)
+
+    if (!apiKey) {
+      Logger.error(`[ApiKeyController] create: Error generating API key`)
+      return res.sendStatus(500)
+    }
+
+    // Calculate expiration time for the api key
+    const expiresAt = req.body.expiresIn ? new Date(Date.now() + req.body.expiresIn * 1000) : null
+
+    const apiKeyInstance = await Database.apiKeyModel.create({
+      id: keyId,
+      name: req.body.name,
+      expiresAt,
+      userId: req.body.userId,
+      isActive: !!req.body.isActive,
+      createdByUserId: req.user.id
+    })
+    apiKeyInstance.dataValues.user = await apiKeyInstance.getUser({
+      attributes: ['id', 'username', 'type']
+    })
+
+    Logger.info(`[ApiKeyController] Created API key "${apiKeyInstance.name}"`)
+    return res.json({
+      apiKey: {
+        apiKey, // Actual key only shown to user on creation
+        ...apiKeyInstance.toJSON()
+      }
+    })
+  }
+
+  /**
+   * PATCH: /api/api-keys/:id
+   * Only isActive and userId can be updated because name and expiresIn are in the JWT
+   *
+   * @param {RequestWithUser} req
+   * @param {Response} res
+   */
+  async update(req, res) {
+    const apiKey = await Database.apiKeyModel.findByPk(req.params.id, {
+      include: {
+        model: Database.userModel
+      }
+    })
+    if (!apiKey) {
+      return res.sendStatus(404)
+    }
+    // Only root user can update root user API keys
+    if (apiKey.user.type === 'root' && !req.user.isRoot) {
+      Logger.warn(`[ApiKeyController] update: Root user API key cannot be updated by non-root user`)
+      return res.sendStatus(403)
+    }
+
+    let hasUpdates = false
+    if (req.body.userId !== undefined) {
+      if (typeof req.body.userId !== 'string') {
+        Logger.warn(`[ApiKeyController] update: Invalid userId: ${req.body.userId}`)
+        return res.sendStatus(400)
+      }
+      const user = await Database.userModel.getUserById(req.body.userId)
+      if (!user) {
+        Logger.warn(`[ApiKeyController] update: User not found: ${req.body.userId}`)
+        return res.sendStatus(400)
+      }
+      if (user.type === 'root' && !req.user.isRoot) {
+        Logger.warn(`[ApiKeyController] update: Root user API key cannot be created by non-root user`)
+        return res.sendStatus(403)
+      }
+      if (apiKey.userId !== req.body.userId) {
+        apiKey.userId = req.body.userId
+        hasUpdates = true
+      }
+    }
+
+    if (req.body.isActive !== undefined) {
+      if (typeof req.body.isActive !== 'boolean') {
+        return res.sendStatus(400)
+      }
+      if (apiKey.isActive !== req.body.isActive) {
+        apiKey.isActive = req.body.isActive
+        hasUpdates = true
+      }
+    }
+
+    if (hasUpdates) {
+      await apiKey.save()
+      apiKey.dataValues.user = await apiKey.getUser({
+        attributes: ['id', 'username', 'type']
+      })
+      Logger.info(`[ApiKeyController] Updated API key "${apiKey.name}"`)
+    } else {
+      Logger.info(`[ApiKeyController] No updates needed to API key "${apiKey.name}"`)
+    }
+
+    return res.json({
+      apiKey: apiKey.toJSON()
+    })
+  }
+
+  /**
+   * DELETE: /api/api-keys/:id
+   *
+   * @param {RequestWithUser} req
+   * @param {Response} res
+   */
+  async delete(req, res) {
+    const apiKey = await Database.apiKeyModel.findByPk(req.params.id)
+    if (!apiKey) {
+      return res.sendStatus(404)
+    }
+
+    await apiKey.destroy()
+    Logger.info(`[ApiKeyController] Deleted API key "${apiKey.name}"`)
+
+    return res.sendStatus(200)
+  }
+
+  /**
+   *
+   * @param {RequestWithUser} req
+   * @param {Response} res
+   * @param {NextFunction} next
+   */
+  middleware(req, res, next) {
+    if (!req.user.isAdminOrUp) {
+      Logger.error(`[ApiKeyController] Non-admin user "${req.user.username}" attempting to access api keys`)
+      return res.sendStatus(403)
+    }
+
+    next()
+  }
+}
+
+module.exports = new ApiKeyController()
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@ -84,49 +84,73 @@ class FileSystemController {
   */
  async checkPathExists(req, res) {
    if (!req.user.canUpload) {
-      Logger.error(`[FileSystemController] Non-admin user "${req.user.username}" attempting to check path exists`)
+      Logger.error(`[FileSystemController] User "${req.user.username}" without upload permissions attempting to check path exists`)
      return res.sendStatus(403)
    }

-    const { filepath, directory, folderPath } = req.body
+    const { directory, folderPath } = req.body
+    if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') {
+      Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`)
+      return res.status(400).json({
+        error: 'Invalid request body'
+      })
+    }

-    if (!filepath?.length || typeof filepath !== 'string') {
+    // Check that library folder exists
+    const libraryFolder = await Database.libraryFolderModel.findOne({
+      where: {
+        path: folderPath
+      }
+    })
+
+    if (!libraryFolder) {
+      Logger.error(`[FileSystemController] Library folder not found: ${folderPath}`)
+      return res.sendStatus(404)
+    }
+
+    if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+      Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+      return res.sendStatus(403)
+    }
+
+    let filepath = Path.join(libraryFolder.path, directory)
+    filepath = fileUtils.filePathToPOSIX(filepath)
+
+    // Ensure filepath is inside library folder (prevents directory traversal)
+    if (!filepath.startsWith(libraryFolder.path)) {
+      Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`)
      return res.sendStatus(400)
    }

-    const exists = await fs.pathExists(filepath)
-
-    if (exists) {
+    if (await fs.pathExists(filepath)) {
      return res.json({
        exists: true
      })
    }

-    // If directory and folderPath are passed in, check if a library item exists in a subdirectory
+    // Check if a library item exists in a subdirectory
    // See: https://github.com/advplyr/audiobookshelf/issues/4146
-    if (typeof directory === 'string' && typeof folderPath === 'string' && directory.length > 0 && folderPath.length > 0) {
-      const cleanedDirectory = directory.split('/').filter(Boolean).join('/')
-      if (cleanedDirectory.includes('/')) {
-        // Can only be 2 levels deep
-        const possiblePaths = []
-        const subdir = Path.dirname(directory)
-        possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, subdir)))
-        if (subdir.includes('/')) {
-          possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, Path.dirname(subdir))))
-        }
+    const cleanedDirectory = directory.split('/').filter(Boolean).join('/')
+    if (cleanedDirectory.includes('/')) {
+      // Can only be 2 levels deep
+      const possiblePaths = []
+      const subdir = Path.dirname(directory)
+      possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, subdir)))
+      if (subdir.includes('/')) {
+        possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, Path.dirname(subdir))))
+      }

-        const libraryItem = await Database.libraryItemModel.findOne({
-          where: {
-            path: possiblePaths
-          }
+      const libraryItem = await Database.libraryItemModel.findOne({
+        where: {
+          path: possiblePaths
+        }
+      })
+
+      if (libraryItem) {
+        return res.json({
+          exists: true,
+          libraryItemTitle: libraryItem.title
        })
-
-        if (libraryItem) {
-          return res.json({
-            exists: true,
-            libraryItemTitle: libraryItem.title
-          })
-        }
      }
    }

--- a/server/controllers/MeController.js
+++ b/server/controllers/MeController.js
@ -273,12 +273,24 @@ class MeController {
   * @param {RequestWithUser} req
   * @param {Response} res
   */
-  updatePassword(req, res) {
+  async updatePassword(req, res) {
    if (req.user.isGuest) {
      Logger.error(`[MeController] Guest user "${req.user.username}" attempted to change password`)
-      return res.sendStatus(500)
+      return res.sendStatus(403)
    }
-    this.auth.userChangePassword(req, res)
+
+    const { password, newPassword } = req.body
+    if ((typeof password !== 'string' && password !== null) || (typeof newPassword !== 'string' && newPassword !== null)) {
+      return res.status(400).send('Missing or invalid password or new password')
+    }
+
+    const result = await this.auth.localAuthStrategy.changePassword(req.user, password, newPassword)
+
+    if (result.error) {
+      return res.status(400).send(result.error)
+    }
+
+    res.sendStatus(200)
  }

  /**
@ -438,7 +450,7 @@ class MeController {
    if (updated) {
      await Database.updateSetting(Database.emailSettings)
      SocketAuthority.clientEmitter(req.user.id, 'ereader-devices-updated', {
-        ereaderDevices: Database.emailSettings.ereaderDevices
+        ereaderDevices: Database.emailSettings.getEReaderDevices(req.user)
      })
    }
    res.json({
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@ -59,6 +59,12 @@ class MiscController {
    if (!library) {
      return res.status(404).send('Library not found')
    }
+
+    if (!req.user.checkCanAccessLibrary(library.id)) {
+      Logger.error(`[MiscController] User "${req.user.username}" attempting to upload to library "${library.id}" without access`)
+      return res.sendStatus(403)
+    }
+
    const folder = library.libraryFolders.find((fold) => fold.id === folderId)
    if (!folder) {
      return res.status(404).send('Folder not found')
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@ -9,6 +9,7 @@ const fs = require('../libs/fsExtra')
 const { getPodcastFeed, findMatchingEpisodes } = require('../utils/podcastUtils')
 const { getFileTimestampsWithIno, filePathToPOSIX } = require('../utils/fileUtils')
 const { validateUrl } = require('../utils/index')
+const htmlSanitizer = require('../utils/htmlSanitizer')

 const Scanner = require('../scanner/Scanner')
 const CoverManager = require('../managers/CoverManager')
@ -404,6 +405,15 @@ class PodcastController {
    const supportedStringKeys = ['title', 'subtitle', 'description', 'pubDate', 'episode', 'season', 'episodeType']
    for (const key in req.body) {
      if (supportedStringKeys.includes(key) && typeof req.body[key] === 'string') {
+        // Sanitize description HTML
+        if (key === 'description' && req.body[key]) {
+          const sanitizedDescription = htmlSanitizer.sanitize(req.body[key])
+          if (sanitizedDescription !== req.body[key]) {
+            Logger.debug(`[PodcastController] Sanitized description from "${req.body[key]}" to "${sanitizedDescription}"`)
+            req.body[key] = sanitizedDescription
+          }
+        }
+
        updatePayload[key] = req.body[key]
      } else if (key === 'chapters' && Array.isArray(req.body[key]) && req.body[key].every((ch) => typeof ch === 'object' && ch.title && ch.start)) {
        updatePayload[key] = req.body[key]
--- a/server/controllers/SessionController.js
+++ b/server/controllers/SessionController.js
@ -57,26 +57,24 @@ class SessionController {
    }

    let where = null
-    const include = [
-      {
-        model: Database.models.device
-      }
-    ]

    if (userId) {
      where = {
        userId
      }
-    } else {
-      include.push({
-        model: Database.userModel,
-        attributes: ['id', 'username']
-      })
    }

    const { rows, count } = await Database.playbackSessionModel.findAndCountAll({
      where,
-      include,
+      include: [
+        {
+          model: Database.deviceModel
+        },
+        {
+          model: Database.userModel,
+          attributes: ['id', 'username']
+        }
+      ],
      order: [[orderKey, orderDesc]],
      limit: itemsPerPage,
      offset: itemsPerPage * page
@ -290,7 +288,12 @@ class SessionController {
      return res.sendStatus(404)
    }

-    const audioTrack = playbackSession.audioTracks.find((t) => t.index === audioTrackIndex)
+    let audioTrack = playbackSession.audioTracks.find((t) => toNumber(t.index, 1) === audioTrackIndex)
+
+    // Support clients passing 0 or 1 for podcast episode audio track index (handles old episodes pre-v2.21.0 having null index)
+    if (!audioTrack && playbackSession.mediaType === 'podcast' && audioTrackIndex === 0) {
+      audioTrack = playbackSession.audioTracks[0]
+    }
    if (!audioTrack) {
      Logger.error(`[SessionController] Unable to find audio track with index=${audioTrackIndex}`)
      return res.sendStatus(404)
--- a/server/controllers/UserController.js
+++ b/server/controllers/UserController.js
@ -127,8 +127,8 @@ class UserController {
    }

    const userId = uuidv4()
-    const pash = await this.auth.hashPass(req.body.password)
-    const token = await this.auth.generateAccessToken({ id: userId, username: req.body.username })
+    const pash = await this.auth.localAuthStrategy.hashPassword(req.body.password)
+    const token = this.auth.generateAccessToken({ id: userId, username: req.body.username })
    const userType = req.body.type || 'user'

    // librariesAccessible and itemTagsSelected can be on req.body or req.body.permissions
@ -237,6 +237,7 @@ class UserController {

    let hasUpdates = false
    let shouldUpdateToken = false
+    let shouldInvalidateJwtSessions = false
    // When changing username create a new API token
    if (updatePayload.username && updatePayload.username !== user.username) {
      const usernameExists = await Database.userModel.checkUserExistsWithUsername(updatePayload.username)
@ -245,12 +246,13 @@ class UserController {
      }
      user.username = updatePayload.username
      shouldUpdateToken = true
+      shouldInvalidateJwtSessions = true
      hasUpdates = true
    }

    // Updating password
    if (updatePayload.password) {
-      user.pash = await this.auth.hashPass(updatePayload.password)
+      user.pash = await this.auth.localAuthStrategy.hashPassword(updatePayload.password)
      hasUpdates = true
    }

@ -325,9 +327,24 @@ class UserController {

    if (hasUpdates) {
      if (shouldUpdateToken) {
-        user.token = await this.auth.generateAccessToken(user)
+        user.token = this.auth.generateAccessToken(user)
        Logger.info(`[UserController] User ${user.username} has generated a new api token`)
      }
+
+      // Handle JWT session invalidation for username changes
+      if (shouldInvalidateJwtSessions) {
+        const newAccessToken = await this.auth.invalidateJwtSessionsForUser(user, req, res)
+        if (newAccessToken) {
+          user.accessToken = newAccessToken
+          // Refresh tokens are only returned for mobile clients
+          // Mobile apps currently do not use this API endpoint so always set to null
+          user.refreshToken = null
+          Logger.info(`[UserController] Invalidated JWT sessions for user ${user.username} and rotated tokens for current session`)
+        } else {
+          Logger.info(`[UserController] Invalidated JWT sessions for user ${user.username}`)
+        }
+      }
+
      await user.save()
      SocketAuthority.clientEmitter(req.user.id, 'user_updated', user.toOldJSONForBrowser())
    }
@ -422,7 +439,16 @@ class UserController {
    const page = toNumber(req.query.page, 0)

    const start = page * itemsPerPage
-    const sessions = listeningSessions.slice(start, start + itemsPerPage)
+    // Map user to sessions to match the format of the sessions endpoint
+    const sessions = listeningSessions.slice(start, start + itemsPerPage).map((session) => {
+      return {
+        ...session,
+        user: {
+          id: req.reqUser.id,
+          username: req.reqUser.username
+        }
+      }
+    })

    const payload = {
      total: listeningSessions.length,