search

jeffvli / feishin

A modern self-hosted music player.
https://feishin.vercel.app
GNU General Public License v3.0
2k stars 79 forks source link

Update anomaly using outdated cookies #578

Closed Chris-Gari closed 2 months ago

Chris-Gari commented 2 months ago

Expected Behavior

Not take outdated cookies upon updating the server

Current Behavior

Cookies still work upon updating the server, with SERVER_LOCK = true

Steps to Reproduce

  1. docker compose from old build from docker hub (v0.3.0), docker compose from this .yml file https://github.com/jeffvli/feishin/blob/2257e439a406f3785b098947c1d36353811e9d49/docker-compose.yaml replacing the image from the linked .yml file with kakoluz/feishin 

    version: '3.5'
services:
feishin:
    container_name: feishin
    image: kakoluz/feishin 
    restart: always
    ports:
        - 9180:9180
    environment:
        - SERVER_NAME=# pre defined server name
        - SERVER_LOCK=false# When true AND name/type/url are set, only username/password can be toggled
        - SERVER_TYPE=# navidrome also works
        - SERVER_URL=# http://address:port

  2. login from brave browser with cookies enabled, notice I have old build, delete container

  3. Run docker run --name feishin -p 9180:9180 ghcr.io/jeffvli/feishin:latest in the command line (no env variables),

  4. (With cookies enabled, no need to input my login credentials), notice the stream is taking unnecessary routes and I'm using cloudflare tunnels, (Request to feishin.mydomain.com -> jellyfin.mydomain.com -> jellyfin:192.168.1.105:8096 ) instead of (feishin.mydomain.com -> jellyfin:192.168.1.105:8096), delete container

  5. docker compose, the one I use for the update (latest) this time with the image: ghcr.io/jeffvli/feishin:latest, SERVER_LOCK = true

    version: '3.5'
services:
feishin:
    container_name: feishin
    image: ghcr.io/jeffvli/feishin:latest
    restart: always
    ports:
        - 9180:9180
    environment:
        - SERVER_NAME=mydomain.com# pre defined server name
        - SERVER_LOCK=true # When true AND name/type/url are set, only username/password can be toggled
        - SERVER_TYPE=jellyfin # navidrome also works
        - SERVER_URL=http://192.168.1.105:8096 # http://address:port

  6. login again with server lock, notice I am still logged in with my old SERVER_NAME, still pointing to jellyfin.mydomain.com.

  7. login from different browser, have to login using the SERVER_LOCK when adding a new server

Possible Solution (Not obligatory)

Context

I don't know the implications of this bug security wise, I just hoped to bring it into light. (this is my first git issue submitted in my life, sorry for being rough and I might have misremembered some small things)

Your Environment

kgarner7 commented 2 months ago

Are you saying on your first browser when you changed the server lock url and then added a new server, it was using the old credentials? Or are you saying that when you changed the server lock url and reused your old browser, it was still using the original domain?

If it's the latter, this is expected; SERVER_URL only affects new servers you add; it will not delete/change old server URLs.

Chris-Gari commented 2 months ago

Are you saying on your first browser when you changed the server lock url and then added a new server, it was using the old credentials? Or are you saying that when you changed the server lock url and reused your old browser, it was still using the original domain?

The latter statement is true, yes. For the first statement, from my understanding you mean that, "I have the old credentials on the new browser?" No. Edit: to explain further, when adding a new server on the old browser, the SERVER_LOCK functions as intended, just that additionally the old server pointing to the old URL still exists, as well as my login credentials still working for that old URL.

If it's the latter, this is expected; SERVER_URL only affects new servers you add; it will not delete/change old server URLs.

This is what I have observed and prompted me to make this issue. I see.