- Strengthen password requirements with checks for uppercase, lowercase, numbers, and special characters (at least 3 types required)
- Block access to sensitive configuration files like qbm_settings.yml
- Improve API key display in UI with password input and show/hide toggle for better security
Add support for configuring trusted proxy IPs/subnets to properly determine real client IP addresses when behind proxies. This enhances security by allowing accurate local IP detection for authentication bypass. Updates include backend IP detection logic, API endpoints, and frontend UI components.
- Require reauthentication to update security settings via API
(API key or username/password; accepted in body or headers)
- Add current_username/current_password/current_api_key to request
model for secure updates
- Mitigate timing attacks in Basic auth by verifying password using a
dummy hash when username mismatches; improve failure logging
- Enforce restrictive permissions (0600) on qbm_settings.yml during
load/save; warn and attempt automatic correction if permissive
- Lock down CORS defaults: no origins allowed, credentials disabled,
explicit methods/headers only
- Prevent path traversal on config filenames via strict validation and
resolve checks
- Automatically redact secrets in logs by registering sensitive fields
(passwords, tokens, keys)
- Redact password_hash and api_key in security settings responses
- Audit log security setting changes and reload middleware on save
BREAKING CHANGE: CORS is now denied by default (no allowed origins,
credentials disabled). Cross-origin clients must be explicitly allowed.
Updating security settings now requires current credentials (API key or
username/password).
- Filter out sensitive config files (qbm_settings.yml, secrets.yml, etc.) from API list response
- Block direct access to sensitive files like qbm_settings.yml via get_config endpoint
- Remove unused security endpoint path from auth middleware exclusions
This enhances security by preventing exposure of sensitive configuration data through the web API.
- Add base_url parameter to AuthenticationMiddleware for flexible path handling
- Update skip_auth_paths and API checks to incorporate base_url
- Fix username validator to properly handle empty strings without raising errors
- Update WebAPI to pass base_url to middleware
Add comprehensive authentication support for the qBit Manage web UI with multiple methods:
- None (default, no authentication)
- Basic HTTP authentication with browser popup
- API-only authentication (web UI accessible, API requires key)
Key features include:
- Secure password hashing using Argon2
- Rate limiting to prevent brute force attacks
- CSRF protection for state-changing requests
- Local IP bypass option for private networks
- API key generation for programmatic access
- New security settings page in the web UI
Adds [FR]: Authentication on WebUI
Fixes#867
- Update scheduler to use qbm_settings.yml instead of schedule.yml
- Add automatic migration from legacy schedule.yml to new format
- Restructure settings with 'schedule' root key for better organization
- Update file paths and references across modules for consistency
- Preserve backward compatibility with migration logic
Legacy schedule.yml files are automatically migrated and removed.
# Requirements Updated
- "humanize==4.13.0"
- "ruff==0.12.11"
# Breaking Changes
- **DEPRECATE `QBT_CONFIG` / `--config-file` OPTION**
- No longer supporting `QBT_CONFIG` / `--config-file`. Instead please
switch over to **`QBT_CONFIG_DIR` / `--config-dir`**.
- `QBT_CONFIG` / `--config-file` option will still work for now but is
now considered legacy and will be removed in a future release.
- **Note**: All yml/yaml files will be treated as valid configuration
files and loaded in the `QBT_CONFIG_DIR` path. Please ensure you
**remove** any old/unused configurations that you don't want to be
loaded prior to using this path.
# Improvements
- Adds docker support for PUID/PGID environment variables
- Dockerfile copies the latest `config.yml.sample` in the config folder
- Add `QBT_HOST` / `--host` option to specify webUI host address (#929
Thanks to @QuixThe2nd)
- WebUI: Quick action settings persist now
# Bug Fixes
- WebUI: Fix loading spinner to be centered in the webUI
**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.5...v4.6.0
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Fabricio Silva <hi@fabricio.dev>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Parsa Yazdani <parsa@yazdani.au>
Co-authored-by: Actionbot <actions@github.com>
# Improvements
- **ci(docker)**: add OCI labels and build metadata to Docker images
- **Web UI**: Show an "Update available" badge next to the version and a
toast notification when a newer version is detected
- **Web UI**: Add integrated docs with collapsible sections
- **ci(build)**: Publish to PyPI
- **Category**: Allow category changes regardless of the "Category
Update All" status (Fixes#913)
# Bug Fixes
- Fixes container hanging when using run command with QBT_RUN flag
(Fixes#911)
- Fixes bug on interval scheduler not displaying the correct next run
time
- Fix bug on webAPI requests not being queued correctly when called
during a scheduled run
**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.4...v4.5.5
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Actionbot <actions@github.com>
Co-authored-by: bakerboy448 <55419169+bakerboy448@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
# Improvements
- Support cross-platform binary builds (Linux/Windows/MacOS)
- Adds desktop app installers (Linux/Windows/MacOS)
- Container images for latest now pointed to newest version
automatically (Fixes#897)
- Enable automatic open of webUI in local installs
- Add persistence toggling for webUI scheduler
# Bug Fixes
- Fix schedule.yml not loaded upon restarting Docker container (Fixes
#906)
- Fix bug where torrents were not being paused after share limits
reached (Fixes#901)
- Fix(api): prevent path traversal vulnerability in backup restore
endpoint (Fixes CWE-22 Security Vulnerability)
- Fix scheduler to run interval jobs immediately on startup
**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.3...v4.5.4
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
# Requirements Updated
- "GitPython==3.1.45"
- "retrying==1.4.1",
# New Features
- **Remove Orphaned**: Adds new `min_file_age_minutes` flag to prevent
files newer than a certain time from being deleted (Thanks to @H2OKing89
#859)
- Adds new standalone script `ban_peers.py` for banning selected peers
(Thanks to @tboy1337 #888)
# Improvements
- Adds timeout detectiono for stuck runs for web API rqeeusts
# Bug Fixes
- Fix bug in webUI deleting nohardlink section (Fixes#884)
**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.1...v4.5.2
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: cat-of-wisdom <217637421+cat-of-wisdom@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Quentin <qking.dev@gmail.com>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
Co-authored-by: tboy1337 <30571311+tboy1337@users.noreply.github.com>
Co-authored-by: tboy1337 <tboy1337.unchanged733@aleeas.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
# Requirements Updated
- fastapi==0.116.0
- retrying==1.4.0
- uvicorn==0.35.0
# New Features
- **Web UI**: Introduced a new Web UI for configuring and managing qBit
Manage.
- Visual Configuration Editor for YAML files.
- Command Execution directly from the UI.
- Undo/Redo History for changes.
- Theme Support (light/dark mode).
- Responsive Design for desktop and mobile.
- Real-time YAML Preview.
- Pass skip qbitorrent check as optional parameter to the API (Adds
#860)\
**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.4.0...v4.5.0
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
# Requirements Updated
- requests==2.32.4
- ruamel.yaml==0.18.14
# New Updates
- Added Web API server feature for running commands via HTTP requests
- New `--web-server` flag to start the API server
- API requests during scheduled runs are automatically queued
- Queued requests are processed after the scheduled run completes
- See
[docs/Web-API.md](https://github.com/StuffAnThings/qbit_manage/wiki/Web-API)
for usage instructions
- Renamed `last_active` to `min_last_active`
- Added `max_last_active` to `share_limits` (Closes#774)
- Added new
[restore_torrents.py](https://github.com/StuffAnThings/qbit_manage/blob/develop/scripts/restore_torrents.py)
script for restoring deleted files+torrents in RecycleBin
## Bug Fixes
- (fix): don't reapply tags every run when torrent (#824) (Thanks to
@xx4h)
- Fix share limits always re-applying when using global Limit (-2)
(Closes#831) (Thanks to @chrisfosterelli)
**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.3.0...v4.4.0
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Actionbot <actions@github.com>
Co-authored-by: bakerboy448 <55419169+bakerboy448@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Gerald Lau <glau@bitdefender.com>
Co-authored-by: Patchy3767 <birabinowitz+github@gmail.com>
Co-authored-by: Fabian Sylvester <xx4h@xx4h.de>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
Co-authored-by: Chris Foster <chris.james.foster@gmail.com>
