refactor(quickconnect): validate secret length and format in quick connect check

2026-04-18 06:18:17 -04:00 · 2025-12-13 09:33:31 +08:00
parent 4aac476137
commit 655e1f2708
1 changed files with 8 additions and 2 deletions
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -623,10 +623,16 @@ authRoutes.post('/jellyfin/quickconnect/initiate', async (req, res, next) => {
 authRoutes.get('/jellyfin/quickconnect/check', async (req, res, next) => {
  const secret = req.query.secret as string;

-  if (!secret || typeof secret !== 'string') {
+  if (
+    !secret ||
+    typeof secret !== 'string' ||
+    secret.length < 8 ||
+    secret.length > 128 ||
+    !/^[A-Za-z0-9]+$/.test(secret)
+  ) {
    return next({
      status: 400,
-      message: 'Secret required',
+      message: 'Invalid secret',
    });
  }