Commit graph

149 commits

Author SHA1 Message Date
SergeantPanda
66ee67da30 security: Change from default of "Authenticated" to "IsAdmin" 2026-04-10 10:46:16 -05:00
SergeantPanda
04a684b359 security: Removed CORS_ALLOW_CREDENTIALS = True from CORS configuration. Dispatcharr authenticates via JWT Authorization headers and API keys — not cookies — so credentials are never sent cross-origin by browsers. The setting was also redundant: browsers reject Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin is a wildcard (*), so it had no effect in practice. 2026-04-10 08:34:13 -05:00
SergeantPanda
b535f28ac5 security: Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests. 2026-04-09 21:46:50 -05:00
SergeantPanda
47427d4b0f security:
- Set `DEFAULT_PERMISSION_CLASSES` to `Authenticated` in the DRF configuration.
- Explicitly marked the HDHomeRun discovery endpoints (`DiscoverAPIView`, `LineupAPIView`, `LineupStatusAPIView`, `HDHRDeviceXMLAPIView`) and the version endpoint with `permission_classes = [AllowAny]` to document their intentionally public access now that the global default is `Authenticated`.
2026-04-09 21:36:51 -05:00
SergeantPanda
086cc74959 Bug Fix: M3U profile URL rewriting now uses the regex module instead of re across all URL transform code paths (url_utils.transform_url, core/views.py, vod_proxy/_transform_url, tasks.get_transformed_credentials, and the WebSocket live-preview handler in consumers.py). The regex module natively accepts JavaScript/PCRE-style named capture groups ((?<name>...)) without any conversion, eliminating the root cause of patterns that matched in the frontend live preview but failed on the backend with a re.error. As a further improvement, regex also supports variable-length lookbehind assertions (e.g. (?<=a+)), which re rejects with an error; patterns using these will now work correctly on the backend as well. Replace-pattern JS tokens are still normalised before calling regex.sub: $<name>\g<name> and $1/$2/… → \1/\2/… (Python replacement syntax). Also fixed a bug in the WebSocket preview handler where a pattern error was incorrectly returning the search pattern string as the preview output instead of the original URL. (Fixes #1005)
Some checks failed
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Has been cancelled
2026-03-29 17:55:08 -05:00
dekzter
90a600b48f merged in dev 2026-03-26 12:17:43 -04:00
dekzter
a19be96ced fleshed out user limits and termination logic 2026-03-25 17:33:26 -04:00
None
b30a24e2fb feat: add TLS connection support for Redis and PostgreSQL (#950)
- Add 10 env vars for Redis/PostgreSQL TLS (REDIS_SSL, REDIS_SSL_VERIFY, REDIS_SSL_CA_CERT, REDIS_SSL_CERT, REDIS_SSL_KEY, POSTGRES_SSL, POSTGRES_SSL_MODE, POSTGRES_SSL_CA_CERT, POSTGRES_SSL_CERT, POSTGRES_SSL_KEY)
- Propagate SSL params to all Redis connection points: RedisClient, stream view, PubSub, client manager, Celery broker/result backend, Django Channels, and pre-Django startup scripts
- Add Celery SSL config via URL query string params (required by Kombu's internal URL parsing)
- Add PostgreSQL sslmode and certificate options to DATABASES config
- Add startup validation: cert file existence, URL scheme conflict detection, TLS status logging
- Add TLS error hints to Redis connection failure messages
- Add Connection Security panel in System Settings (modular mode only) showing encryption, verification, and mTLS status
- Add PG client key permission fix in web and celery entrypoints for Docker Desktop compatibility (0777 to 0600)
- Add TLS env var passthrough in entrypoint for su - login shells
- Document TLS env vars in modular docker-compose.yml
- Change env_mode from dev/prod to actual DISPATCHARR_ENV value for modular mode detection
2026-03-21 17:24:09 -05:00
SergeantPanda
1d4603dadd Enhancement: Optimize profile expiration handling and update task naming for clarity 2026-03-15 12:42:34 -05:00
SergeantPanda
b22f9e8e07 Enhancement: Account expiration tracking and notifications for M3U profiles 2026-03-14 18:38:59 -05:00
dekzter
f69a462253 merged in dev 2026-03-13 08:22:44 -04:00
SergeantPanda
76271fc9fd Bug Fix: Version update notification persisting after upgrading to the notified version (e.g. "v0.20.2 available" shown while already running v0.20.2). Root cause: check_for_version_update.delay() was called from AppConfig.ready(), which fires inside Celery prefork pool subprocesses before the broker connection is established, causing the dispatch to fail silently with no log output. Fixed by moving the startup dispatch to the worker_ready signal in celery.py (consistent with the existing recover_recordings_on_startup pattern), and deleting the stale version-{current_version} notification at the top of the production check path so it is cleared even when GitHub is unreachable. A WebSocket update is sent immediately on deletion so the frontend badge clears without waiting for the API response. 2026-03-08 13:38:18 -05:00
SergeantPanda
bf87c44a72 Merge branch 'dev' of https://github.com/Dispatcharr/Dispatcharr into pr/CodeBormen/1063 2026-03-05 16:48:34 -06:00
None
ce9f7ccbf9 fix(m3u): fix Celery worker memory leak during M3U/XC refresh
Restructure cleanup in refresh_single_m3u_account so del statements
run before gc.collect(), enabling cyclic garbage collection. Add worker_max_memory_per_child as a safety net against memory fragmentation.

Closes #1012, Closes #1053
2026-03-05 13:47:20 -06:00
None
9d08305dcb fix(dvr): fix recording modal crash, harden recovery pipeline, improve tests
Frontend:
- RecordingDetailsModal: fix ReferenceError crash (editing state used before declaration in useMemo — TDZ in production bundles broke all tile clicks)
- RecordingDetailsModal: fix focus-stealing on description edit by calling Movie()/Series() as plain functions instead of <Movie />/<Series />(inline component refs change every render, causing unmount/remount)
- RecordingDetailsModal: suppress sub_title in modal title after custom save
- ErrorBoundary: log caught errors and show message for easier debugging
- guideUtils: filter terminal recordings from mapRecordingsByProgramId so Guide red dots clear after recording finishes or rule is deleted
- RecordingDetailsModalUtils.test: add missing end_time to test fixtures (filterByUpcoming now uses end_time instead of start_time)

Backend:
- tasks.py: output file collision avoidance (check .mkv/.ts before writing)
- tasks.py: pre-restart TS segment concatenation (direct concat→MKV remux)
- tasks.py: recovery pipeline — recover crashed "recording" status, remux expired recordings, revoke stale tasks, deterministic task IDs, early lock release, 10-min lock TTL for large remux operations
- tasks.py: poster resolver skips external API when title matches channel name
- celery.py: trigger recover_recordings_on_startup via worker_ready signal

Tests:
- Renamed test_dvr_fixes.py → test_recording_pipeline.py (clarity)
- Renamed test_dvr_retry.py → test_db_retry.py (clarity), fixed mock paths for close_old_connections (resolved 3 test failures), replaced synthetic test
- test_recording_stop_cancel: replaced brittle time.sleep(0.5) with deterministic thread-capture pattern
2026-03-04 10:21:03 -06:00
SergeantPanda
d487bb5671
Revert "fix(wsgi): ensure gevent monkey-patching before Django import chain" 2026-03-03 15:33:55 -06:00
SergeantPanda
a8ba2ade18 Merge branch 'dev' of https://github.com/Dispatcharr/Dispatcharr into pr/endoze/1026 2026-03-03 11:52:12 -06:00
Endoze
9b6c793b11
fix(wsgi): ensure gevent monkey-patching before Django import chain
Celery's Redis connection pool was silently failing in modular
deployment mode because Django's setup imports celery.py before uWSGI's
gevent plugin reliably patches stdlib sockets. Moving patch_all() to the
top of wsgi.py guarantees all broker connections are gevent-aware
regardless of uWSGI initialization order.
2026-02-26 10:23:50 -05:00
dekzter
6f4665e6eb merged in dev 2026-02-26 08:20:20 -05:00
dekzter
7dc01a821b
Merge pull request #1019 from Dispatcharr/integrations-fix
pass all details into event triggers, updated custom script default path
2026-02-24 12:42:29 -05:00
dekzter
9470600474 pass all details into event triggers, updated custom script default path 2026-02-24 12:13:21 -05:00
dekzter
aece3367ce backend work for api key authentication 2026-02-21 13:45:07 -05:00
dekzter
55a5180ee1 hardening of script handling with configurable variables - making script execution more secure 2026-02-15 07:37:00 -05:00
dekzter
bc72ea7310 merged in dev 2026-02-11 19:51:21 -05:00
SergeantPanda
1df802341d
Merge pull request #937 from CodeBormen:Feature/Support-External-Redis-Auth
feat: Add Redis authentication support for modular deployment
2026-02-09 17:29:38 -06:00
dekzter
24f812dc4d initial connect feature 2026-02-08 09:29:22 -05:00
SergeantPanda
de81dc6c80 Enhancement: Refactored app initialization to prevent redundant execution across multiple worker processes. Created dispatcharr.app_initialization utility module with should_skip_initialization() function that prevents custom initialization tasks (backup scheduler sync, developer notifications sync) from running during management commands, in worker processes, or in development servers. This significantly reduces startup overhead in multi-worker deployments (e.g., uWSGI with 10 workers now syncs the scheduler once instead of 10 times). Applied to both CoreConfig and BackupsConfig apps. 2026-02-05 13:48:01 -06:00
SergeantPanda
e26c1908c5 Bug Fix: Automatic backups not enabled by default on new installations: Added backups app to INSTALLED_APPS and implemented automatic scheduler initialization in BackupsConfig.ready(). The backup scheduler now properly syncs the periodic task on startup, ensuring automatic daily backups are enabled and scheduled immediately on fresh database creation without requiring manual user intervention. 2026-02-04 16:56:11 -06:00
None
e217960500 feat: Add Redis authentication support for modular deployment
Add support for authentication when connecting to external Redis instances in modular deployment mode. This enables secure Redis deployments using either password-only authentication (Redis <6) or
username + password authentication (Redis 6+ ACL).

Changes:
- Add REDIS_PASSWORD and REDIS_USER environment variables
- Implement URL encoding for special characters in passwords
- Update all Redis connection points to support auth
- Add comprehensive documentation and examples to docker-compose.yml
- Maintains full backward compatibility (empty defaults = no auth)

All authentication mechanisms have been fully tested including pasword-only authentication, Redis 6+ ACL authentication with username + password, volume-mounted configuration files, and special character handling.

Existing deployments are not effected, authentication support is entirely opt-in using docker-compose.

Also, acknowledging the fact that the docker-compose file for modular deployments has been getting out of hand with auth support, the docker-compose.yml file was re-formatted for better visibility in configuration. This seemed like a better way to go than mandating a .env file.
2026-02-03 21:42:06 -06:00
SergeantPanda
b01eb9585c feat: add system notifications and update checks
Real-time notifications for system events and alerts
Per-user notification management and dismissal
Update check on startup and every 24 hours to notify users of available versions
Notification center UI component
Automatic cleanup of expired notifications
2026-02-03 09:24:02 -06:00
SergeantPanda
3c556494c1 Enhancement: Updated default network access settings for M3U and EPG endpoints to only allow local/private networks by default (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ::1/128, fc00::/7, fe80::/10). This improves security by preventing public internet access to these endpoints unless explicitly configured. Other endpoints (Streams, XC API, UI) remain open by default. 2026-01-31 20:26:45 -06:00
SergeantPanda
bd1e0e8f07 Bug fix: Admin URL Conflict with XC Streams: Updated nginx configuration to only redirect exact /admin and /admin/ paths to login in production, preventing interference with stream URLs that use "admin" as a username (e.g., /admin/password/stream_id now properly routes to stream handling instead of being redirected). 2026-01-27 14:36:57 -06:00
SergeantPanda
5364123745 - Swagger/OpenAPI Migration: Migrated from drf-yasg (OpenAPI 2.0) to drf-spectacular (OpenAPI 3.0) for API documentation. This provides:
- Native Bearer token authentication support in Swagger UI - users can now enter just the JWT token and the "Bearer " prefix is automatically added
  - Modern OpenAPI 3.0 specification compliance
  - Better auto-generation of request/response schemas
  - Improved documentation accuracy with serializer introspection
2026-01-27 13:33:33 -06:00
SergeantPanda
36967c10ce Refactor CoreSettings to use JSONField for value storage and update related logic for proper type handling. Adjusted serializers and forms to accommodate new data structure, ensuring seamless integration across the application. 2026-01-13 12:18:34 -06:00
SergeantPanda
de31826137 refactor: externalize Redis and Celery configuration via environment variables
Replace hardcoded localhost:6379 values throughout codebase with environment-based configuration. Add REDIS_PORT support and allow REDIS_URL override for external Redis services. Configure Celery broker/result backend to use Redis settings with environment variable overrides.

Closes #762
2025-12-18 16:54:59 -06:00
SergeantPanda
4878e92f44
Merge pull request #488 from stlalpha/feature/automated-backups
Enhancement: Add automated configuration backups
2025-12-15 16:17:33 -06:00
dekzter
b18bc62983 merged in from main 2025-12-06 14:13:06 -05:00
dekzter
f3a901cb3a Security Fix - generate JWT on application init 2025-12-06 13:40:10 -05:00
dekzter
4a23883d0c merged in upstream 2025-12-05 08:34:29 -05:00
SergeantPanda
f1320c9a5d Merge branch 'dev' of https://github.com/Dispatcharr/Dispatcharr into pr/stlalpha/488 2025-12-02 13:39:06 -06:00
Adrian Mace
6a9b5282cd
fix: allow all IPv6 CIDRs by default
This change ensures that by default, IPv6 clients can
connect to the service unless explicitly denied.

Fixes #593
2025-11-30 00:39:30 +11:00
Jim McBride
3eaa76174e Feature: Automated configuration backups with scheduling
- Create/Download/Upload/Restore database backups (PostgreSQL and SQLite)
- Configurable data directory backups (via settings.py)
- Scheduled backups (daily/weekly) via Celery Beat
- Retention policy (keep last N backups)
- Token-based auth for async task polling
- X-Accel-Redirect support for nginx file serving
- Comprehensive tests
2025-11-26 21:11:13 -06:00
SergeantPanda
afedce5cb2 Enhancement: Implement background profile refresh task with rate limiting to prevent provider bans during account profile updates. 2025-11-18 09:27:22 -06:00
dekzter
50e9075bb5 initial run of a binary and encoded redis client - no more encoding / decoding data into redis, huge PITA (still some outstanding spots I need to patch) 2025-10-25 08:15:39 -04:00
SergeantPanda
9b2ebf169b Better database connection cleanup. 2025-10-16 14:22:19 -05:00
SergeantPanda
ed065f718d Enhancement: Implement caching for proxy settings to improve performance and reduce database load. Also, ensure database connections are closed after use in both config and stream manager. 2025-10-14 13:44:28 -05:00
Dispatcharr
424a450654 DVR Features and bug fixes
Added ability to use custom comskip.ini
Added series recording without reliance on EPG
Fixed comskip bug
Fixed timezone mismatch when scheduling DVR recordings

No migrations completed yet
2025-09-18 10:23:16 -05:00
OkinawaBoss
3fb8e0ebd1
Merge pull request #363 from Dispatcharr/Plugins
Plugins
2025-09-08 09:11:19 -05:00
Dispatcharr
e9a11588c4 Init Plugins 2025-09-05 17:10:11 -05:00
SergeantPanda
870e77b137 Disable fetch-channel-statuses 2025-09-05 10:23:25 -05:00