fix: comprehensive security, bug, performance, and UI/UX audit
Lint & Test / test (push) Successful in 20s
Lint & Test / test (push) Successful in 20s
Security
- Default bind 127.0.0.1; first-run bootstrap generates random api_token
and refuses to bind non-loopback without auth unless explicitly opted in
- Path-traversal hardened: BrowserService.validate_path rejects absolute
paths, drive letters, UNC, NUL bytes. /api/browser/{play,metadata,
thumbnail} now require folder_id and a folder-relative path
- Pydantic validators on links: http(s) URLs only, mdi:<slug> icons only
- Scripts/callbacks/links create/update/delete gated by *_management flags
- Strict CSP, X-Frame-Options DENY, Referrer-Policy no-referrer,
X-Content-Type-Options nosniff
- CORS locked to localhost:<port> + 127.0.0.1:<port> by default; configurable
- config.yaml writes atomic (tmp + os.replace) and 0o600 on POSIX
- Subprocesses spawned in their own process group / new session so timeout
kills the whole tree (Windows CREATE_NEW_PROCESS_GROUP, POSIX
start_new_session=True)
- Frontend XSS: monitor name + details escapeHtml'd; power button moved to
delegated data-action handler; remote MDI SVGs parsed and sanitized
(strip script/foreignObject/on*/javascript: hrefs) before innerHTML
- All dynamic URL segments now wrapped in encodeURIComponent
Bugs
- WebSocket reconnect: close previous socket before opening new, clear
ping interval per-socket, clear reconnectTimeout up-front, retry on
online/visibilitychange, try/catch JSON.parse
- Artwork fetch race: AbortController + generation guard
- _broadcast_after_open: initialize status, swallow per-poll errors,
background tasks tracked in a strong-ref set with done-callback cleanup
- Audio analyzer: sticky _unavailable flag prevents infinite start/stop
spin when no loopback device exists; cleared by set_device()
- Volume short-circuit cache invalidated when server reports remote volume
- Browser thumbnail race: per-folder generation counter + isConnected
checks; aborts in-flight fetches on navigation
- Track-skip uses cached title instead of full WinRT status round-trip
Performance
- Linux MPRIS/pactl and /api/display DDC-CI handlers wrapped in
asyncio.to_thread so blocking IO never stalls the event loop
- browse_directory moved off the event loop (SMB shares could freeze it)
- Windows status poll caches one asyncio loop per worker thread via
threading.local instead of new_event_loop/close on every 0.5s tick
- broadcast() serializes JSON once and uses send_text to all clients
- Hourly thumbnail cache cleanup scheduled in lifespan (was never invoked
— cache grew unbounded)
- Progress drag listeners attached only while dragging
Quality
- All asyncio.get_event_loop() in coroutines → get_running_loop()
- ThreadPoolExecutors shut down cleanly during lifespan teardown
- config_manager dedup: 12 near-identical methods collapsed onto generic
_upsert/_delete helpers (~290 lines removed)
- Service worker no longer pass-throughs every fetch
- M3U playlist written via NamedTemporaryFile (no fixed-path symlink
clobber race)
- __version__ now prefers live pyproject.toml in dev checkouts so
pip install -e . users see the source-of-truth version, not the stale
package-metadata version baked in at install time
UI/UX (Studio Reference)
- Green leftover focus rings (rgba(29,185,84,...)) all replaced with
copper accent (rgba(var(--copper-rgb),...))
- Dialogs: square corners, copper top hairline, unified with editorial
chrome
- .browser-item: transparent with copper hover border (was filled card)
- Audio device select uses var(--sans) instead of generic system font
- Mobile container padding tuned for ≤480px screens
- Breadcrumb home is a real <button> with aria-label; aria-current on root
- i18n: filled display.msg.power_*, execution.*, scripts.params.execute,
callbacks.empty in both en + ru
This commit is contained in:
+69
-22
@@ -1,6 +1,8 @@
|
||||
"""Configuration management for the media server."""
|
||||
|
||||
import logging
|
||||
import os
|
||||
import secrets
|
||||
from pathlib import Path
|
||||
from typing import Optional
|
||||
|
||||
@@ -8,6 +10,8 @@ import yaml
|
||||
from pydantic import BaseModel, Field
|
||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class MediaFolderConfig(BaseModel):
|
||||
"""Configuration for a media folder."""
|
||||
@@ -81,8 +85,35 @@ class Settings(BaseSettings):
|
||||
)
|
||||
|
||||
# Server settings
|
||||
host: str = Field(default="0.0.0.0", description="Server bind address")
|
||||
host: str = Field(
|
||||
default="127.0.0.1",
|
||||
description=(
|
||||
"Server bind address. Use 127.0.0.1 for loopback-only (default, safest),"
|
||||
" or 0.0.0.0 to expose on the LAN (requires api_tokens to be set)."
|
||||
),
|
||||
)
|
||||
port: int = Field(default=8765, description="Server port")
|
||||
allow_lan_without_auth: bool = Field(
|
||||
default=False,
|
||||
description=(
|
||||
"Allow binding to a non-loopback address with no api_tokens configured."
|
||||
" Off by default to prevent unauthenticated LAN exposure."
|
||||
),
|
||||
)
|
||||
cors_origins: list[str] = Field(
|
||||
default_factory=list,
|
||||
description=(
|
||||
"Allowed CORS origins. Empty (default) means only same-origin requests"
|
||||
" from http://localhost:<port> and http://127.0.0.1:<port>."
|
||||
),
|
||||
)
|
||||
|
||||
# Admin-grade operations (script / callback / link / folder create/update/delete).
|
||||
# When True the same token used for read/play can also persist arbitrary shell
|
||||
# commands. Disable to make the API read+execute only.
|
||||
scripts_management: bool = Field(default=True, description="Allow scripts CRUD via API")
|
||||
callbacks_management: bool = Field(default=True, description="Allow callbacks CRUD via API")
|
||||
links_management: bool = Field(default=True, description="Allow links CRUD via API")
|
||||
|
||||
# Authentication (empty = auth disabled, anyone can access the API)
|
||||
api_tokens: dict[str, str] = Field(
|
||||
@@ -218,21 +249,25 @@ def get_config_dir() -> Path:
|
||||
|
||||
|
||||
def generate_default_config(path: Optional[Path] = None) -> Path:
|
||||
"""Generate a default configuration file with a new API token."""
|
||||
"""Generate a default configuration file with a freshly generated API token.
|
||||
|
||||
The token is written into ``api_tokens.default`` and printed to the logger
|
||||
so first-run users can copy it. Subsequent runs preserve whatever the user
|
||||
has set.
|
||||
"""
|
||||
if path is None:
|
||||
path = get_config_dir() / "config.yaml"
|
||||
|
||||
default_token = secrets.token_urlsafe(32)
|
||||
|
||||
config = {
|
||||
"host": "0.0.0.0",
|
||||
"host": "127.0.0.1",
|
||||
"port": 8765,
|
||||
# "api_tokens": {
|
||||
# "default": "your-secret-token-here",
|
||||
# },
|
||||
"api_tokens": {
|
||||
"default": default_token,
|
||||
},
|
||||
"poll_interval": 1.0,
|
||||
"log_level": "INFO",
|
||||
# Audio device to control (use GET /api/audio/devices to list available devices)
|
||||
# Set to null or remove to use default device
|
||||
# "audio_device": "Speakers (Realtek",
|
||||
"scripts": {
|
||||
"example_script": {
|
||||
"command": "echo Hello from Media Server!",
|
||||
@@ -240,26 +275,38 @@ def generate_default_config(path: Optional[Path] = None) -> Path:
|
||||
"timeout": 10,
|
||||
"shell": True,
|
||||
},
|
||||
# Add your custom scripts here:
|
||||
# "shutdown": {
|
||||
# "command": "shutdown /s /t 60",
|
||||
# "description": "Shutdown computer in 60 seconds",
|
||||
# "timeout": 5,
|
||||
# },
|
||||
# "lock_screen": {
|
||||
# "command": "rundll32.exe user32.dll,LockWorkStation",
|
||||
# "description": "Lock the workstation",
|
||||
# "timeout": 5,
|
||||
# },
|
||||
},
|
||||
}
|
||||
|
||||
path.parent.mkdir(parents=True, exist_ok=True)
|
||||
with open(path, "w", encoding="utf-8") as f:
|
||||
yaml.dump(config, f, default_flow_style=False, sort_keys=False)
|
||||
_write_yaml_atomic(path, config)
|
||||
_restrict_config_perms(path)
|
||||
|
||||
logger.info("Generated default config at %s", path)
|
||||
logger.info("API token (label=default): %s", default_token)
|
||||
|
||||
return path
|
||||
|
||||
|
||||
def _write_yaml_atomic(path: Path, data: dict) -> None:
|
||||
"""Write YAML to disk atomically via tmp file + rename, with restricted perms."""
|
||||
tmp = path.with_suffix(path.suffix + ".tmp")
|
||||
with open(tmp, "w", encoding="utf-8") as f:
|
||||
yaml.dump(data, f, default_flow_style=False, sort_keys=False)
|
||||
_restrict_config_perms(tmp)
|
||||
os.replace(tmp, path)
|
||||
|
||||
|
||||
def _restrict_config_perms(path: Path) -> None:
|
||||
"""On POSIX, ensure config file is readable only by owner (0600)."""
|
||||
if os.name == "nt":
|
||||
return
|
||||
try:
|
||||
os.chmod(path, 0o600)
|
||||
os.chmod(path.parent, 0o700)
|
||||
except OSError:
|
||||
logger.debug("Could not chmod %s", path, exc_info=True)
|
||||
|
||||
|
||||
# Global settings instance
|
||||
settings = Settings.load_from_yaml()
|
||||
|
||||
Reference in New Issue
Block a user