mirror of
https://github.com/navidrome/navidrome.git
synced 2026-05-19 16:26:12 +00:00
5c4f0298a6
* fix(sharing): validate JWT expiration and share existence on stream endpoint
The public stream endpoint (/public/s/{token}) was using
TokenAuth.Decode() which only verifies the JWT signature but skips
exp claim validation. This allowed expired share stream URLs to remain
functional indefinitely. Additionally, deleting a share did not revoke
previously issued stream tokens since the handler never performed a
server-side share lookup.
Fixed by switching decodeStreamInfo() to use auth.Validate() which
properly checks the exp claim, and by embedding the share ID ("sid")
in stream tokens so the handler can verify the share still exists.
Old tokens without the sid claim remain backward compatible but still
benefit from expiration validation.
* fix(sharing): check share expiration on stream requests
Replace the lightweight Exists() check with Get() + expiration
validation, so that shares whose ExpiresAt was updated to an earlier
time after token issuance are also rejected (410 Gone). Reuses the
existing checkShareError handler for consistent error responses.
|
||
|---|---|---|
| .. | ||
| fixtures | ||
| fake_http_client.go | ||
| init_tests.go | ||
| mock_album_repo.go | ||
| mock_artist_repo.go | ||
| mock_data_store.go | ||
| mock_ffmpeg.go | ||
| mock_genre_repo.go | ||
| mock_library_repo.go | ||
| mock_library_service.go | ||
| mock_mediafile_repo.go | ||
| mock_playlist_repo.go | ||
| mock_playlist_track_repo.go | ||
| mock_playqueue_repo.go | ||
| mock_plugin_manager.go | ||
| mock_plugin_repo.go | ||
| mock_property_repo.go | ||
| mock_radio_repository.go | ||
| mock_scanner.go | ||
| mock_scrobble_buffer_repo.go | ||
| mock_scrobble_repo.go | ||
| mock_share_repo.go | ||
| mock_transcoding_repo.go | ||
| mock_user_props_repo.go | ||
| mock_user_repo.go | ||
| mock_user_service.go | ||
| navidrome-test.toml | ||
| test_helpers.go | ||