Find a file
Deluan Quintão edffca24b1
Some checks are pending
Pipeline: Test, Lint, Build / Check Docker configuration (push) Waiting to run
Pipeline: Test, Lint, Build / Build (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Test Go code (push) Waiting to run
Pipeline: Test, Lint, Build / Upload Linux PKG (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Test JS code (push) Waiting to run
Pipeline: Test, Lint, Build / Lint i18n files (push) Waiting to run
Pipeline: Test, Lint, Build / Test Go code (Windows) (push) Waiting to run
Pipeline: Test, Lint, Build / Get version info (push) Waiting to run
Pipeline: Test, Lint, Build / Lint Go code (push) Waiting to run
Pipeline: Test, Lint, Build / Build-1 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-2 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-3 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-4 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build Windows installers (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-5 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-6 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-7 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-8 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Package/Release (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-9 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Build-10 (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Push to GHCR (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Push to Docker Hub (push) Blocked by required conditions
Pipeline: Test, Lint, Build / Cleanup digest artifacts (push) Blocked by required conditions
fix(lastfm): require signed state token on link callback (#5521)
* fix(lastfm): require signed state token on link callback

The Last.fm OAuth callback at /api/lastfm/link/callback trusted a raw
\`uid\` query parameter and wrote the resulting Last.fm session key under
that user with no ownership check. Any authenticated user who learned a
victim's internal user ID (e.g. from playlist ownerId) could redirect the
victim's scrobbles to an attacker-controlled Last.fm account by calling
the callback directly with the victim's uid and a Last.fm token obtained
for their own account.

The callback cannot use the regular auth middleware because it is reached
via a browser redirect from Last.fm, which cannot carry a JWT header.
Instead, GET /api/lastfm/link (authenticated) now also returns a short-
lived (5 min) HMAC-signed link token bound to the requesting user, with a
dedicated "lastfm-link" scope claim. The callback verifies the signature,
scope and expiry before deriving the user ID from the token; the \`uid\`
query value is no longer trusted as a user identifier. The UI fetches
this token at link-flow start and passes it in place of the raw user ID.

Reuses the existing HS256 secret via auth.EncodeToken/DecodeAndVerifyToken
so no new key management is introduced.

* fix(ui): keep Last.fm popup tied to user gesture for Safari

Opening the Last.fm OAuth tab after an awaited fetch causes the popup to
be blocked on Safari and on Firefox with strict popup blocking enabled,
because the browser's transient-activation window has already elapsed by
the time window.open is reached. Linking became impossible on those
browsers in the previous commit.

Move the click handler up to the parent component and open a placeholder
about:blank tab synchronously from the click; the linkToken fetch then
runs in parallel and we redirect the existing tab to Last.fm's auth URL
once it resolves. The user gesture stays attached to the window.open
call, so popup blockers no longer fire.

The polling/progress UI is unchanged; it now receives the openedTab ref
from the parent instead of owning it.

* fix(lastfm): require exp claim on link tokens

jwtauth.VerifyToken treats a JWT without an exp claim as non-expiring, so
verifyLinkToken used to delegate expiry handling entirely. A future
regression in createLinkToken that dropped the exp field would silently
turn link tokens into permanent bearer credentials.

Assert presence of an exp claim explicitly and add a regression test
covering the missing-exp case. Also tightens the wrong-scope test to use
a freshly-minted token with all claims present except the scope, instead
of relying on auth.CreatePublicToken which happens to also be missing
exp.

* style(lastfm): simplify comments in link token code

Trim doc comments on createLinkToken/verifyLinkToken/callback/startLink
to the load-bearing lines: keep the non-obvious 'jwtauth treats missing
exp as non-expiring' note and the popup-blocker hint, drop the rest
since the function names already describe behavior.

Signed-off-by: Deluan <deluan@navidrome.org>

* fix(lastfm): address review feedback on link token PR

- Wrap openInNewTab in a try/catch in startLink: openInNewTab calls
  win.focus() unconditionally, so if the browser blocks the popup
  (window.open returns null) it throws a TypeError synchronously,
  before the catch() on the link-token fetch is attached. The throw
  used to escape the click handler, leaving the UI without a
  notification. Now the failure is surfaced as lastfmLinkFailure and
  the toggle stays usable.
- Rename the link-token "subject" rejection message to "user ID" since
  the claim is uid, not the JWT sub field.

---------

Signed-off-by: Deluan <deluan@navidrome.org>
2026-05-23 12:16:15 -03:00
.devcontainer chore(deps): upgrade Go to 1.26 (#5361) 2026-04-14 19:31:01 -04:00
.github ci: fix input parameter name for GitHub token 2026-05-06 00:16:09 -04:00
adapters fix(lastfm): require signed state token on link callback (#5521) 2026-05-23 12:16:15 -03:00
cmd fix(cli): restore int cast for syscall.Stdin on Windows 2026-05-20 19:33:42 -03:00
conf refactor: more warnings clean up 2026-05-20 17:43:12 -03:00
consts fix(transcoding): place -ss before -i for fast input seeking (#5492) 2026-05-13 17:17:20 -03:00
contrib build: add packages for deb and rpm to release (#3202) 2024-10-26 13:31:45 -04:00
core refactor: more warnings clean up 2026-05-20 17:43:12 -03:00
db fix(smartplaylists): optimize smart playlist performance for role and tag criteria (#5515) 2026-05-22 18:00:13 -03:00
git feat(plugins): experimental support for plugins (#3998) 2025-06-22 20:45:38 -04:00
log feat(server): add syslog priority prefixes for systemd-journald (#5192) 2026-03-15 14:14:05 -04:00
model refactor: more warnings clean up 2026-05-20 17:43:12 -03:00
persistence fix(smartplaylists): optimize smart playlist performance for role and tag criteria (#5515) 2026-05-22 18:00:13 -03:00
plugins refactor: more warnings clean up 2026-05-20 17:43:12 -03:00
release fix(transcoding): include ffprobe in MSI and fall back gracefully when absent (#5326) 2026-04-07 20:11:38 -04:00
resources fix(ui): update Serbian translation (#5444) 2026-05-19 14:50:34 -03:00
scanner refactor: more warnings clean up 2026-05-20 17:43:12 -03:00
scheduler test: fix flaky watcher and scheduler tests on Windows CI 2026-05-03 11:26:07 -04:00
scripts build(worktree): add script for setting up git worktrees 2026-03-17 21:34:00 -04:00
server fix(subsonic): mark AlbumID3 songCount and created as required 2026-05-22 18:42:17 -03:00
tests refactor: multiple syntax updates for Go 1.26 2026-05-19 18:02:36 -03:00
ui fix(lastfm): require signed state token on link callback (#5521) 2026-05-23 12:16:15 -03:00
utils refactor: more warnings clean up 2026-05-20 17:43:12 -03:00
.dockerignore fix: add music.old to .dockerignore and .gitignore 2026-02-06 07:40:05 -05:00
.git-blame-ignore-revs Move project to Navidrome GitHub organization 2021-02-06 21:47:19 -05:00
.gitignore refactor: multiple syntax updates for Go 1.26 2026-05-19 18:02:36 -03:00
.golangci.yml chore(ui): regenerate package-lock.json to have integrity fields (#5276) 2026-04-05 11:37:50 -04:00
.nvmrc chore(deps): update all dependencies (#4618) 2025-10-25 17:05:16 -04:00
CODE_OF_CONDUCT.md Use Contributor Covenant v2.0 2020-07-21 14:40:21 -04:00
context7.json Add context7.json with URL and public key 2026-04-14 19:19:42 -04:00
CONTRIBUTING.md docs: update commit message format in CONTRIBUTING.md 2026-02-20 11:00:34 -05:00
Dockerfile chore(docker): add app directory to PATH in Dockerfile 2026-04-30 16:55:10 -04:00
go.mod refactor(conf): replace eager dir creation with lazy Dir type (#5495) 2026-05-13 17:44:22 -03:00
go.sum chore(deps): update dependencies to latest versions 2026-05-11 20:34:04 -03:00
LICENSE Change license to GPLv3 2020-01-22 14:48:38 -05:00
main.go feat(server): implement FTS5-based full-text search (#5079) 2026-02-21 17:52:42 -05:00
Makefile chore(lint): upgrade golangci-lint, fix/ignore new errors 2026-05-01 14:22:51 -04:00
Procfile.dev chore(deps): upgrade to Go 1.24.1 (#3851) 2025-03-17 21:08:10 -04:00
README.md feat: add Navidrome Guru on Gurubase.io (#3491) 2024-11-23 17:29:00 -05:00
reflex.conf feat(server): implement FTS5-based full-text search (#5079) 2026-02-21 17:52:42 -05:00

Navidrome logo

Navidrome Music Server  Tweet

Last Release Build Downloads Docker Pulls Dev Chat Subreddit Contributor Covenant Gurubase

Navidrome is an open source web-based music collection server and streamer. It gives you freedom to listen to your music collection from any browser or mobile device. It's like your personal Spotify!

Note: The master branch may be in an unstable or even broken state during development. Please use releases instead of the master branch in order to get a stable set of binaries.

Check out our Live Demo!

Any feedback is welcome! If you need/want a new feature, find a bug or think of any way to improve Navidrome, please file a GitHub issue or join the discussion in our Subreddit. If you want to contribute to the project in any other way (ui/backend dev, translations, themes), please join the chat in our Discord server.

Installation

See instructions on the project's website

Cloud Hosting

PikaPods has partnered with us to offer you an officially supported, cloud-hosted solution. A share of the revenue helps fund the development of Navidrome at no additional cost for you.

PikaPods

Features

  • Handles very large music collections
  • Streams virtually any audio format available
  • Reads and uses all your beautifully curated metadata
  • Great support for compilations (Various Artists albums) and box sets (multi-disc albums)
  • Multi-user, each user has their own play counts, playlists, favourites, etc...
  • Very low resource usage
  • Multi-platform, runs on macOS, Linux and Windows. Docker images are also provided
  • Ready to use binaries for all major platforms, including Raspberry Pi
  • Automatically monitors your library for changes, importing new files and reloading new metadata
  • Themeable, modern and responsive Web interface based on Material UI
  • Compatible with all Subsonic/Madsonic/Airsonic clients
  • Transcoding on the fly. Can be set per user/player. Opus encoding is supported
  • Translated to various languages

Translations

Navidrome uses POEditor for translations, and we are always looking for more contributors

Documentation

All documentation can be found in the project's website: https://www.navidrome.org/docs. Here are some useful direct links:

Screenshots