From f2c771727ce128c312e2225ce5ba775be07b5523 Mon Sep 17 00:00:00 2001
From: fallenbagel <98979876+Fallenbagel@users.noreply.github.com>
Date: Sat, 13 Dec 2025 09:43:01 +0800
Subject: [PATCH] refactor(quickconnect): improve secret validation for quick connect endpoints

---
 server/routes/auth.ts              | 12 +++++++++---
 server/routes/user/usersettings.ts | 15 ++++++++++++---
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index feb4a6a7..d4f5a0d3 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -629,11 +629,11 @@ authRoutes.get('/jellyfin/quickconnect/check', async (req, res, next) => {
     typeof secret !== 'string' ||
     secret.length < 8 ||
     secret.length > 128 ||
-    !/^[A-Za-z0-9]+$/.test(secret)
+    !/^[A-Fa-f0-9]+$/.test(secret)
   ) {
     return next({
       status: 400,
-      message: 'Invalid secret',
+      message: 'Invalid secret format',
     });
   }
 
@@ -663,7 +663,13 @@ authRoutes.post(
     const userRepository = getRepository(User);
     const body = req.body as { secret?: string };
 
-    if (!body.secret) {
+    if (
+      !body.secret ||
+      typeof body.secret !== 'string' ||
+      body.secret.length < 8 ||
+      body.secret.length > 128 ||
+      !/^[A-Fa-f0-9]+$/.test(body.secret)
+    ) {
       return next({
         status: 400,
         message: 'Secret required',
diff --git a/server/routes/user/usersettings.ts b/server/routes/user/usersettings.ts
index 416ce831..4cf69dde 100644
--- a/server/routes/user/usersettings.ts
+++ b/server/routes/user/usersettings.ts
@@ -554,6 +554,17 @@ userSettingsRoutes.post<{ secret: string }>(
       return res.status(401).json({ code: ApiErrorCode.Unauthorized });
     }
 
+    const secret = req.body.secret;
+    if (
+      !secret ||
+      typeof secret !== 'string' ||
+      secret.length < 8 ||
+      secret.length > 128 ||
+      !/^[A-Fa-f0-9]+$/.test(secret)
+    ) {
+      return res.status(400).json({ message: 'Invalid secret format' });
+    }
+
     if (
       settings.main.mediaServerType !== MediaServerType.JELLYFIN &&
       settings.main.mediaServerType !== MediaServerType.EMBY
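Review bot: The same secret-format rule (`typeof` check, 8–128 length, `/^[A-Fa-f0-9]+$/`) is now pasted verbatim into three handlers — this hunk, the `authRoutes.post(` hunk below it, and the `userSettingsRoutes.post` hunk in usersettings.ts — so the next tightening or loosening will have to be made in three places and the endpoints will silently drift apart. A single shared predicate keeps the accepted format identical everywhere and makes the narrowing explicit: `const QUICK_CONNECT_SECRET_RE = /^[A-Fa-f0-9]{8,128}$/;` and `const isValidQuickConnectSecret = (value: unknown): value is string => typeof value === 'string' && QUICK_CONNECT_SECRET_RE.test(value);`, with each call site reduced to `if (!isValidQuickConnectSecret(secret)) {`. Separately, the change from alphanumeric to hexadecimal only is safe if both Jellyfin and Emby only ever issue hex secrets; nothing on this page confirms that, so it is worth verifying against both servers before the stricter pattern starts rejecting legitimate Quick Connect sessions. The handler's beginning, where `secret` is declared, is outside the hunk.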
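Review bot: In the `authRoutes.post(` hunk every branch of the new compound condition still falls through to `message: 'Secret required'`, so a client that did send a secret but in the wrong length or character set gets a misleading "required" error, while the other two endpoints in this commit answer the same situation with `'Invalid secret format'`. Keep the presence check as it was, `if (!body.secret) { return next({ status: 400, message: 'Secret required' }); }`, and put the `typeof`/length/regex checks in a second `if` that returns `message: 'Invalid secret format'`, so the two failure modes stay distinguishable and the wording matches the GET handler above. The `authRoutes.post(` handler begins before and continues after this hunk.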
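Review bot: The new 400 in the usersettings.ts hunk responds with `{ message: 'Invalid secret format' }`, whereas the 401 three lines above it responds with `{ code: ApiErrorCode.Unauthorized }`; clients of this route that branch on `code` therefore cannot tell this rejection apart from any other 400. If `ApiErrorCode` has a member suited to malformed input, return it alongside the message, `return res.status(400).json({ code: <ApiErrorCode member for bad input>, message: 'Invalid secret format' });` — the member name is a placeholder, since none is visible on this page. Placing the check before the media-server-type test is the right order: a malformed secret is rejected without touching `settings` or the server. The handler continues past this hunk.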
@@ -567,9 +578,7 @@ userSettingsRoutes.post<{ secret: string }>(
     const jellyfinServer = new JellyfinAPI(hostname);
 
     try {
-      const account = await jellyfinServer.authenticateQuickConnect(
-        req.body.secret
-      );
+      const account = await jellyfinServer.authenticateQuickConnect(secret);
 
       if (
         await userRepository.exist({