fix(security): secure unauthenticated NZBDav import endpoints#317

Merged
javi11 merged 14 commits into javi11:main from drondeseries:fix/nzbdav-security
Feb 23, 2026

Conversation

@drondeseries (Contributor)

Description

This PR addresses a security vulnerability where the NZBDav import endpoints were accessible without authentication.

Changes

  • Moved the following endpoints behind the global JWT authentication middleware in internal/api/server.go:
    • POST /api/import/nzbdav
    • POST /api/import/nzbdav/reset
    • GET /api/import/nzbdav/status
    • DELETE /api/import/nzbdav

Security Impact

  • Prevents unauthenticated users from triggering imports, resetting import status, or viewing sensitive import information.
  • Manual file import and Arrs webhook endpoints remain accessible to external tools as they correctly implement their own API key verification.

Verification

  • Confirmed that accessing these endpoints without a valid token now returns 401 Unauthorized.
  • Validated that authenticated requests continue to function correctly.

- increase base font sizes and restore table header legibility
- increase touch target sizes for buttons and checkboxes
- fix layout padding and wrapping issues on mobile
- add mobile navbar logo & configuration shortcut
- enhance config panels with higher border and background contrast

Moved the NZBDav import endpoints behind the global JWT authentication middleware to prevent unauthenticated access. Previously, these endpoints (status, reset, import, cancel) were publicly accessible, allowing unauthorized users to trigger imports or view import status.

The manual file import and Arrs webhook endpoints remain outside the JWT middleware as they implement their own API key verification logic.
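The route split described in the PR description and in the commit message above, as an added example in Go that is not code from the PR or from the project: a global JWT middleware guards the NZBDav import routes, a webhook-style route stays outside it with its own API-key check, and a probe helper reproduces the verification step the PR lists (401 without a token, 200 with one). It uses only the standard library because the page does not show the project's router; the secret values, the handler names, the `/api/webhook/arrs` path and the `X-Api-Key` header are assumptions. The JWT side goes slightly beyond the PR text by pinning `alg` to HS256 and requiring an unexpired `exp` claim, since a middleware that skips those checks protects nothing regardless of where the routes are mounted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Hypothetical secrets for the example; a real deployment loads them from its config.
var (
	jwtSecret = []byte("example-jwt-secret")
	apiKey    = "example-arrs-api-key"
	b64       = base64.RawURLEncoding
)

// hs256 returns the HMAC-SHA256 tag over a JWT signing input (header.payload).
func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// verifyHS256 accepts a compact JWT only with alg pinned to HS256, a matching signature and a future exp.
func verifyHS256(token string, secret []byte, now time.Time) bool {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return false
	}
	var hdr struct{ Alg string `json:"alg"` }
	var claims struct{ Exp int64 `json:"exp"` }
	hb, err1 := b64.DecodeString(p[0])
	pb, err2 := b64.DecodeString(p[1])
	sig, err3 := b64.DecodeString(p[2])
	if err1 != nil || err2 != nil || err3 != nil ||
		json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" || // rejects alg=none and key confusion
		json.Unmarshal(pb, &claims) != nil || claims.Exp == 0 {
		return false
	}
	return hmac.Equal(sig, hs256(secret, p[0]+"."+p[1])) && now.Unix() < claims.Exp
}

// signHS256 mints a token so the demo can exercise the authenticated path.
func signHS256(secret []byte, exp time.Time) string {
	enc := func(v any) string { j, _ := json.Marshal(v); return b64.EncodeToString(j) }
	in := enc(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + enc(map[string]int64{"exp": exp.Unix()})
	return in + "." + b64.EncodeToString(hs256(secret, in))
}

// requireJWT is the global middleware: every route mounted behind it needs a valid bearer token.
func requireJWT(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || !verifyHS256(auth[len("Bearer "):], jwtSecret, time.Now()) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// newServer mounts the NZBDav import routes behind requireJWT; the webhook route (hypothetical
// path) stays outside it with its own API-key check. Method routing is left out for brevity.
func newServer() http.Handler {
	protected := http.NewServeMux()
	protected.HandleFunc("/api/import/nzbdav", ok)        // POST import, DELETE cancel
	protected.HandleFunc("/api/import/nzbdav/reset", ok)  // POST
	protected.HandleFunc("/api/import/nzbdav/status", ok) // GET
	root := http.NewServeMux()
	root.Handle("/api/import/nzbdav", requireJWT(protected))
	root.Handle("/api/import/nzbdav/", requireJWT(protected))
	root.HandleFunc("/api/webhook/arrs", func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Api-Key")), []byte(apiKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return root
}

// probe runs one request against the in-memory server and returns the HTTP status code.
func probe(method, path string, headers map[string]string) int {
	req := httptest.NewRequest(method, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	newServer().ServeHTTP(rec, req)
	return rec.Code
}
```

The file is meant to be driven from a Go test that calls `probe`. The point to carry into review is the mount: a handler registered directly on `root` instead of under `requireJWT` is reachable with no credentials at all, which is the condition the PR describes for the import endpoints before the fix; a bearer token also does not substitute for the webhook's API key, and vice versa, so each route has exactly one credential that opens it.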
javi11 merged commit 4818f4e into javi11:main on Feb 23, 2026
1 check passed

2 participants