- Require reauthentication to update security settings via API
(API key or username/password; accepted in body or headers)
- Add current_username/current_password/current_api_key to request
model for secure updates
- Mitigate timing attacks in Basic auth by verifying password using a
dummy hash when username mismatches; improve failure logging
- Enforce restrictive permissions (0600) on qbm_settings.yml during
load/save; warn and attempt automatic correction if permissive
- Lock down CORS defaults: no origins allowed, credentials disabled,
explicit methods/headers only
- Prevent path traversal on config filenames via strict validation and
resolve checks
- Automatically redact secrets in logs by registering sensitive fields
(passwords, tokens, keys)
- Redact password_hash and api_key in security settings responses
- Audit log security setting changes and reload middleware on save

BREAKING CHANGE: CORS is now denied by default (no allowed origins,
credentials disabled). Cross-origin clients must be explicitly allowed.
Updating security settings now requires current credentials (API key or
username/password).
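The timing-attack mitigation described above (always run the password verification, against a dummy hash when the username does not match) as an added illustration; this is not the project's code. It swaps PBKDF2-HMAC from the standard library in for the project's Argon2 so it runs offline, and the user, password and hashes are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Stand-in for the project's Argon2 hashing: PBKDF2-HMAC-SHA256 from the
# standard library, chosen only so this example runs without extra packages.
# The pattern being shown does not depend on which slow hash is used.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return "salt$digest" (hex) for a freshly salted password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash for `password` and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed credential store with a single configured user.
# DUMMY_HASH is the hash of a random password nobody knows; it exists so that a
# username mismatch still pays for a full verification instead of returning early.
CONFIGURED_USER = "admin"
CONFIGURED_HASH = hash_password("correct horse battery staple")
DUMMY_HASH = hash_password(secrets.token_hex(16))


def check_basic_auth(username: str, password: str) -> bool:
    """Accept only the configured user with the right password.

    The username comparison and the password hash both run on every call, so
    the response time does not reveal whether the username or the password was
    the part that failed.
    """
    user_ok = hmac.compare_digest(username.encode(), CONFIGURED_USER.encode())
    stored = CONFIGURED_HASH if user_ok else DUMMY_HASH
    pass_ok = verify_password(password, stored)  # always executed
    return user_ok and pass_ok
```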

- Filter out sensitive config files (qbm_settings.yml, secrets.yml, etc.) from API list response
- Block direct access to sensitive files like qbm_settings.yml via get_config endpoint
- Remove unused security endpoint path from auth middleware exclusions
This enhances security by preventing exposure of sensitive configuration data through the web API.

- Add base_url parameter to AuthenticationMiddleware for flexible path handling
- Update skip_auth_paths and API checks to incorporate base_url
- Fix username validator to properly handle empty strings without raising errors
- Update WebAPI to pass base_url to middleware

Add comprehensive authentication support for the qBit Manage web UI with multiple methods:
- None (default, no authentication)
- Basic HTTP authentication with browser popup
- API-only authentication (web UI accessible, API requires key)
Key features include:
- Secure password hashing using Argon2
- Rate limiting to prevent brute force attacks
- CSRF protection for state-changing requests
- Local IP bypass option for private networks
- API key generation for programmatic access
- New security settings page in the web UI
Adds [FR]: Authentication on WebUI
Fixes #867