chore(release): 1.9.2

Merge remote-tracking branch 'origin/develop'
fix(auth): improve login resilience with headerless fallback authentication (#814 )
2025-12-24 10:49:30 -05:00 · 2024-06-13 09:32:07 +00:00 · 2024-06-13 14:30:15 +05:00 · 2024-06-13 11:16:07 +02:00 · 2024-06-13 04:53:12 +05:00 · 2024-06-12 18:50:00 +05:00
5 changed files with 55 additions and 15 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+## [1.9.2](https://github.com/fallenbagel/jellyseerr/compare/v1.9.1...v1.9.2) (2024-06-13)
+
+
+### Bug Fixes
+
+* **auth:** improve login resilience with headerless fallback authentication ([#814](https://github.com/fallenbagel/jellyseerr/issues/814)) ([a9741fa](https://github.com/fallenbagel/jellyseerr/commit/a9741fa36d06710aa00d28db3dd2c29f2b0973d3))
+* **auth:** validation of ipv6/ipv4 ([#812](https://github.com/fallenbagel/jellyseerr/issues/812)) ([9aeb360](https://github.com/fallenbagel/jellyseerr/commit/9aeb3604e6498c388df1d30dd0b613ba84160fc0)), closes [#795](https://github.com/fallenbagel/jellyseerr/issues/795)
+* bypass cache-able lookups when resolving localhost ([#813](https://github.com/fallenbagel/jellyseerr/issues/813)) ([b5a0699](https://github.com/fallenbagel/jellyseerr/commit/b5a069901a9545772deaa9c491f2075261da0189))
+
 ## [1.9.1](https://github.com/fallenbagel/jellyseerr/compare/v1.9.0...v1.9.1) (2024-06-12)


--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "jellyseerr",
-  "version": "1.9.1",
+  "version": "1.9.2",
  "private": true,
  "scripts": {
    "dev": "nodemon -e ts --watch server --watch overseerr-api.yml -e .json,.ts,.yml -x ts-node -r tsconfig-paths/register --files --project server/tsconfig.json server/index.ts",
--- a/server/api/jellyfin.ts
+++ b/server/api/jellyfin.ts
@@ -126,25 +126,31 @@ class JellyfinAPI extends ExternalAPI {
    Password?: string,
    ClientIP?: string
  ): Promise<JellyfinLoginResponse> {
-    try {
-      const headers = ClientIP
-        ? {
-            'X-Forwarded-For': ClientIP,
-          }
-        : {};
+    const authenticate = async (useHeaders: boolean) => {
+      const headers =
+        useHeaders && ClientIP ? { 'X-Forwarded-For': ClientIP } : {};

-      const authResponse = await this.post<JellyfinLoginResponse>(
+      return this.post<JellyfinLoginResponse>(
        '/Users/AuthenticateByName',
        {
-          Username: Username,
+          Username,
          Pw: Password,
        },
-        {
-          headers: headers,
-        }
+        { headers }
      );
+    };

-      return authResponse;
+    try {
+      return await authenticate(true);
+    } catch (e) {
+      logger.debug(`Failed to authenticate with headers: ${e.message}`, {
+        label: 'Jellyfin API',
+        ip: ClientIP,
+      });
+    }
+
+    try {
+      return await authenticate(false);
    } catch (e) {
      const status = e.response?.status;

--- a/server/index.ts
+++ b/server/index.ts
@@ -27,6 +27,7 @@ import type CacheableLookupType from 'cacheable-lookup';
 import { TypeormStore } from 'connect-typeorm/out';
 import cookieParser from 'cookie-parser';
 import csurf from 'csurf';
+import { lookup } from 'dns';
 import type { NextFunction, Request, Response } from 'express';
 import express from 'express';
 import * as OpenApiValidator from 'express-openapi-validator';
@@ -54,6 +55,19 @@ app
    const CacheableLookup = (await _importDynamic('cacheable-lookup'))
      .default as typeof CacheableLookupType;
    const cacheable = new CacheableLookup();
+
+    const originalLookup = cacheable.lookup;
+
+    // if hostname is localhost use dns.lookup instead of cacheable-lookup
+    cacheable.lookup = (...args: any) => {
+      const [hostname] = args;
+      if (hostname === 'localhost') {
+        lookup(...(args as Parameters<typeof lookup>));
+      } else {
+        originalLookup(...(args as Parameters<typeof originalLookup>));
+      }
+    };
+
    cacheable.install(http.globalAgent);
    cacheable.install(https.globalAgent);

--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -14,6 +14,7 @@ import { ApiError } from '@server/types/error';
 import * as EmailValidator from 'email-validator';
 import { Router } from 'express';
 import gravatarUrl from 'gravatar-url';
+import net from 'net';

 const authRoutes = Router();

@@ -271,11 +272,21 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
      ? jellyfinHost.slice(0, -1)
      : jellyfinHost;

-    const ip = req.ip ? req.ip.split(':').reverse()[0] : undefined;
+    const ip = req.ip;
+    let clientIp;
+
+    if (ip) {
+      if (net.isIPv4(ip)) {
+        clientIp = ip;
+      } else if (net.isIPv6(ip)) {
+        clientIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
+      }
+    }
+
    const account = await jellyfinserver.login(
      body.username,
      body.password,
-      ip
+      clientIp
    );

    // Next let's see if the user already exists
Author	SHA1	Message	Date
semantic-release-bot	65def9d20d	chore(release): 1.9.2	2024-06-13 09:32:07 +00:00
fallenbagel	a302929966	Merge remote-tracking branch 'origin/develop'	2024-06-13 14:30:15 +05:00
Fallenbagel	a9741fa36d	fix(auth): improve login resilience with headerless fallback authentication (#814 ) adds fallback to authenticate without headers to ensure and improve resilience across different browsers and client configurations.	2024-06-13 11:16:07 +02:00
Fallenbagel	b5a069901a	fix: bypass cache-able lookups when resolving localhost (#813 ) * fix: bypass cache-able lookups when resolving localhost * fix: bypass cacheable-lookup when resolving localhost --------- Co-authored-by: Gauthier <mail@gauthierth.fr>	2024-06-13 04:53:12 +05:00
Fallenbagel	9aeb3604e6	fix(auth): validation of ipv6/ipv4 (#812 ) validation for ipv6 was sort of broken where for example `::1` was being sent as `1`, therefore, logins were broken. This PR fixes it by using nodejs `net.isIPv4()` & `net.isIPv6` for ipv4 and ipv6 validation. possibly related to and fixes #795	2024-06-12 18:50:00 +05:00