Commit graph

3203 commits

Author SHA1 Message Date
SergeantPanda
f98bb183da Bug Fix: Fixed a provider TCP connection leak in the VOD proxy 2026-04-13 19:33:22 -05:00
SergeantPanda
a3f7d465d5
Merge pull request #1125 from firestaerter3:fix/vod-profile-connections-race-conditions
fix(vod-proxy): eliminate profile_connections counter stuck-at-nonzero races
2026-04-13 19:11:12 -05:00
SergeantPanda
55048b60e3 fix(vod-proxy): prevent double profile decrement and clean up stream counter naming 2026-04-13 18:40:33 -05:00
SergeantPanda
d73071b20f Merge branch 'dev' of https://github.com/Dispatcharr/Dispatcharr into pr/firestaerter3/1125 2026-04-13 17:42:43 -05:00
SergeantPanda
f8407610c8 Bug Fix/Enhancement: Improve logic for get xc epg endpoint for short epgs. Also support epg_days from xc user for xc epg endpoint.
Some checks failed
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Has been cancelled
2026-04-12 18:51:40 -05:00
SergeantPanda
9f3d4ff7ff Enhancement: Improved the EPG response cache key 2026-04-12 18:19:19 -05:00
SergeantPanda
62848c0ea0 Enhancement: Improved the HDHR, M3U, and EPG URL builder popovers in the Channels table 2026-04-12 17:24:17 -05:00
SergeantPanda
95fba1cb84 Bug Fix: Fixed the XC Password field in the User modal being editable by standard users 2026-04-12 16:45:58 -05:00
SergeantPanda
123509eb9d Enhancement: Redesigned the User settings modal with a tabbed layout 2026-04-12 16:39:35 -05:00
SergeantPanda
ba967f47d9 Enhancement: **EPG historical data window**: the EPG XML output and XC EPG API now support a prev_days URL parameter (e.g. &prev_days=3) to include past programs in the EPG response. This allows third-party players that request historical program schedules to receive the data they need. The EPG URL builder in the Channels page exposes "Days forward" and "Days back" controls. Per-user defaults for both values (epg_days / epg_prev_days) can be configured in the User settings modal and are applied automatically when no URL parameter is present. (Closes #1154) 2026-04-12 16:34:15 -05:00
SergeantPanda
a83b9fdf62 Enhancement: EPG channel scanning now automatically removes stale EPGData entries. 2026-04-12 15:37:28 -05:00
SergeantPanda
298ca3260e tests: Update frontend tests for recent frontend changes (Floating Video Player and Stream Connection Card)
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
2026-04-12 12:37:02 -05:00
SergeantPanda
e69a8f3449 Bug Fix: Stats page "Active Stream" dropdown not updating when a stream switch occurs 2026-04-12 12:28:39 -05:00
SergeantPanda
b629836b3d Bug Fix: Fixed stream switch metadata (url, user_agent, stream_id, m3u_profile) being written to Redis before the switch was confirmed to succeed 2026-04-12 12:02:20 -05:00
SergeantPanda
65d14644b4 Bug Fix: Fixed the next_stream rotation endpoint applying the same class of bug 2026-04-12 11:36:08 -05:00
SergeantPanda
ef030b3da0 Bug Fix: Manual stream selection from the Stats page not enforcing M3U profile connection limits in multi-worker deployments 2026-04-12 10:03:46 -05:00
SergeantPanda
ad46a10ce6 Bug Fix: Uploading a local M3U file with no expiration date set sending the string "null" as the exp_date field in the FormData request, causing a 400 validation error from the API. Null/undefined values are now skipped when building the FormData body, matching the behaviour already present in the update path. 2026-04-12 09:04:49 -05:00
SergeantPanda
f1a82e8843 Bug Fix: Fixed several incorrect or incomplete OpenAPI (@extend_schema) schemas across the API
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
2026-04-11 17:02:07 -05:00
SergeantPanda
1adbc70f53 Bug Fix: Fix bulk channel edit API when including streams array. (Fixes #883) 2026-04-11 16:11:45 -05:00
SergeantPanda
bfec229ca9 Enhancements:
- Rewrote the M3U line parser as an `iter_m3u_entries` generator that owns the full per-entry state machine. Intermediate directive lines between `#EXTINF` and the stream URL are now handled correctly rather than corrupting the pending entry or being silently misassigned. A `#EXTINF` with no following URL is discarded with a warning instead of carrying over a `url`-less entry into batch processing. Attribute keys are normalised to lowercase during parsing (provider attribute names remain case-insensitive end-to-end). The `#EXTINF` attribute regex is pre-compiled at module load, and attribute lookups use O(1) `dict.get()` instead of linear scans — approximately 10% faster parsing on large M3U files.
- Added support for the `#EXTGRP` directive in M3U files. When a `group-title` attribute is absent from the `#EXTINF` line, the value from a following `#EXTGRP:` line is used as the group. An explicit `group-title` attribute always takes priority. (Closes #1088)
- Added accumulation of `#EXTVLCOPT` directives per entry. Options are stored as a list under `vlc_opts` inside the stream's `custom_properties`, available for downstream use (e.g. passing VLC-specific options to the player). This is for a planned future enhancement and can also be utlized with the API.
2026-04-11 14:57:52 -05:00
SergeantPanda
fd7ac0029d Enhancement: M3U stream name parsing now uses the comma text (the canonical display title per the base #EXTINF spec) as the primary stream name, falling back to tvc-guide-title, then tvg-name, rather than preferring tvg-name first. Providers that use tvg-name as an EPG key and put the human-readable title after the comma will now display the correct name. Providers that duplicate the same value in both fields are unaffected. (Fixes #1081) 2026-04-11 12:46:36 -05:00
SergeantPanda
4a6724c94b Enhancement: FloatingVideo player: the native video controls (timeline, play/pause, volume) are now hidden by default when a live stream starts and only appear when the user hovers over the player. 2026-04-11 09:34:38 -05:00
SergeantPanda
8afaa01184 security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit.
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
2026-04-10 19:54:10 -05:00
SergeantPanda
e861fca092 Enhancement: Enhanced Swagger UI authorization dialog: registered a custom OpenApiAuthenticationExtension for ApiKeyAuthentication so drf-spectacular now generates an ApiKeyAuth (apiKey) entry alongside jwtAuth. Both entries include descriptive text linking to the relevant endpoints (/api/accounts/token/, /api/accounts/api-keys/generate/, /api/accounts/api-keys/revoke/). 2026-04-10 18:29:13 -05:00
SergeantPanda
f83523cfa2 changelog: Update changelog for plugin hub. 2026-04-10 17:50:02 -05:00
SergeantPanda
d8d0695963
Merge pull request #1155 from sv-dispatcharr/feat/plugin-hub
Some checks failed
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
Base Image Build / prepare (push) Has been cancelled
Base Image Build / docker (amd64, ubuntu-24.04) (push) Has been cancelled
Base Image Build / docker (arm64, ubuntu-24.04-arm) (push) Has been cancelled
Base Image Build / create-manifest (push) Has been cancelled
[Feature]: Add in-app plugin repo browser & management
2026-04-10 15:01:09 -05:00
Seth Van Niekerk
03b50420f5
update background color for AvailablePluginCard and PluginCard components; adjust button group alignment in PluginBrowsePage 2026-04-10 15:40:34 -04:00
Seth Van Niekerk
9734bca239
fix: update author display in PluginCard test 2026-04-10 15:22:08 -04:00
Seth Van Niekerk
e8e1560106
simplify component structure and improve layout responsiveness 2026-04-10 15:17:01 -04:00
Seth Van Niekerk
2573928e2a
enhance plugin installation and manifest fetching error handling with code review suggestions 2026-04-10 14:44:07 -04:00
Seth Van Niekerk
1cda7b9439
feat: plugin hub 2026-04-10 13:53:45 -04:00
SergeantPanda
192a134c04 changelog: Update changelog for python package updates/additions. 2026-04-10 12:30:58 -05:00
SergeantPanda
9b4d18bc18 Merge branch 'main' of https://github.com/Dispatcharr/Dispatcharr into dev 2026-04-10 12:26:31 -05:00
SergeantPanda
8eb22ce45a Enhancement: Add python-gnupg to dependencies for plugin store.
Some checks failed
Base Image Build / prepare (push) Has been cancelled
Build and Push Multi-Arch Docker Image / build-and-push (push) Has been cancelled
Base Image Build / docker (amd64, ubuntu-24.04) (push) Has been cancelled
Base Image Build / docker (arm64, ubuntu-24.04-arm) (push) Has been cancelled
Base Image Build / create-manifest (push) Has been cancelled
2026-04-10 12:24:19 -05:00
SergeantPanda
ff60005442 chore: Updated python packages.
- `Django` 6.0.3 → 6.0.4
  - `djangorestframework` 3.16.1 → 3.17.1
  - `requests` 2.33.0 → 2.33.1
  - `gevent` 25.9.1 → 26.4.0
  - `rapidfuzz` 3.14.3 → 3.14.5
  - `sentence-transformers` 5.3.0 → 5.4.0
  - `lxml` 6.0.2 → 6.0.3
2026-04-10 12:16:49 -05:00
SergeantPanda
06358a0333
Merge pull request #1190 from Dispatcharr/hardening
Hardening
2026-04-10 11:34:03 -05:00
SergeantPanda
c3fb9c0073 security: Fixed missing network_access_allowed checks in the VOD proxy. stream_vod, head_vod, stream_xc_movie, and stream_xc_episode were not checking the STREAMS network policy, unlike the equivalent TS proxy endpoints. 2026-04-10 11:09:27 -05:00
SergeantPanda
fa9a7868ff security: proxy streaming endpoints (stream_ts, stream_xc, stream_vod, head_vod, stream_xc_movie, stream_xc_episode) use @permission_classes([AllowAny]) (access is controlled by the per-stream-type network allow-list inside the view body); the UserAgentViewSet, StreamProfileViewSet, CoreSettingsViewSet, and ProxySettingsViewSet gained get_permissions() methods mapping read actions to IsStandardUser and write actions to IsAdmin; and AuthViewSet.logout was updated to return [Authenticated()]. 2026-04-10 10:47:50 -05:00
SergeantPanda
66ee67da30 security: Change from default of "Authenticated" to "IsAdmin" 2026-04-10 10:46:16 -05:00
SergeantPanda
289a8f48d0 security: Update frontend packages to mitigate CVE's. 2026-04-10 08:50:13 -05:00
SergeantPanda
04a684b359 security: Removed CORS_ALLOW_CREDENTIALS = True from CORS configuration. Dispatcharr authenticates via JWT Authorization headers and API keys — not cookies — so credentials are never sent cross-origin by browsers. The setting was also redundant: browsers reject Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin is a wildcard (*), so it had no effect in practice. 2026-04-10 08:34:13 -05:00
SergeantPanda
b535f28ac5 security: Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests. 2026-04-09 21:46:50 -05:00
SergeantPanda
47427d4b0f security:
- Set `DEFAULT_PERMISSION_CLASSES` to `Authenticated` in the DRF configuration.
- Explicitly marked the HDHomeRun discovery endpoints (`DiscoverAPIView`, `LineupAPIView`, `LineupStatusAPIView`, `HDHRDeviceXMLAPIView`) and the version endpoint with `permission_classes = [AllowAny]` to document their intentionally public access now that the global default is `Authenticated`.
2026-04-09 21:36:51 -05:00
SergeantPanda
7083c512be security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
SergeantPanda
08545b8c92 security: Prevented users from setting xc_password (and other admin-managed keys) on their own account via the PATCH /api/accounts/users/me/ endpoint. 2026-04-09 21:31:38 -05:00
SergeantPanda
dcefc6541c chore(cleanup): - Removed dead VODConnectionManager class (apps/proxy/vod_proxy/connection_manager.py) and its associated helpers, which had been superseded by MultiWorkerVODConnectionManager. All active code already used the multi-worker implementation. Removed the unused VODConnectionManager import from vod_proxy/views.py, the unscheduled cleanup_vod_connections task from apps/proxy/tasks.py, and the unscheduled cleanup_vod_persistent_connections task from core/tasks.py.
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
- Removed dead VOD URL routes: `VODPlaylistView` (playlist generation), `VODPositionView` (position tracking), and the class-based `VODStatsView` (replaced by the existing function-based `vod_stats` view).
- Removed dead `updateVODPosition()` API method from `frontend/src/api.js`, which called the now-removed position tracking endpoint.
2026-04-09 19:59:50 -05:00
SergeantPanda
7f64642003 security: Hardened the HLS proxy change_stream endpoint by converting it from a plain Django view to a DRF @api_view with @permission_classes([IsAdmin]), ensuring the endpoint actually enforces admin-only access. The previous decorator arrangement (@csrf_exempt + @permission_classes) had no effect on a plain Django view. 2026-04-09 19:58:40 -05:00
SergeantPanda
df6d821135 changelog: Update changelog for refactor PR. 2026-04-09 18:28:20 -05:00
SergeantPanda
bf409fb240
Merge pull request #1187 from nick4810:tests/frontend-unit-tests
Tests/frontend unit tests
2026-04-09 18:21:36 -05:00
SergeantPanda
442e2bdc0e Remove unused starttime24_long from buildTimePlaceholders, simplified formatTime24. 2026-04-09 17:50:59 -05:00