Files
alembic/app/routers/credentials.py
T
andrew b135f11557 Security hardening and first-run/portability improvements
Security (P0):
- Remove committed session-secret default; auto-generate and persist a
  random secret to the config volume when SESSION_SECRET is unset
  (prevents forgeable session cookies / auth bypass).
- Validate playlist names to a safe charset and render sldl configs via
  literal Python substitution instead of sed (closes a command-injection
  and path-traversal path through playlist names).
- shlex-quote credential values written to shell-sourced env files, and
  strip newlines from values patched into .conf files.
- Render playlist .conf files 0600; warn at startup if the master key is
  co-located with the config volume; document keeping it separate.

Portability:
- Configurable timezone via TZ (default UTC) instead of hardcoded Edmonton.
- Remove personal defaults (navidrome user "andrew", ephemeral.club URLs).
- Ship generic example seeds; move the cross-album dedup keep-list and the
  legacy playlist import to editable config files; drop the personal
  _upgrade.csv.
- Generic VPN reference in docker-compose.snippet.yml.

First-run experience:
- Redirect to /setup instead of 500 when OIDC is unconfigured; surface a
  missing master key inline; entrypoint exits with an actionable message
  when the config folder is not writable.
- Add unauthenticated /health (JSON) and /setup (checklist) diagnostics.

Docs:
- Write docs/ARCHITECTURE.md and docs/MIGRATION.md (previously referenced
  but missing); expand README with ownership, backups, advanced settings,
  and migration guidance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-09 14:25:55 -06:00

69 lines
2.7 KiB
Python

from fastapi import APIRouter, Depends, HTTPException, Request
from fastapi.responses import RedirectResponse
from fastapi.templating import Jinja2Templates
from app.db import get_db
from app.security import crypto
from app.security.deps import require_auth
from app.services import credential_service
router = APIRouter(prefix="/settings/credentials", tags=["credentials"])
templates = Jinja2Templates(directory="app/templates")
@router.get("")
async def credentials_index(request: Request, user: dict = Depends(require_auth), db=Depends(get_db)):
# Write-only by design: never send a previously-saved secret value back
# to the browser. Each scope just reports which fields are already set.
configured = {
scope: set(credential_service.get_scope(db, scope).keys())
for scope in credential_service.SCOPE_FIELDS
}
enabled = {
scope: credential_service.is_scope_enabled(db, scope)
for scope in credential_service.SCOPE_FIELDS
}
return templates.TemplateResponse(
request,
"credentials/index.html",
{
"scope_fields": credential_service.SCOPE_FIELDS,
"scope_descriptions": credential_service.SCOPE_DESCRIPTIONS,
"core_scopes": credential_service.CORE_SCOPES,
"configured": configured,
"enabled": enabled,
"key_present": crypto.key_present(),
},
)
@router.post("/{scope}")
async def save_credentials(
scope: str, request: Request, user: dict = Depends(require_auth), db=Depends(get_db)
):
if scope not in credential_service.SCOPE_FIELDS:
raise HTTPException(404, "unknown credential scope")
form = await request.form()
values = {
field: value
for field, value in form.items()
if field in credential_service.SCOPE_FIELDS[scope] and value != ""
}
try:
credential_service.set_credentials(db, scope, values)
except RuntimeError:
# Almost always the encryption key is missing, so the value can't be
# encrypted. Redirect back; the page shows a key-missing banner with
# exactly what to do.
return RedirectResponse(url="/settings/credentials", status_code=303)
return RedirectResponse(url="/settings/credentials", status_code=303)
@router.post("/{scope}/toggle")
async def toggle_scope(scope: str, user: dict = Depends(require_auth), db=Depends(get_db)):
if scope not in credential_service.OPTIONAL_SCOPES:
raise HTTPException(404, "unknown or non-toggleable credential scope")
currently_enabled = credential_service.is_scope_enabled(db, scope)
credential_service.set_scope_enabled(db, scope, not currently_enabled)
return RedirectResponse(url="/settings/credentials", status_code=303)