- Strengthen password requirements with checks for uppercase, lowercase, numbers, and special characters (at least 3 types required)
- Block access to sensitive configuration files like qbm_settings.yml
- Improve API key display in UI with password input and show/hide toggle for better security
Add support for configuring trusted proxy IPs/subnets to properly determine real client IP addresses when behind proxies. This enhances security by allowing accurate local IP detection for authentication bypass. Updates include backend IP detection logic, API endpoints, and frontend UI components.
- Require reauthentication to update security settings via API
(API key or username/password; accepted in body or headers)
- Add current_username/current_password/current_api_key to request
model for secure updates
- Mitigate timing attacks in Basic auth by verifying password using a
dummy hash when username mismatches; improve failure logging
- Enforce restrictive permissions (0600) on qbm_settings.yml during
load/save; warn and attempt automatic correction if permissive
- Lock down CORS defaults: no origins allowed, credentials disabled,
explicit methods/headers only
- Prevent path traversal on config filenames via strict validation and
resolve checks
- Automatically redact secrets in logs by registering sensitive fields
(passwords, tokens, keys)
- Redact password_hash and api_key in security settings responses
- Audit log security setting changes and reload middleware on save
BREAKING CHANGE: CORS is now denied by default (no allowed origins,
credentials disabled). Cross-origin clients must be explicitly allowed.
Updating security settings now requires current credentials (API key or
username/password).
- Filter out sensitive config files (qbm_settings.yml, secrets.yml, etc.) from API list response
- Block direct access to sensitive files like qbm_settings.yml via get_config endpoint
- Remove unused security endpoint path from auth middleware exclusions
This enhances security by preventing exposure of sensitive configuration data through the web API.
- Add base_url parameter to AuthenticationMiddleware for flexible path handling
- Update skip_auth_paths and API checks to incorporate base_url
- Fix username validator to properly handle empty strings without raising errors
- Update WebAPI to pass base_url to middleware
Add comprehensive authentication support for the qBit Manage web UI with multiple methods:
- None (default, no authentication)
- Basic HTTP authentication with browser popup
- API-only authentication (web UI accessible, API requires key)
Key features include:
- Secure password hashing using Argon2
- Rate limiting to prevent brute force attacks
- CSRF protection for state-changing requests
- Local IP bypass option for private networks
- API key generation for programmatic access
- New security settings page in the web UI
Adds [FR]: Authentication on WebUI
Fixes#867
