This PR fixes a security issue where authenticated users could access and modify data belonging to
other users. The isOwnProfileOrAdmin() middleware was missing from several push subscription API
routes. As a result, any authenticated user on the instance could manipulate the userId parameter in
the URL to view or delete the push subscriptions of other users.
Add ownership check to GET /api/v1/user/:id so the full user object (including eager-loaded settings
with notification credentials) is only returned to the user themselves or MANAGE_USERS admins. All
other authenticated users receive a stripped response (which is the intended behaviour as
https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands
User.filteredFields to strip sensitive fields to prevent leaking credentials
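The two fixes above describe the same control: a route guard that admits only the profile owner or a MANAGE_USERS admin, and a response that is stripped for everyone else. This is an added illustration, not Jellyseerr/Overseerr code; the permission bit value, the field names and the request/response shapes are assumptions.

```typescript
// Added example, not Jellyseerr/Overseerr code: an ownership-or-admin guard of the
// kind the PR descriptions name, and the stripped response for GET /api/v1/user/:id.
// The permission bit, the field names and the request/response shapes are assumed.
const MANAGE_USERS = 1 << 1; // hypothetical permission bit

interface User { id: number; permissions: number; settings?: { webhookUrl?: string } }
interface Req { params: { id: string }; user?: User }
interface Res { statusCode: number }

// Fields stripped from responses to users who are neither the owner nor admins
// (the page's User.filteredFields plays this role; this list is constructed).
const filteredFields: (keyof User)[] = ['settings'];

function hasPermission(user: User, perm: number): boolean {
  return (user.permissions & perm) === perm;
}

// Express-style middleware: calls next() only when the requester is the profile's
// owner or may manage users; otherwise sets the status and never reaches the route.
function isOwnProfileOrAdmin(req: Req, res: Res, next: () => void): void {
  if (!req.user) { res.statusCode = 401; return; }
  const requested = Number(req.params.id);
  if (!Number.isInteger(requested)) { res.statusCode = 400; return; }
  if (req.user.id === requested || hasPermission(req.user, MANAGE_USERS)) { next(); return; }
  res.statusCode = 403; // authenticated, but not this user's data
}

// Response body for GET /api/v1/user/:id: the full record only for the user
// themselves or MANAGE_USERS admins, the filtered record for everyone else.
function userResponse(viewer: User, target: User): Partial<User> {
  const body: Partial<User> = { ...target };
  if (viewer.id === target.id || hasPermission(viewer, MANAGE_USERS)) return body;
  for (const field of filteredFields) delete body[field];
  return body;
}
```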
Fix a logic flaw in the jellyfin auth guard that allowed unauthenticated users to register accounts
on Plex-configured instances by authenticating against an attacker-controlled Jellyfin server.
* fix(servarr): add timeout to Radarr/Sonarr API requests to prevent infinite loading
Adds a 5-second timeout to all Radarr/Sonarr API requests and displays a warning banner when
services are unreachable. This prevents the Recent Requests section and request list pages from
hanging indefinitely when a configured service has connection issues.
fix #2374
* fix(requests): only show service error banner to users with advanced permissions
* chore(deps): update dependencies and fix security vulnerabilities
Update TypeScript 4.9 → 5.4. Update Zod 3 → 4. Update nodemailer 6 → 7. Update @typescript-eslint
packages to v7. Update xml2js, undici, lodash, axios, swr, winston. Add pnpm.overrides for
transitive dependency vulnerabilities
* chore: fix import ordering for TypeScript 5.4 compatibility
prettier-plugin-organize-imports behaves differently with TypeScript 5.4 vs 4.9, causing CI
formatting checks to fail. This reformats imports to match the ordering expected by the plugin with
the upgraded TS version.
Removed redundant Plex user discovery logic that applies to all media servers currently. This is now
handled explicitly via the linked accounts settings page. Also changed the successful logout log level
from info to debug since it's routine behaviour
This PR fixes an issue where removing 4K movies from Radarr failed when multiple Radarr instances were configured. The backend was misparsing boolean query parameters and using string slugs instead of TMDB IDs. The fix ensures that the correct 4K Radarr instance is targeted and that TMDB IDs are used for movie removal.
Signed-off-by: 0xsysr3ll <0xsysr3ll@pm.me>
* refactor(adds package): this adds the validator package and removes email-validator from dependencies
* refactor(auth.ts and email.ts): migrates from EmailValidator to validator
* feat(notifications): make images optional
* fix(notifications): added en i18n config
* fix: prettify
* fix(notifications): added embedImage support for ntfy
* fix(frontend): update embedImage on form state change and submission
* fix(locale): updated locale for embedImage
* fix: renamed embedImage to embedPoster
* feat(dns): implement dns caching
* feat: simple implementation of dnscaching
* feat: dynamic ttl which is revalidated while using stale dns cache
This is done as the TMDB TTL is very short (around 40 seconds), to make sure
no issues are caused by cached DNS (previously we were caching
for 5 minutes no matter what the TTL was)
* feat(dns): improve DNS cache with multi-strategy fallback system
- multiple DNS resolution strategies
- graceful fallbacks between IPv6 and IPv4 addresses
- network error reporting in fetch fix
- compatibility with cypress testing (I HOPE)
* fix: typos
* feat: dns cache stats in jobs & cache page (and cleanup)
* feat(networksettings): cache dns off by default
* feat: make dnsCache optional and enable-able through network settings
* chore(i18n): extract translation keys
* test(cypress): fix cypress testing
* feat(dnscache): dns cache entries are now flushable
* style(cypress): run prettier
* chore(cypresssettings): git ignore cypress json settings
* chore: ignore cypress/config/settings.json
* fix(dnscache): use entry specific hits and misses not global
* refactor: clean up console logs
* fix(dnscache): fix miss counter
* feat(dnscache): global stats
* chore(i18n): extract translation keys
* refactor: use date-fns for formatting age and remove useless code
* refactor: remove cypress testing options in dnsCacheManager
* refactor: remove console logs
* refactor: removed useless condition when it's always truthy
* fix: remove FetchAPI-related code
* fix: remove old ipv4first setting
* refactor: use our own dns-caching package instead
* fix: correct dns-caching module configuration
* fix: correct dns-caching module configuration
* fix: remove useless lru-cache dependency
* fix: update dns-caching to v0.2.0
* fix: add env variable for min/max ttl & update dns-caching
* fix: update dns-caching package
* fix: add force min/max TTL in network settings
* docs: add docs for dns caching
---------
Co-authored-by: Gauthier <mail@gauthierth.fr>
* fix(blacklist): handle invalid keywords gracefully
* fix(blacklist): only remove keywords on 404 errors
* fix(blacklist): remove non-null assertion and add proper type annotation
* refactor(blacklist): return null instead of 404 for missing keywords
* fix(blacklist): add type annotation for validKeywords
* fix(selector): update type annotation for validKeywords