security: harden webhook endpoint and fix multiple security findings #73
Merged
retardgerman merged 14 commits into main on Mar 14, 2026
Conversation
…ok endpoint
- Auto-generate and persist WEBHOOK_SECRET on first start
- Reject webhook requests missing or with invalid X-Webhook-Secret header (401)
- Add rate limiter (60 req/min) to the webhook endpoint to prevent flooding
- Expose secret in dashboard with copy button and setup instructions
- Preserve WEBHOOK_SECRET across config saves
- Add X-Webhook-Secret header step to plugin setup guide in dashboard and README

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…c hosting warning
- Replace !== with crypto.timingSafeEqual to prevent timing attacks on X-Webhook-Secret
- Add ⚠️ Security Notice section to README warning against public internet exposure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… validation
- Remove debug logs that exposed DISCORD_TOKEN prefix to log files
- buildJellyfinUrl now always uses configured JELLYFIN_BASE_URL, ignoring the webhook-provided ServerUrl to prevent URL injection via poisoned metadata
- Validate config schema on startup using Joi (warn-only, non-fatal)
- Fix USER_MAPPINGS schema type (array of objects, not key-value object)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…irement

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sensitive fields (DISCORD_TOKEN, JELLYSEERR_API_KEY, JELLYFIN_API_KEY, WEBHOOK_SECRET, JWT_SECRET, TMDB_API_KEY, OMDB_API_KEY) are now stored with a "b64:" prefix and base64-encoded value. readConfig() decodes them transparently; writeConfig() encodes them before writing.

Backwards-compatible: plain-text values (existing configs) are decoded as-is until the next save, at which point they are automatically encoded.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add data-i18n attributes and locale keys for strings introduced in this branch: webhook secret description, Copy URL/Copy Secret buttons, Headers setup step, and notification testing info note. Translations added for EN, DE, and SV.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Security Fixes
This PR addresses several security vulnerabilities. Details will be disclosed after this PR is merged.
Changes
- utils/auth.js: auto-generate and persist WEBHOOK_SECRET on first start
- app.js: authenticate the webhook endpoint (X-Webhook-Secret header required, otherwise 401), compare the header value with crypto.timingSafeEqual, and preserve WEBHOOK_SECRET across config saves
- jellyfinWebhook.js: buildJellyfinUrl now always uses the configured JELLYFIN_BASE_URL, ignoring the webhook-provided ServerUrl to prevent URL injection via poisoned metadata
- utils/configFile.js: sensitive fields stored with a "b64:" prefix and base64-encoded value (see the commit message above)
- utils/validation.js: add WEBHOOK_SECRET to the schema; fix the USER_MAPPINGS schema type
- lib/config.js: add WEBHOOK_SECRET to the config template
- web/index.html + web/script.js: expose the secret in the dashboard with a copy button and setup instructions
- README.md: ⚠️ Security Notice warning against public internet exposure

Migration
Existing installations will have a secret auto-generated on next startup — no manual action required. Users only need to copy the secret from the dashboard and add it as a custom HTTP header (X-Webhook-Secret) in their Jellyfin webhook plugin settings.

🤖 Generated with Claude Code