hardening

2026-05-16 10:44:20 +00:00
parent 52e3d680f7
commit cc26ed9b2c
18 changed files with 315 additions and 169 deletions
@@ -1,3 +1,5 @@
+from secrets import token_urlsafe
+
 from fastapi import APIRouter, HTTPException, status, Depends
 from fastapi.security import OAuth2PasswordRequestForm

@@ -21,6 +23,12 @@ router = APIRouter(prefix="/auth", tags=["auth"])
 async def login(form_data: OAuth2PasswordRequestForm = Depends()) -> dict:
    user = verify_user_password(form_data.username, form_data.password)
    if not user:
+        existing = get_user_by_username(form_data.username)
+        if existing and existing.get("auth_provider") != "local":
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Use the {existing.get('auth_provider')} sign-in flow for this account",
+            )
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
    if user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
@@ -45,10 +53,12 @@ async def jellyfin_login(form_data: OAuth2PasswordRequestForm = Depends()) -> di
        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
    if not isinstance(response, dict) or not response.get("User"):
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Jellyfin credentials")
-    create_user_if_missing(form_data.username, "jellyfin-user", role="user", auth_provider="jellyfin")
+    create_user_if_missing(form_data.username, token_urlsafe(32), role="user", auth_provider="jellyfin")
    user = get_user_by_username(form_data.username)
    if user and user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
+    if user and user.get("auth_provider") == "jellyfin":
+        set_user_password(form_data.username, token_urlsafe(32))
    try:
        users = await client.get_users()
        if isinstance(users, list):
@@ -57,7 +67,7 @@ async def jellyfin_login(form_data: OAuth2PasswordRequestForm = Depends()) -> di
                    continue
                name = user.get("Name")
                if isinstance(name, str) and name:
-                    create_user_if_missing(name, "jellyfin-user", role="user", auth_provider="jellyfin")
+                    create_user_if_missing(name, token_urlsafe(32), role="user", auth_provider="jellyfin")
    except Exception:
        pass
    token = create_access_token(form_data.username, "user")
@@ -78,10 +88,12 @@ async def jellyseerr_login(form_data: OAuth2PasswordRequestForm = Depends()) ->
        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
    if not isinstance(response, dict):
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Jellyseerr credentials")
-    create_user_if_missing(form_data.username, "jellyseerr-user", role="user", auth_provider="jellyseerr")
+    create_user_if_missing(form_data.username, token_urlsafe(32), role="user", auth_provider="jellyseerr")
    user = get_user_by_username(form_data.username)
    if user and user.get("is_blocked"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
+    if user and user.get("auth_provider") == "jellyseerr":
+        set_user_password(form_data.username, token_urlsafe(32))
    token = create_access_token(form_data.username, "user")
    set_last_login(form_data.username)
    return {"access_token": token, "token_type": "bearer", "user": {"username": form_data.username, "role": "user"}}