From 655e1f2708ff83fbce250a5b69d1da515e4e8a6d Mon Sep 17 00:00:00 2001
From: fallenbagel <98979876+Fallenbagel@users.noreply.github.com>
Date: Sat, 13 Dec 2025 09:33:31 +0800
Subject: [PATCH] refactor(quickconnect): validate secret length and format in quick connect check
---
 server/routes/auth.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index af8e615a3..d34265f4d 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -623,10 +623,16 @@ authRoutes.post('/jellyfin/quickconnect/initiate', async (req, res, next) => {
 authRoutes.get('/jellyfin/quickconnect/check', async (req, res, next) => {
 const secret = req.query.secret as string;
- if (!secret || typeof secret !== 'string') {
+ if (
+ !secret ||
+ typeof secret !== 'string' ||
+ secret.length < 8 ||
+ secret.length > 128 ||
+ !/^[A-Za-z0-9]+$/.test(secret)
+ ) {
 return next({
 status: 400,
- message: 'Secret required',
+ message: 'Invalid secret',
 });
 }
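Review bot: The bounds 8 and 128 and the alphanumeric-only rule in the new `if (...)` condition are unexplained, so a reader cannot tell whether they mirror the secret format the Jellyfin server actually issues or are an arbitrary allow-list; any secret outside them is now rejected with 400 `Invalid secret` before the rest of the handler runs. I would fold the three tests into one named, commented constant, e.g. `const QUICK_CONNECT_SECRET_RE = /^[A-Za-z0-9]{8,128}$/; // format of secrets issued by Jellyfin — confirm against the server`, and reduce the guard to `typeof secret !== 'string' || !QUICK_CONNECT_SECRET_RE.test(secret)`. The `as string` cast on `req.query.secret` also hides that a parsed query value can be an array or object at runtime; the `typeof` guard does catch that before `.length` and the regex are reached, but dropping the cast would let the compiler enforce the narrowing instead of relying on check order. The handler body continues past the end of the hunk, so how the validated secret is used downstream is not visible here.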