Commit graph

52 commits

Author SHA1 Message Date
SergeantPanda
c44cac2e9a fix(recording playback): Complete authentication handling for DVR recordings by allowing JWT tokens via query parameters for both native video and HLS segments. Updated API views to support token propagation in redirects and playlist rewrites. Enhanced tests to validate new authentication behavior across endpoints. 2026-06-25 11:27:57 -05:00
SergeantPanda
72d1520400 feat(auth): add QueryParamJWTAuthentication for token retrieval via query parameters
feat(vod): include token in stream URL for episode and movie requests (Fixes #1224)
2026-05-30 11:14:59 -05:00
SergeantPanda
dc649ffd88 Enhancement: Initial fmp4 support and major ts_proxy refactor 2026-05-08 17:46:47 -05:00
Seth Van Niekerk
dec92ecd31
bump MAX_CUSTOM_PROPS_SIZE to 100KB 2026-05-01 19:15:45 -04:00
Seth Van Niekerk
911644531b
add allowed_networks to ADMIN_ONLY_PROPS 2026-05-01 09:14:30 -04:00
Seth Van Niekerk
a01814069a
code review & pivot 2026-05-01 09:10:37 -04:00
Seth Van Niekerk
8894d51877
restrict XC access per user by configurable IP allowlist 2026-04-28 16:35:32 -04:00
SergeantPanda
8afaa01184 security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit.
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
2026-04-10 19:54:10 -05:00
SergeantPanda
e861fca092 Enhancement: Enhanced Swagger UI authorization dialog: registered a custom OpenApiAuthenticationExtension for ApiKeyAuthentication so drf-spectacular now generates an ApiKeyAuth (apiKey) entry alongside jwtAuth. Both entries include descriptive text linking to the relevant endpoints (/api/accounts/token/, /api/accounts/api-keys/generate/, /api/accounts/api-keys/revoke/). 2026-04-10 18:29:13 -05:00
SergeantPanda
fa9a7868ff security: proxy streaming endpoints (stream_ts, stream_xc, stream_vod, head_vod, stream_xc_movie, stream_xc_episode) use @permission_classes([AllowAny]) (access is controlled by the per-stream-type network allow-list inside the view body); the UserAgentViewSet, StreamProfileViewSet, CoreSettingsViewSet, and ProxySettingsViewSet gained get_permissions() methods mapping read actions to IsStandardUser and write actions to IsAdmin; and AuthViewSet.logout was updated to return [Authenticated()]. 2026-04-10 10:47:50 -05:00
SergeantPanda
b535f28ac5 security: Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests. 2026-04-09 21:46:50 -05:00
SergeantPanda
08545b8c92 security: Prevented users from setting xc_password (and other admin-managed keys) on their own account via the PATCH /api/accounts/users/me/ endpoint. 2026-04-09 21:31:38 -05:00
dekzter
a19be96ced fleshed out user limits and termination logic 2026-03-25 17:33:26 -04:00
dekzter
1dd368278c reverted value checking for consistency, added in user id to client info 2026-03-13 09:57:22 -04:00
dekzter
f69a462253 merged in dev 2026-03-13 08:22:44 -04:00
SergeantPanda
70a0b43c8a Cleanup frontend and backend if valid item ids change. 2026-03-08 17:05:26 -05:00
SergeantPanda
63234a4a46 Bug Fix: Restore integrations/system groups and fix channels reference after rebase 2026-03-08 16:35:34 -05:00
SergeantPanda
d5aaa0277c security: Do not allow user to give themselves admin or super_user privileges. 2026-03-08 16:30:48 -05:00
SergeantPanda
a4ad9a9135 Move python test into tests folder. Fix frontend test after merge changes. 2026-03-08 16:30:47 -05:00
SergeantPanda
cde39c0e13 Fixed logic with default orders. 2026-03-08 16:30:42 -05:00
Jeff Casimir
8fb88827ae Fix code review findings for navigation ordering PR
P1 (Critical):
- Replace undefined @swagger_auto_schema with @extend_schema
- Add custom_properties validation with size limits
- Add merge semantics in serializer update() to prevent data loss

P2 (Important):
- Add debouncing (800ms) for drag operations in NavOrderForm
- Add error handling with notifications for visibility toggle
- Use store getters in Sidebar instead of direct property access
- Cache hiddenNav before render loop

P3 (Nice-to-have):
- Add canHide: false to settings nav item
- Fix admin check to use >= instead of ==
- Fix ESLint unused variable warnings

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-08 16:28:29 -05:00
Jeff Casimir
edf81ef6c6 Add PATCH method to /me/ endpoint for user preferences
- Allow users to update their own profile via PATCH /api/accounts/users/me/
- Supports partial updates to custom_properties (including navOrder)
- Add comprehensive test coverage for the endpoint

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-08 16:25:47 -05:00
SergeantPanda
abba65816b Migrations: Add missing migrations. 2026-02-26 13:25:51 -06:00
dekzter
6f4665e6eb merged in dev 2026-02-26 08:20:20 -05:00
Matt Grutza
3ec62a3d52
Merge branch 'dev' into Feature/954-1004-user-account-management 2026-02-24 14:49:31 -06:00
None
54f3ee2185 Remove is_Active reference to user accounts
Removed is_active references and checks for users accounts as the functionality does not align with project direction
2026-02-23 18:39:54 -06:00
None
f453380f5c Remove user account disable/enable UI (keep backend guards)
Removed the frontend UI exposure
while keeping backend guards as defensive measures.

Removed:
- frontend/src/components/forms/User.jsx — Account Enabled switch
- frontend/src/components/tables/UsersTable.jsx — Status column
- apps/accounts/api_views.py — is_active check in TokenRefreshView
- apps/accounts/tests.py — related tests
2026-02-22 20:02:08 -06:00
None
db318e4981 Fix #954: Superuser detection; Feature #1004: User account disable/enable
Bug #954: The initialize_superuser endpoint only checked is_superuser=True, missing admin accounts created via the API (user_level=10). This caused users to intermittently see the "Create Super User" page instead of login.

Feature #1004: Admins can now disable/enable user accounts. Disabled users are blocked from JWT login, token refresh, XC API access, and all
authenticated endpoints. The last active admin cannot be disabled.

Files changed:

Backend:
- apps/accounts/api_views.py — Superuser check uses user_level>=10; token refresh blocks disabled users
- apps/accounts/models.py — CustomUserManager ensures create_superuser() always sets user_level=10
- apps/accounts/serializers.py — Last-admin protection guard; respect is_active on user creation
- apps/accounts/tests.py — new tests covering superuser detection, token
 refresh blocking, last-admin protection, disabled user login/access
- apps/backups/api_views.py — Switched from DRF's IsAdminUser (checks is_staff) to app's IsAdmin (checks user_level) on all 8 endpoints
- apps/backups/tests.py — new tests verifying user_level-based admin permission on backup endpoints
- apps/output/views.py — is_active check on xc_get_user(), xc_movie_stream(), xc_series_stream()
- apps/proxy/ts_proxy/views.py — is_active check on stream_xc()
- core/api_views.py — Admin notification filter uses user_level>=10
- core/developer_notifications.py — Admin checks use user_level>=10

Frontend:
- frontend/src/App.jsx — Null-safe superuser existence check
- frontend/src/components/forms/User.jsx — Account Enabled switch with
  self-disable prevention and tooltip
- frontend/src/components/tables/UsersTable.jsx — Status column (Active/Disabled badge)
2026-02-22 18:05:02 -06:00
dekzter
aece3367ce backend work for api key authentication 2026-02-21 13:45:07 -05:00
dekzter
24f812dc4d initial connect feature 2026-02-08 09:29:22 -05:00
dekzter
dba70b3c58 outstanding commits, may revisit later 2026-01-27 15:23:07 -05:00
SergeantPanda
5364123745 - Swagger/OpenAPI Migration: Migrated from drf-yasg (OpenAPI 2.0) to drf-spectacular (OpenAPI 3.0) for API documentation. This provides:
- Native Bearer token authentication support in Swagger UI - users can now enter just the JWT token and the "Bearer " prefix is automatically added
  - Modern OpenAPI 3.0 specification compliance
  - Better auto-generation of request/response schemas
  - Improved documentation accuracy with serializer introspection
2026-01-27 13:33:33 -06:00
SergeantPanda
cb1953baf2 Enhancement: Implement comprehensive logging for user authentication events and network access restrictions 2025-11-21 10:50:48 -06:00
SergeantPanda
dfaae6e617 Enhance UserViewSet queryset to prefetch related channel_profiles for improved performance 2025-09-14 19:47:40 -05:00
SergeantPanda
8cae13f845 Remove unneeded migration. 2025-09-02 09:59:06 -05:00
SergeantPanda
6f6c28ca7c Convert custom_properties to jsonb in the backend. 2025-09-02 09:41:51 -05:00
SergeantPanda
ac07a5217f Set last_login when successful login occurs. 2025-06-28 08:55:07 -05:00
SergeantPanda
1a8bbb6bb8 Reorder columns 2025-06-27 21:59:56 -05:00
SergeantPanda
1e91dd7597 Added all available fields. 2025-06-27 21:43:50 -05:00
dekzter
3f445607e0 looooots of updates for user-management, initial commit of access control 2025-05-31 18:01:46 -04:00
dekzter
e95c0859ab user custom properties, xc has its own password, properly checking xc permissions for streaming 2025-05-22 15:21:43 -04:00
dekzter
79104affe3 fixed migration issues 2025-05-18 11:53:09 -04:00
dekzter
74d58515d0 user management, user levels, user level channel access 2025-05-18 11:19:34 -04:00
dekzter
a9437e9214 new migrations 2025-03-05 17:18:04 -05:00
dekzter
3ecb49375c Websockets, fixed channel name collision, added back in multi-stream per channel support 2025-03-05 17:04:43 -05:00
Dispatcharr
814d6a6cda Added Super User Creator
Added creator
Corrected license in swagger
2025-03-03 14:57:38 -06:00
dekzter
3e3f4c85a1 multi stream support 2025-03-02 15:06:47 -05:00
kappa118
9c84b65302 initial migrations 2025-03-01 19:02:21 -05:00
kappa118
0dfa001f3a initial commit of react frontend 2025-02-23 14:35:19 -05:00
Dispatcharr
9da7adda92 Pre Alpha v4
Added login page
Added login/logout buttons
Added m3u settings
Added stream profiles to channels and streams
Added ability to add individual stream outside of m3u file
Added ability to add youtube live links as a stream source
Deleted migrations
Deleted pycache folders
Changed HDHR to get ip dynamically
2025-02-22 20:43:55 -06:00