refactor(quickconnect): improve secret validation for quick connect endpoints

server/routes/auth.ts

@@ -629,11 +629,11 @@ authRoutes.get('/jellyfin/quickconnect/check', async (req, res, next) => {
     typeof secret !== 'string' ||
     secret.length < 8 ||
     secret.length > 128 ||
-    !/^[A-Za-z0-9]+$/.test(secret)
+    !/^[A-Fa-f0-9]+$/.test(secret)
   ) {
     return next({
       status: 400,
-      message: 'Invalid secret',
+      message: 'Invalid secret format',
     });
   }
 
@@ -663,7 +663,13 @@ authRoutes.post(
     const userRepository = getRepository(User);
     const body = req.body as { secret?: string };
 
-    if (!body.secret) {
+    if (
+      !body.secret ||
+      typeof body.secret !== 'string' ||
+      body.secret.length < 8 ||
+      body.secret.length > 128 ||
+      !/^[A-Fa-f0-9]+$/.test(body.secret)
+    ) {
       return next({
         status: 400,
         message: 'Secret required',

server/routes/user/usersettings.ts

@@ -554,6 +554,17 @@ userSettingsRoutes.post<{ secret: string }>(
       return res.status(401).json({ code: ApiErrorCode.Unauthorized });
     }
 
+    const secret = req.body.secret;
+    if (
+      !secret ||
+      typeof secret !== 'string' ||
+      secret.length < 8 ||
+      secret.length > 128 ||
+      !/^[A-Fa-f0-9]+$/.test(secret)
+    ) {
+      return res.status(400).json({ message: 'Invalid secret format' });
+    }
+
     if (
       settings.main.mediaServerType !== MediaServerType.JELLYFIN &&
       settings.main.mediaServerType !== MediaServerType.EMBY
@@ -567,9 +578,7 @@ userSettingsRoutes.post<{ secret: string }>(
     const jellyfinServer = new JellyfinAPI(hostname);
 
     try {
-      const account = await jellyfinServer.authenticateQuickConnect(
-        req.body.secret
-      );
+      const account = await jellyfinServer.authenticateQuickConnect(secret);
 
       if (
         await userRepository.exist({