Commit graph

14 commits

Author SHA1 Message Date
bobokun
d280787bd1
feat(auth): harden security across auth and API
- Require reauthentication to update security settings via API
  (API key or username/password; accepted in body or headers)
- Add current_username/current_password/current_api_key to request
  model for secure updates
- Mitigate timing attacks in Basic auth by verifying password using a
  dummy hash when username mismatches; improve failure logging
- Enforce restrictive permissions (0600) on qbm_settings.yml during
  load/save; warn and attempt automatic correction if permissive
- Lock down CORS defaults: no origins allowed, credentials disabled,
  explicit methods/headers only
- Prevent path traversal on config filenames via strict validation and
  resolve checks
- Automatically redact secrets in logs by registering sensitive fields
  (passwords, tokens, keys)
- Redact password_hash and api_key in security settings responses
- Audit log security setting changes and reload middleware on save

BREAKING CHANGE: CORS is now denied by default (no allowed origins,
credentials disabled). Cross-origin clients must be explicitly allowed.
Updating security settings now requires current credentials (API key or
username/password).
2025-09-07 13:58:44 -04:00
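The two mechanisms the commit above describes for Basic auth and logging, written out as an added example (this is not qbit_manage's own code). The project hashes passwords with Argon2; this stand-alone version substitutes stdlib PBKDF2-HMAC so it runs without third-party packages, and the user name, password, API key and log line are constructed. The dummy-hash step is the timing mitigation the commit mentions: a request with an unknown user still pays for one password verification, so response time does not reveal whether the user name exists.

```python
"""Timing-resistant Basic auth plus automatic secret redaction in logs.

Added example (not qbit_manage's own code). The project hashes passwords
with Argon2; this stand-alone version substitutes stdlib PBKDF2-HMAC so it
runs without extra packages. Credentials and log lines are constructed.
"""
import base64
import hashlib
import hmac
import logging
import os
from typing import Optional

_PBKDF2_ROUNDS = 100_000  # assumption: tune per deployment hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' (constructed storage format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash and compare it in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), _PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified whenever the user name is wrong, so the unknown-user path costs the
# same hashing work as the known-user/wrong-password path.
_DUMMY_HASH = hash_password("dummy-value-never-accepted")


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value (client-side helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str], username: str, password_hash: str) -> bool:
    """True only when the header carries the configured user and password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    if hmac.compare_digest(user.encode(), username.encode()):
        return verify_password(pw, password_hash)
    verify_password(pw, _DUMMY_HASH)  # burn the same time, then refuse
    return False


class RedactingFilter(logging.Filter):
    """Replace every registered secret with '***' in the message and str args."""

    def __init__(self) -> None:
        super().__init__()
        self._secrets: set = set()

    def register(self, value: Optional[str]) -> None:
        if value:
            self._secrets.add(value)

    def redact(self, text: str) -> str:
        # Longest first, so a secret that contains another one is masked whole.
        for secret in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(secret, "***")
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = self.redact(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: self.redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:  # leave non-str args alone so %d formatting still works
            record.args = tuple(self.redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never drop the record, only mask it


def demo_log(redactor: RedactingFilter) -> str:
    """Emit one constructed log line through the filter and return the text."""
    captured = []

    class _Capture(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))

    log = logging.getLogger("qbm.redaction.example")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = _Capture()
    handler.addFilter(redactor)
    log.addHandler(handler)
    log.info("login user=%s api_key=%s attempts=%d", "admin", "qbm_live_key_123", 3)
    return captured[0]
```

Register the password, API key and any tokens with the filter right after the settings file is loaded, and attach the filter to every handler (not just the logger) so records that bypass propagation are still masked. The `hmac.compare_digest` on the user name still leaks the length difference between names; that is acceptable here because the dummy verification dominates the response time.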
bobokun
85520bb224
feat(api): add protection for sensitive configuration files
- Filter out sensitive config files (qbm_settings.yml, secrets.yml, etc.) from API list response
- Block direct access to sensitive files like qbm_settings.yml via get_config endpoint
- Remove unused security endpoint path from auth middleware exclusions

This enhances security by preventing exposure of sensitive configuration data through the web API.
2025-09-07 12:58:47 -04:00
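The config-file handling described in the two commits above (strict filename validation with a resolve check, a deny list for sensitive files in both the list and get endpoints, and the 0600 check on qbm_settings.yml), as one added example that is not qbit_manage's own code. The directory layout, file names and the `demo()` data are constructed; the sensitive-file set is an assumption taken from the commit text. The permission check assumes a POSIX filesystem.

```python
"""Safe config-file resolution, sensitive-file filtering and a 0600 check.

Added example, not qbit_manage's code. The file names, the sensitive set and
the throwaway directory built by demo() are constructed for illustration.
"""
import logging
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

logger = logging.getLogger("qbm.config.example")

SENSITIVE_FILES = {"qbm_settings.yml", "secrets.yml"}  # assumption: extend as needed
# Bare basename only: no separators, no leading dot, must end in .yml/.yaml
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.ya?ml$")


def resolve_config_path(config_dir, filename: str) -> Path:
    """Return the absolute path of `filename` inside config_dir, or raise.

    Rejects anything that is not a plain *.yml/*.yaml basename, anything in
    SENSITIVE_FILES, and any resolved path whose parent is not config_dir
    (which catches symlinks that point outside the directory)."""
    base = Path(config_dir).resolve()
    if not _NAME_RE.fullmatch(filename):
        raise ValueError(f"invalid config filename: {filename!r}")
    if filename.lower() in SENSITIVE_FILES:
        raise PermissionError(f"access to {filename} is not allowed")
    target = (base / filename).resolve()
    if target.parent != base:
        raise ValueError(f"{filename!r} resolves outside the config directory")
    return target


def list_config_files(config_dir) -> List[str]:
    """Names of regular YAML files in config_dir, minus sensitive ones and escapes."""
    base = Path(config_dir).resolve()
    return sorted(
        p.name for p in base.iterdir()
        if p.suffix in (".yml", ".yaml") and p.is_file()
        and _NAME_RE.fullmatch(p.name)
        and p.name.lower() not in SENSITIVE_FILES
        and p.resolve().parent == base
    )


def ensure_private(path, fix: bool = True) -> bool:
    """True if `path` has no group/other bits; otherwise warn and optionally chmod 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077 == 0:
        return True
    logger.warning("%s has permissive mode %o; expected 0600", path, mode)
    if fix:
        os.chmod(path, 0o600)
        return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
    return False


def _raises(exc, fn: Callable, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Build a constructed config dir and exercise every check; returns results."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as outside:
        base = Path(d)
        for name in ("config.yml", "other.yaml", "qbm_settings.yml", "secrets.yml"):
            (base / name).write_text("{}\n")
        os.chmod(base / "qbm_settings.yml", 0o644)  # deliberately too permissive
        (Path(outside) / "outside.yml").write_text("x: 1\n")
        symlink_rejected: Optional[bool]
        try:
            (base / "link.yml").symlink_to(Path(outside) / "outside.yml")
            symlink_rejected = _raises(ValueError, resolve_config_path, base, "link.yml")
        except OSError:  # symlinks unavailable (e.g. unprivileged Windows)
            symlink_rejected = None
        return {
            "listed": list_config_files(base),
            "ok": resolve_config_path(base, "config.yml").name,
            "traversal_rejected": _raises(ValueError, resolve_config_path, base, "../config.yml"),
            "subdir_rejected": _raises(ValueError, resolve_config_path, base, "sub/config.yml"),
            "sensitive_rejected": _raises(PermissionError, resolve_config_path, base, "qbm_settings.yml"),
            "symlink_rejected": symlink_rejected,
            "perms_before": ensure_private(base / "qbm_settings.yml", fix=False),
            "perms_after": ensure_private(base / "qbm_settings.yml", fix=True),
        }
```

The regex alone already blocks `..` and separators, so the `resolve()` comparison is the second line of defence against symlinks and against any future change to the pattern; the same parent check is what a backup-restore endpoint needs before it writes a user-supplied filename. Listing and fetching share one deny list so a file hidden from the index cannot be fetched by guessing its name.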
bobokun
127f4f944e
feat(auth): add base_url support to authentication middleware
- Add base_url parameter to AuthenticationMiddleware for flexible path handling
- Update skip_auth_paths and API checks to incorporate base_url
- Fix username validator to properly handle empty strings without raising errors
- Update WebAPI to pass base_url to middleware
2025-09-06 13:45:07 -04:00
bobokun
8b2d904d92
feat(auth): add web authentication feature
Add comprehensive authentication support for the qBit Manage web UI with multiple methods:
- None (default, no authentication)
- Basic HTTP authentication with browser popup
- API-only authentication (web UI accessible, API requires key)

Key features include:
- Secure password hashing using Argon2
- Rate limiting to prevent brute force attacks
- CSRF protection for state-changing requests
- Local IP bypass option for private networks
- API key generation for programmatic access
- New security settings page in the web UI

Adds [FR]: Authentication on WebUI
Fixes #867
2025-09-05 23:06:25 -04:00
bobokun
330d9a172a
refactor(web_api): simplify default directory initialization
- Remove conditional logic for config_dir handling
- Ensure default_dir is always properly initialized
2025-09-05 16:47:15 -04:00
bobokun
5d70428e90
refactor(scheduler): migrate persistence to qbm_settings.yml
- Update scheduler to use qbm_settings.yml instead of schedule.yml
- Add automatic migration from legacy schedule.yml to new format
- Restructure settings with 'schedule' root key for better organization
- Update file paths and references across modules for consistency
- Preserve backward compatibility with migration logic

Legacy schedule.yml files are automatically migrated and removed.
2025-09-04 08:33:58 -04:00
bobokun
5a4ddf0112
4.6.0 (#931)
# Requirements Updated
- "humanize==4.13.0"
- "ruff==0.12.11"

# Breaking Changes
- **DEPRECATE `QBT_CONFIG` / `--config-file` OPTION**
- No longer supporting `QBT_CONFIG` / `--config-file`. Instead please
switch over to **`QBT_CONFIG_DIR` / `--config-dir`**.
- `QBT_CONFIG` / `--config-file` option will still work for now but is
now considered legacy and will be removed in a future release.
- **Note**: All yml/yaml files will be treated as valid configuration
files and loaded in the `QBT_CONFIG_DIR` path. Please ensure you
**remove** any old/unused configurations that you don't want to be
loaded prior to using this path.

# Improvements
- Adds docker support for PUID/PGID environment variables
- Dockerfile copies the latest `config.yml.sample` in the config folder
- Add `QBT_HOST` / `--host` option to specify webUI host address (#929
Thanks to @QuixThe2nd)
- WebUI: Quick action settings persist now

# Bug Fixes
- WebUI: Fix loading spinner to be centered in the webUI

**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.5...v4.6.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Fabricio Silva <hi@fabricio.dev>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Parsa Yazdani <parsa@yazdani.au>
Co-authored-by: Actionbot <actions@github.com>
2025-08-30 14:54:13 -04:00
bobokun
156291723f
4.5.5 (#922)
# Improvements
- **ci(docker)**: add OCI labels and build metadata to Docker images
- **Web UI**: Show an "Update available" badge next to the version and a
toast notification when a newer version is detected
- **Web UI**: Add integrated docs with collapsible sections
- **ci(build)**: Publish to PyPI
- **Category**: Allow category changes regardless of the "Category
Update All" status (Fixes #913)

# Bug Fixes
- Fixes container hanging when using run command with QBT_RUN flag
(Fixes #911)
- Fixes bug on interval scheduler not displaying the correct next run
time
- Fix bug on webAPI requests not being queued correctly when called
during a scheduled run

**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.4...v4.5.5

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Actionbot <actions@github.com>
Co-authored-by: bakerboy448 <55419169+bakerboy448@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
2025-08-24 18:44:54 -04:00
bobokun
1e12a1610f
4.5.4 (#910)
# Improvements
- Support cross-platform binary builds (Linux/Windows/MacOS)
- Adds desktop app installers (Linux/Windows/MacOS)
- Container images for latest now pointed to newest version
automatically (Fixes #897)
- Enable automatic open of webUI in local installs
- Add persistence toggling for webUI scheduler

# Bug Fixes
- Fix schedule.yml not loaded upon restarting Docker container (Fixes
#906)
- Fix bug where torrents were not being paused after share limits
reached (Fixes #901)
- Fix(api): prevent path traversal vulnerability in backup restore
endpoint (Fixes CWE-22 Security Vulnerability)
- Fix scheduler to run interval jobs immediately on startup

**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.3...v4.5.4

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-08-16 22:28:26 -04:00
bobokun
9ee3527853
v4.5.3 (#900)
# Requirements Updated
- "retrying==1.4.2"


# New Features
- **Web UI**: Implement dynamic schedule management via web UI/API
- **Share Limits**: Add limit upload speed when share limits are reached
(New config option: `upload_speed_on_limit_reached`) (Fixes #731, #737,
#703)
- **Share Limits**: Add min/max torrent size filters (New config option:
`min_torrent_size` / `max_torrent_size`) (Fixes #472)
- **Remove Unregistered**: Add grace period for unregistered torrent
removal (New config option: `rem_unregistered_grace_minutes`) (Fixes
#898)
- **Scheduler (Web API)**: Implement dynamic schedule management via web
API

# Improvements
- **Mover Script**: Allow granular control with pause, resume and move
args
- **web UI**: When saving, don’t delete config comments and empty lines
(Fixes #890)

# Bug Fixes
- Fix Error acquiring lock: cannot assign to field '_last_run_start'
(Fixes #895)
- Fix remove_orphaned not working correctly with `remote_dir` and
reporting 0 files removed
- fix(web-ui): prevent XSS vulnerabilities and prototype pollution
- Potential fix for code scanning alert no. 13: Client-side cross-site
scripting (#896)



**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.2...v4.5.3

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-08-08 20:57:06 -04:00
bobokun
13fab64d3c
4.5.2 (#889)
# Requirements Updated
- "GitPython==3.1.45"
- "retrying==1.4.1"


# New Features
- **Remove Orphaned**: Adds new `min_file_age_minutes` flag to prevent
files newer than a certain time from being deleted (Thanks to @H2OKing89
#859)
- Adds new standalone script `ban_peers.py` for banning selected peers
(Thanks to @tboy1337 #888)

# Improvements
- Adds timeout detection for stuck runs for web API requests

# Bug Fixes
- Fix bug in webUI deleting nohardlink section (Fixes #884)


**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.1...v4.5.2

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: cat-of-wisdom <217637421+cat-of-wisdom@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Quentin <qking.dev@gmail.com>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
Co-authored-by: tboy1337 <30571311+tboy1337@users.noreply.github.com>
Co-authored-by: tboy1337 <tboy1337.unchanged733@aleeas.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-08-03 15:09:08 -04:00
bobokun
ca4819bc0b
4.5.1 (#874)
# Requirements Updated
- qbittorrent-api==2025.7.0
- fastapi==0.116.1


# New Features
- **Uncategorized Category**: Allow multiple paths for Uncategorized
category and add error handling (Thanks to @cat-of-wisdom #849)
- **Config Auto Backup and Cleanup**: implement automatic backup
rotation (30 most recent backups per config) and cleanup
- **Web UI**: add base URL support for reverse proxy deployments (Fixes
#871)
- **Share Limits**: add option to preserve upload speed limits when
minimums unmet (New config option
`reset_upload_speed_on_unmet_minimums`) (Fixes #835, #791)

# Improvements
- Optimize webUI form rendering
- Better centralized error handling for qBittorrent API operations
- **Web UI**: add editable group names to share limit modal

# Bug Fixes
- Fix bug in remove orphaned to notify when there are 0 orphaned files
- Fixes [Bug]: Cannot run on Python 3.9.18 #864
- fix(qbit): add error handling for qBittorrent API operations

**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.5.0...v4.5.1

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: cat-of-wisdom <217637421+cat-of-wisdom@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-19 08:59:41 -04:00
bobokun
3fa5fcee3b
v4.5.0 (#862)
# Requirements Updated
- fastapi==0.116.0
- retrying==1.4.0
- uvicorn==0.35.0

# New Features
- **Web UI**: Introduced a new Web UI for configuring and managing qBit
Manage.
  - Visual Configuration Editor for YAML files.
  - Command Execution directly from the UI.
  - Undo/Redo History for changes.
  - Theme Support (light/dark mode).
  - Responsive Design for desktop and mobile.
  - Real-time YAML Preview.
- Pass skip qBittorrent check as optional parameter to the API (Adds
#860)


**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.4.0...v4.5.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
2025-07-11 19:13:41 -04:00
bobokun
c70d230fa6
4.4.0 (#845)
# Requirements Updated
- requests==2.32.4
- ruamel.yaml==0.18.14

# New Updates
- Added Web API server feature for running commands via HTTP requests
  - New `--web-server` flag to start the API server
  - API requests during scheduled runs are automatically queued
  - Queued requests are processed after the scheduled run completes
- See
[docs/Web-API.md](https://github.com/StuffAnThings/qbit_manage/wiki/Web-API)
for usage instructions
- Renamed `last_active` to `min_last_active`
- Added `max_last_active` to `share_limits` (Closes #774)
- Added new
[restore_torrents.py](https://github.com/StuffAnThings/qbit_manage/blob/develop/scripts/restore_torrents.py)
script for restoring deleted files+torrents in RecycleBin

## Bug Fixes
- (fix): don't reapply tags every run when torrent (#824) (Thanks to
@xx4h)
- Fix share limits always re-applying when using global Limit (-2)
(Closes #831) (Thanks to @chrisfosterelli)

**Full Changelog**:
https://github.com/StuffAnThings/qbit_manage/compare/v4.3.0...v4.4.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Actionbot <actions@github.com>
Co-authored-by: bakerboy448 <55419169+bakerboy448@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Gerald Lau <glau@bitdefender.com>
Co-authored-by: Patchy3767 <birabinowitz+github@gmail.com>
Co-authored-by: Fabian Sylvester <xx4h@xx4h.de>
Co-authored-by: ineednewpajamas <73252768+ineednewpajamas@users.noreply.github.com>
Co-authored-by: Chris Foster <chris.james.foster@gmail.com>
2025-06-22 07:41:55 -04:00