From 620135aeac6d9fc284a3daddcafd1964474d2789 Mon Sep 17 00:00:00 2001
From: Gauthier
Date: Mon, 10 Feb 2025 00:17:11 +0100
Subject: [PATCH] fix: resolve a vulnerability with admin token (#1345)

By default, the jellyfinAuthToken of every user was always retrieved from the database, and sometimes sent back to the client. Any logged-in user could retrieve this token via a request containing admin user information, and use it to gain full access to Jellyfin. This PR removes the auth token and the device ID from the fields selected by default by TypeORM.
---
 server/entity/User.ts | 6 +++---
 server/routes/auth.ts | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/entity/User.ts b/server/entity/User.ts
index e4c8314c3..c8753bfe9 100644
--- a/server/entity/User.ts
+++ b/server/entity/User.ts
@@ -83,13 +83,13 @@ export class User {
   @Column({ nullable: true })
   public jellyfinUserId?: string;
 
-  @Column({ nullable: true })
+  @Column({ nullable: true, select: false })
   public jellyfinDeviceId?: string;
 
-  @Column({ nullable: true })
+  @Column({ nullable: true, select: false })
   public jellyfinAuthToken?: string;
 
-  @Column({ nullable: true })
+  @Column({ nullable: true, select: false })
   public plexToken?: string;
 
   @Column({ type: 'integer', default: 0 })
diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index 5fe0174ee..cbfbc3f79 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -263,6 +263,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
   // Try to find deviceId that corresponds to jellyfin user, else generate a new one
   let user = await userRepository.findOne({
     where: { jellyfinUsername: body.username },
+    select: { id: true, jellyfinDeviceId: true },
   });
   let deviceId = '';
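Review bot: With `select: false` on these three columns, every existing caller that reads `user.jellyfinAuthToken`, `user.jellyfinDeviceId` or `user.plexToken` off a default `find`/`findOne` result now silently gets `undefined`, and because the properties are already declared optional (`?: string`) the compiler will not flag those sites; the Jellyfin login lookup in server/routes/auth.ts is adjusted in this patch, but any other reader of these credentials should be audited and given an explicit `select`/`addSelect`. A short comment above the columns would record that contract for the next secret field added to the entity, e.g. `// Credentials: excluded from default SELECTs (select: false); query with select/addSelect where the value is actually needed.` The commit message names only the auth token and device ID, while the hunk also hides `plexToken`, which is worth stating since it affects the same callers. This is one layer of defence rather than the root fix: if the User entity is serialized to API responses through class-transformer, marking these fields with `@Exclude()` as well would keep them out of responses even when a query deliberately selects them — to be confirmed against the project's serialization setup. The `User` class continues outside the hunk.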