diff --git a/.env.example b/.env.example
index 30180b1..a7e7e75 100644
--- a/.env.example
+++ b/.env.example
@@ -2,6 +2,29 @@
# Choose which media server backend to use: Subsonic or Jellyfin
BACKEND_TYPE=Jellyfin
+# ===== ADMIN NETWORK ACCESS (PORT 5275) =====
+# Keep false to bind admin UI to localhost only (recommended)
+# Set true only if you need LAN access from another device
+ADMIN_BIND_ANY_IP=false
+
+# Comma-separated trusted CIDR ranges allowed to access admin port when bind is enabled
+# Examples: 192.168.1.0/24,10.0.0.0/8
+ADMIN_TRUSTED_SUBNETS=
+
+# ===== CORS POLICY =====
+# Cross-origin requests are disabled by default.
+# Set explicit origins if you need browser access from another host.
+# Example: https://my-jellyfin.example.com,http://localhost:3000
+CORS_ALLOWED_ORIGINS=
+
+# Explicit allowed methods and headers for CORS preflight.
+# Keep these restrictive unless you have a concrete requirement.
+CORS_ALLOWED_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS,HEAD
+CORS_ALLOWED_HEADERS=Accept,Authorization,Content-Type,Range,X-Requested-With,X-Emby-Authorization,X-MediaBrowser-Token
+
+# Set true only when your allowed origins require cookies/auth credentials.
+CORS_ALLOW_CREDENTIALS=false
+
# ===== REDIS CACHE (REQUIRED) =====
# Redis is the primary cache for all runtime data (search results, playlists, lyrics, etc.)
# File cache (/app/cache) acts as a persistence layer for cold starts
@@ -113,6 +136,14 @@ QOBUZ_USER_ID=
# If not specified, the highest available quality will be used
QOBUZ_QUALITY=
+# ===== MUSICBRAINZ CONFIGURATION =====
+# Enable MusicBrainz metadata lookups (optional, default: true)
+MUSICBRAINZ_ENABLED=true
+
+# Optional MusicBrainz account credentials for authenticated requests
+MUSICBRAINZ_USERNAME=
+MUSICBRAINZ_PASSWORD=
+
# ===== GENERAL SETTINGS =====
# External playlists support (optional, default: true)
# When enabled, allows searching and downloading playlists from Deezer/Qobuz
@@ -232,6 +263,11 @@ SCROBBLING_ENABLED=false
# This ensures Allstarr only scrobbles external tracks (Spotify, Deezer, Qobuz)
SCROBBLING_LOCAL_TRACKS_ENABLED=false
+# Emit synthetic local "played" events from progress when local scrobbling is disabled (default: false)
+# Only enable this if you explicitly need UserPlayedItems-based plugin triggering.
+# Keep false to avoid duplicate local scrobbles with Jellyfin plugins.
+SCROBBLING_SYNTHETIC_LOCAL_PLAYED_SIGNAL_ENABLED=false
+
# ===== LAST.FM SCROBBLING =====
# Enable Last.fm scrobbling (default: false)
SCROBBLING_LASTFM_ENABLED=false
@@ -270,7 +306,11 @@ SCROBBLING_LISTENBRAINZ_USER_TOKEN=
# Enable detailed request logging (default: false)
# When enabled, logs every incoming HTTP request with full details:
# - Method, path, query string
-# - Headers (auth tokens are masked)
+# - Headers
# - Response status and timing
# Useful for debugging client issues and seeing what API calls are being made
DEBUG_LOG_ALL_REQUESTS=false
+
+# Redact auth/query sensitive values in request logs (default: false).
+# Set true if you want DEBUG_LOG_ALL_REQUESTS while still masking tokens.
+DEBUG_REDACT_SENSITIVE_REQUEST_VALUES=false
diff --git a/Directory.Build.props b/Directory.Build.props
new file mode 100644
index 0000000..aba20cd
--- /dev/null
+++ b/Directory.Build.props
@@ -0,0 +1,9 @@
+
+
+
+ false
+
+
diff --git a/Dockerfile b/Dockerfile
index 0328a37..5afefe9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,7 @@ WORKDIR /src
COPY allstarr.sln .
COPY allstarr/allstarr.csproj allstarr/
+COPY allstarr/AppVersion.cs allstarr/
COPY allstarr.Tests/allstarr.Tests.csproj allstarr.Tests/
RUN dotnet restore
diff --git a/allstarr.Tests/AdminAuthControllerTests.cs b/allstarr.Tests/AdminAuthControllerTests.cs
new file mode 100644
index 0000000..233b339
--- /dev/null
+++ b/allstarr.Tests/AdminAuthControllerTests.cs
@@ -0,0 +1,213 @@
+using System.Net;
+using System.Text.Json;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Moq;
+using allstarr.Controllers;
+using allstarr.Models.Settings;
+using allstarr.Services.Admin;
+
+namespace allstarr.Tests;
+
+public class AdminAuthControllerTests
+{
+ [Fact]
+ public async Task Login_WithValidNonAdminJellyfinUser_CreatesSessionAndCookie()
+ {
+ HttpRequestMessage? capturedRequest = null;
+ string? capturedBody = null;
+
+ var handler = new DelegateHttpMessageHandler(async (request, _) =>
+ {
+ capturedRequest = request;
+ capturedBody = request.Content is null ? null : await request.Content.ReadAsStringAsync();
+
+ return new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new StringContent("""
+ {
+ "AccessToken":"token-123",
+ "ServerId":"server-1",
+ "User":{
+ "Id":"user-1",
+ "Name":"josh",
+ "Policy":{"IsAdministrator":false}
+ }
+ }
+ """)
+ };
+ });
+
+ var sessionService = new AdminAuthSessionService();
+ var httpContext = new DefaultHttpContext();
+ httpContext.Request.Headers["X-Forwarded-Proto"] = "https";
+
+ var controller = CreateController(handler, sessionService, httpContext);
+ var result = await controller.Login(new AdminAuthController.LoginRequest
+ {
+ Username = " josh ",
+ Password = "secret-pass"
+ });
+
+ var ok = Assert.IsType(result);
+ var payloadJson = JsonSerializer.Serialize(ok.Value);
+ using var payload = JsonDocument.Parse(payloadJson);
+
+ Assert.True(payload.RootElement.GetProperty("authenticated").GetBoolean());
+ Assert.Equal("user-1", payload.RootElement.GetProperty("user").GetProperty("id").GetString());
+ Assert.Equal("josh", payload.RootElement.GetProperty("user").GetProperty("name").GetString());
+ Assert.False(payload.RootElement.GetProperty("user").GetProperty("isAdministrator").GetBoolean());
+
+ Assert.NotNull(capturedRequest);
+ Assert.Equal(HttpMethod.Post, capturedRequest!.Method);
+ Assert.Equal("http://jellyfin.local/Users/AuthenticateByName", capturedRequest.RequestUri?.ToString());
+ Assert.Contains("X-Emby-Authorization", capturedRequest.Headers.Select(h => h.Key));
+
+ Assert.NotNull(capturedBody);
+ Assert.Contains("\"Username\":\"josh\"", capturedBody!);
+ Assert.Contains("\"Pw\":\"secret-pass\"", capturedBody!);
+
+ var setCookies = httpContext.Response.Headers.SetCookie;
+ Assert.Single(setCookies);
+ var setCookieHeader = setCookies[0] ?? string.Empty;
+ Assert.Contains($"{AdminAuthSessionService.SessionCookieName}=", setCookieHeader);
+ Assert.Contains("httponly", setCookieHeader.ToLowerInvariant());
+ Assert.Contains("secure", setCookieHeader.ToLowerInvariant());
+ Assert.Contains("samesite=strict", setCookieHeader.ToLowerInvariant());
+
+ var sessionId = ExtractCookieValue(setCookieHeader);
+ Assert.True(sessionService.TryGetValidSession(sessionId, out var session));
+ Assert.Equal("user-1", session.UserId);
+ Assert.Equal("josh", session.UserName);
+ Assert.False(session.IsAdministrator);
+ }
+
+ [Fact]
+ public async Task Login_WithInvalidCredentials_ReturnsUnauthorized()
+ {
+ var handler = new DelegateHttpMessageHandler((_, _) =>
+ Task.FromResult(new HttpResponseMessage(HttpStatusCode.Unauthorized)));
+
+ var sessionService = new AdminAuthSessionService();
+ var httpContext = new DefaultHttpContext();
+ var controller = CreateController(handler, sessionService, httpContext);
+
+ var result = await controller.Login(new AdminAuthController.LoginRequest
+ {
+ Username = "josh",
+ Password = "wrong"
+ });
+
+ var unauthorized = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status401Unauthorized, unauthorized.StatusCode);
+ Assert.False(httpContext.Response.Headers.ContainsKey("Set-Cookie"));
+ }
+
+ [Fact]
+ public void GetCurrentSession_WithUnknownCookie_ReturnsUnauthenticated()
+ {
+ var handler = new DelegateHttpMessageHandler((_, _) =>
+ Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)));
+
+ var sessionService = new AdminAuthSessionService();
+ var httpContext = new DefaultHttpContext();
+ httpContext.Request.Headers.Cookie = $"{AdminAuthSessionService.SessionCookieName}=missing-session";
+
+ var controller = CreateController(handler, sessionService, httpContext);
+ var result = controller.GetCurrentSession();
+
+ var ok = Assert.IsType(result);
+ var payloadJson = JsonSerializer.Serialize(ok.Value);
+ using var payload = JsonDocument.Parse(payloadJson);
+
+ Assert.False(payload.RootElement.GetProperty("authenticated").GetBoolean());
+ var setCookies = httpContext.Response.Headers.SetCookie;
+ Assert.Single(setCookies);
+ var setCookieHeader = setCookies[0] ?? string.Empty;
+ Assert.Contains($"{AdminAuthSessionService.SessionCookieName}=", setCookieHeader);
+ Assert.Contains("expires=", setCookieHeader.ToLowerInvariant());
+ }
+
+ [Fact]
+ public void GetCurrentSession_WithValidCookie_ReturnsSessionUser()
+ {
+ var handler = new DelegateHttpMessageHandler((_, _) =>
+ Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)));
+
+ var sessionService = new AdminAuthSessionService();
+ var session = sessionService.CreateSession(
+ userId: "user-42",
+ userName: "alice",
+ isAdministrator: true,
+ jellyfinAccessToken: "token",
+ jellyfinServerId: "server");
+
+ var httpContext = new DefaultHttpContext();
+ httpContext.Request.Headers.Cookie = $"{AdminAuthSessionService.SessionCookieName}={session.SessionId}";
+
+ var controller = CreateController(handler, sessionService, httpContext);
+ var result = controller.GetCurrentSession();
+
+ var ok = Assert.IsType(result);
+ var payloadJson = JsonSerializer.Serialize(ok.Value);
+ using var payload = JsonDocument.Parse(payloadJson);
+
+ Assert.True(payload.RootElement.GetProperty("authenticated").GetBoolean());
+ Assert.Equal("user-42", payload.RootElement.GetProperty("user").GetProperty("id").GetString());
+ Assert.Equal("alice", payload.RootElement.GetProperty("user").GetProperty("name").GetString());
+ Assert.True(payload.RootElement.GetProperty("user").GetProperty("isAdministrator").GetBoolean());
+ }
+
+ private static AdminAuthController CreateController(
+ HttpMessageHandler handler,
+ AdminAuthSessionService sessionService,
+ HttpContext httpContext)
+ {
+ var jellyfinOptions = Options.Create(new JellyfinSettings
+ {
+ Url = "http://jellyfin.local"
+ });
+
+ var httpClientFactory = new Mock();
+ httpClientFactory.Setup(x => x.CreateClient(It.IsAny())).Returns(new HttpClient(handler));
+
+ var logger = new Mock>();
+ var controller = new AdminAuthController(
+ jellyfinOptions,
+ httpClientFactory.Object,
+ sessionService,
+ logger.Object)
+ {
+ ControllerContext = new ControllerContext
+ {
+ HttpContext = httpContext
+ }
+ };
+
+ return controller;
+ }
+
+ private static string ExtractCookieValue(string setCookieHeader)
+ {
+ var cookiePart = setCookieHeader.Split(';', 2)[0];
+ var parts = cookiePart.Split('=', 2);
+ return parts.Length == 2 ? parts[1] : string.Empty;
+ }
+
+ private sealed class DelegateHttpMessageHandler : HttpMessageHandler
+ {
+ private readonly Func> _handler;
+
+ public DelegateHttpMessageHandler(Func> handler)
+ {
+ _handler = handler;
+ }
+
+ protected override Task SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ return _handler(request, cancellationToken);
+ }
+ }
+}
diff --git a/allstarr.Tests/AdminAuthenticationMiddlewareTests.cs b/allstarr.Tests/AdminAuthenticationMiddlewareTests.cs
new file mode 100644
index 0000000..17d23fc
--- /dev/null
+++ b/allstarr.Tests/AdminAuthenticationMiddlewareTests.cs
@@ -0,0 +1,198 @@
+using System.Text;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging.Abstractions;
+using allstarr.Middleware;
+using allstarr.Services.Admin;
+
+namespace allstarr.Tests;
+
+public class AdminAuthenticationMiddlewareTests
+{
+ [Fact]
+ public async Task InvokeAsync_UnauthenticatedAdminRequest_Returns401()
+ {
+ var sessionService = new AdminAuthSessionService();
+ var nextInvoked = false;
+
+ var middleware = new AdminAuthenticationMiddleware(
+ _ =>
+ {
+ nextInvoked = true;
+ return Task.CompletedTask;
+ },
+ sessionService,
+ NullLogger.Instance);
+
+ var context = CreateContext(
+ path: "/api/admin/config",
+ method: HttpMethods.Get,
+ localPort: 5275);
+
+ await middleware.InvokeAsync(context);
+
+ Assert.False(nextInvoked);
+ Assert.Equal(StatusCodes.Status401Unauthorized, context.Response.StatusCode);
+
+ var body = await ReadResponseBodyAsync(context);
+ Assert.Contains("Authentication required", body);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_NonAdminUser_AllowedRoute_PassesThrough()
+ {
+ var sessionService = new AdminAuthSessionService();
+ var session = sessionService.CreateSession(
+ userId: "user-1",
+ userName: "josh",
+ isAdministrator: false,
+ jellyfinAccessToken: "token",
+ jellyfinServerId: "server");
+
+ var nextInvoked = false;
+ var middleware = new AdminAuthenticationMiddleware(
+ context =>
+ {
+ nextInvoked = true;
+ context.Response.StatusCode = StatusCodes.Status204NoContent;
+ return Task.CompletedTask;
+ },
+ sessionService,
+ NullLogger.Instance);
+
+ var context = CreateContext(
+ path: "/api/admin/jellyfin/playlists",
+ method: HttpMethods.Get,
+ localPort: 5275,
+ sessionIdCookie: session.SessionId);
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked);
+ Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+ Assert.True(context.Items.ContainsKey(AdminAuthSessionService.HttpContextSessionItemKey));
+ }
+
+ [Fact]
+ public async Task InvokeAsync_NonAdminUser_DisallowedRoute_Returns403()
+ {
+ var sessionService = new AdminAuthSessionService();
+ var session = sessionService.CreateSession(
+ userId: "user-1",
+ userName: "josh",
+ isAdministrator: false,
+ jellyfinAccessToken: "token",
+ jellyfinServerId: "server");
+
+ var nextInvoked = false;
+ var middleware = new AdminAuthenticationMiddleware(
+ _ =>
+ {
+ nextInvoked = true;
+ return Task.CompletedTask;
+ },
+ sessionService,
+ NullLogger.Instance);
+
+ var context = CreateContext(
+ path: "/api/admin/config",
+ method: HttpMethods.Get,
+ localPort: 5275,
+ sessionIdCookie: session.SessionId);
+
+ await middleware.InvokeAsync(context);
+
+ Assert.False(nextInvoked);
+ Assert.Equal(StatusCodes.Status403Forbidden, context.Response.StatusCode);
+
+ var body = await ReadResponseBodyAsync(context);
+ Assert.Contains("Administrator permissions required", body);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_AdminUser_DisallowedForUserButAllowedForAdmin_PassesThrough()
+ {
+ var sessionService = new AdminAuthSessionService();
+ var session = sessionService.CreateSession(
+ userId: "admin-1",
+ userName: "admin",
+ isAdministrator: true,
+ jellyfinAccessToken: "token",
+ jellyfinServerId: "server");
+
+ var nextInvoked = false;
+ var middleware = new AdminAuthenticationMiddleware(
+ context =>
+ {
+ nextInvoked = true;
+ context.Response.StatusCode = StatusCodes.Status204NoContent;
+ return Task.CompletedTask;
+ },
+ sessionService,
+ NullLogger.Instance);
+
+ var context = CreateContext(
+ path: "/api/admin/config",
+ method: HttpMethods.Get,
+ localPort: 5275,
+ sessionIdCookie: session.SessionId);
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked);
+ Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_AdminApiOnMainPort_PassesThroughForDownstreamFilter()
+ {
+ var sessionService = new AdminAuthSessionService();
+ var nextInvoked = false;
+
+ var middleware = new AdminAuthenticationMiddleware(
+ context =>
+ {
+ nextInvoked = true;
+ context.Response.StatusCode = StatusCodes.Status404NotFound;
+ return Task.CompletedTask;
+ },
+ sessionService,
+ NullLogger.Instance);
+
+ var context = CreateContext(
+ path: "/api/admin/config",
+ method: HttpMethods.Get,
+ localPort: 5274);
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked);
+ Assert.Equal(StatusCodes.Status404NotFound, context.Response.StatusCode);
+ }
+
+ private static DefaultHttpContext CreateContext(
+ string path,
+ string method,
+ int localPort,
+ string? sessionIdCookie = null)
+ {
+ var context = new DefaultHttpContext();
+ context.Request.Path = path;
+ context.Request.Method = method;
+ context.Connection.LocalPort = localPort;
+ context.Response.Body = new MemoryStream();
+
+ if (!string.IsNullOrWhiteSpace(sessionIdCookie))
+ {
+ context.Request.Headers.Cookie = $"{AdminAuthSessionService.SessionCookieName}={sessionIdCookie}";
+ }
+
+ return context;
+ }
+
+ private static async Task ReadResponseBodyAsync(HttpContext context)
+ {
+ context.Response.Body.Seek(0, SeekOrigin.Begin);
+ using var reader = new StreamReader(context.Response.Body, Encoding.UTF8, leaveOpen: true);
+ return await reader.ReadToEndAsync();
+ }
+}
diff --git a/allstarr.Tests/AdminNetworkAllowlistMiddlewareTests.cs b/allstarr.Tests/AdminNetworkAllowlistMiddlewareTests.cs
new file mode 100644
index 0000000..b0088cd
--- /dev/null
+++ b/allstarr.Tests/AdminNetworkAllowlistMiddlewareTests.cs
@@ -0,0 +1,93 @@
+using System.Net;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging.Abstractions;
+using allstarr.Middleware;
+
+namespace allstarr.Tests;
+
+public class AdminNetworkAllowlistMiddlewareTests
+{
+ [Fact]
+ public async Task InvokeAsync_AdminPortLoopback_AllowsRequest()
+ {
+ var middleware = CreateMiddleware(new Dictionary(), out var nextInvoked);
+ var context = CreateContext(5275, "127.0.0.1");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked());
+ Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_AdminPortUntrustedSubnet_BlocksRequest()
+ {
+ var middleware = CreateMiddleware(new Dictionary(), out var nextInvoked);
+ var context = CreateContext(5275, "192.168.1.25");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.False(nextInvoked());
+ Assert.Equal(StatusCodes.Status403Forbidden, context.Response.StatusCode);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_AdminPortTrustedSubnet_AllowsRequest()
+ {
+ var middleware = CreateMiddleware(new Dictionary
+ {
+ ["Admin:TrustedSubnets"] = "192.168.1.0/24"
+ }, out var nextInvoked);
+ var context = CreateContext(5275, "192.168.1.25");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked());
+ Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+ }
+
+ [Fact]
+ public async Task InvokeAsync_NonAdminPort_BypassesAllowlist()
+ {
+ var middleware = CreateMiddleware(new Dictionary(), out var nextInvoked);
+ var context = CreateContext(8080, "8.8.8.8");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked());
+ Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+ }
+
+ private static AdminNetworkAllowlistMiddleware CreateMiddleware(
+ IDictionary configValues,
+ out Func nextInvoked)
+ {
+ var invoked = false;
+ nextInvoked = () => invoked;
+
+ var configuration = new ConfigurationBuilder()
+ .AddInMemoryCollection(configValues)
+ .Build();
+
+ return new AdminNetworkAllowlistMiddleware(
+ context =>
+ {
+ invoked = true;
+ context.Response.StatusCode = StatusCodes.Status204NoContent;
+ return Task.CompletedTask;
+ },
+ configuration,
+ NullLogger.Instance);
+ }
+
+ private static DefaultHttpContext CreateContext(int localPort, string remoteIp)
+ {
+ var context = new DefaultHttpContext();
+ context.Connection.LocalPort = localPort;
+ context.Connection.RemoteIpAddress = IPAddress.Parse(remoteIp);
+ context.Request.Path = "/api/admin/status";
+ context.Response.Body = new MemoryStream();
+ return context;
+ }
+}
diff --git a/allstarr.Tests/AdminNetworkBindingPolicyTests.cs b/allstarr.Tests/AdminNetworkBindingPolicyTests.cs
new file mode 100644
index 0000000..d00db6e
--- /dev/null
+++ b/allstarr.Tests/AdminNetworkBindingPolicyTests.cs
@@ -0,0 +1,67 @@
+using allstarr.Services.Common;
+using Microsoft.Extensions.Configuration;
+using System.Net;
+
+namespace allstarr.Tests;
+
+public class AdminNetworkBindingPolicyTests
+{
+ [Fact]
+ public void ShouldBindAdminAnyIp_DefaultsToFalse_WhenUnset()
+ {
+ var configuration = new ConfigurationBuilder()
+ .AddInMemoryCollection(new Dictionary())
+ .Build();
+
+ var bindAnyIp = AdminNetworkBindingPolicy.ShouldBindAdminAnyIp(configuration);
+
+ Assert.False(bindAnyIp);
+ }
+
+ [Fact]
+ public void ShouldBindAdminAnyIp_ReturnsTrue_WhenConfigured()
+ {
+ var configuration = new ConfigurationBuilder()
+ .AddInMemoryCollection(new Dictionary
+ {
+ ["Admin:BindAnyIp"] = "true"
+ })
+ .Build();
+
+ var bindAnyIp = AdminNetworkBindingPolicy.ShouldBindAdminAnyIp(configuration);
+
+ Assert.True(bindAnyIp);
+ }
+
+ [Fact]
+ public void ParseTrustedSubnets_ReturnsOnlyValidNetworks()
+ {
+ var configuration = new ConfigurationBuilder()
+ .AddInMemoryCollection(new Dictionary
+ {
+ ["Admin:TrustedSubnets"] = "192.168.1.0/24, invalid,10.0.0.0/8"
+ })
+ .Build();
+
+ var subnets = AdminNetworkBindingPolicy.ParseTrustedSubnets(configuration);
+
+ Assert.Equal(2, subnets.Count);
+ Assert.Contains(subnets, n => n.ToString() == "192.168.1.0/24");
+ Assert.Contains(subnets, n => n.ToString() == "10.0.0.0/8");
+ }
+
+ [Theory]
+ [InlineData("127.0.0.1", true)]
+ [InlineData("192.168.1.55", true)]
+ [InlineData("10.25.1.3", false)]
+ public void IsRemoteIpAllowed_HonorsLoopbackAndTrustedSubnets(string ip, bool expected)
+ {
+ var trusted = new List();
+ Assert.True(IPNetwork.TryParse("192.168.1.0/24", out var subnet));
+ trusted.Add(subnet);
+
+ var allowed = AdminNetworkBindingPolicy.IsRemoteIpAllowed(IPAddress.Parse(ip), trusted);
+
+ Assert.Equal(expected, allowed);
+ }
+}
diff --git a/allstarr.Tests/AdminStaticFilesMiddlewareTests.cs b/allstarr.Tests/AdminStaticFilesMiddlewareTests.cs
new file mode 100644
index 0000000..b63cc3b
--- /dev/null
+++ b/allstarr.Tests/AdminStaticFilesMiddlewareTests.cs
@@ -0,0 +1,147 @@
+using allstarr.Middleware;
+using Microsoft.AspNetCore.Http;
+using Moq;
+
+namespace allstarr.Tests;
+
+public class AdminStaticFilesMiddlewareTests
+{
+ [Fact]
+ public async Task InvokeAsync_AdminRootPath_ServesIndexHtml()
+ {
+ var webRoot = CreateTempWebRoot();
+ await File.WriteAllTextAsync(Path.Combine(webRoot, "index.html"), "ok");
+
+ try
+ {
+ var middleware = CreateMiddleware(webRoot, out var nextInvoked);
+ var context = CreateContext(localPort: 5275, path: "/");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.False(nextInvoked());
+ Assert.Equal("text/html", context.Response.ContentType);
+ Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
+ }
+ finally
+ {
+ DeleteTempWebRoot(webRoot);
+ }
+ }
+
+ [Fact]
+ public async Task InvokeAsync_AdminPathTraversalAttempt_ReturnsNotFound()
+ {
+ var webRoot = CreateTempWebRoot();
+ var parent = Directory.GetParent(webRoot)!.FullName;
+ await File.WriteAllTextAsync(Path.Combine(parent, "secret.txt"), "secret");
+
+ try
+ {
+ var middleware = CreateMiddleware(webRoot, out var nextInvoked);
+ var context = CreateContext(localPort: 5275, path: "/../secret.txt");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.False(nextInvoked());
+ Assert.Equal(StatusCodes.Status404NotFound, context.Response.StatusCode);
+ }
+ finally
+ {
+ DeleteTempWebRoot(webRoot);
+ }
+ }
+
+ [Fact]
+ public async Task InvokeAsync_AdminValidStaticFile_ServesFile()
+ {
+ var webRoot = CreateTempWebRoot();
+ var jsDir = Path.Combine(webRoot, "js");
+ Directory.CreateDirectory(jsDir);
+ await File.WriteAllTextAsync(Path.Combine(jsDir, "app.js"), "console.log('ok');");
+
+ try
+ {
+ var middleware = CreateMiddleware(webRoot, out var nextInvoked);
+ var context = CreateContext(localPort: 5275, path: "/js/app.js");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.False(nextInvoked());
+ Assert.Equal("application/javascript", context.Response.ContentType);
+ Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
+ }
+ finally
+ {
+ DeleteTempWebRoot(webRoot);
+ }
+ }
+
+ [Fact]
+ public async Task InvokeAsync_NonAdminPort_BypassesStaticMiddleware()
+ {
+ var webRoot = CreateTempWebRoot();
+ await File.WriteAllTextAsync(Path.Combine(webRoot, "index.html"), "ok");
+
+ try
+ {
+ var middleware = CreateMiddleware(webRoot, out var nextInvoked);
+ var context = CreateContext(localPort: 8080, path: "/index.html");
+
+ await middleware.InvokeAsync(context);
+
+ Assert.True(nextInvoked());
+ Assert.Equal(StatusCodes.Status204NoContent, context.Response.StatusCode);
+ }
+ finally
+ {
+ DeleteTempWebRoot(webRoot);
+ }
+ }
+
+ private static AdminStaticFilesMiddleware CreateMiddleware(
+ string webRootPath,
+ out Func nextInvoked)
+ {
+ var invoked = false;
+ nextInvoked = () => invoked;
+
+ var environment = new Mock();
+ environment.SetupGet(x => x.WebRootPath).Returns(webRootPath);
+
+ return new AdminStaticFilesMiddleware(
+ context =>
+ {
+ invoked = true;
+ context.Response.StatusCode = StatusCodes.Status204NoContent;
+ return Task.CompletedTask;
+ },
+ environment.Object);
+ }
+
+ private static DefaultHttpContext CreateContext(int localPort, string path)
+ {
+ var context = new DefaultHttpContext();
+ context.Connection.LocalPort = localPort;
+ context.Request.Method = HttpMethods.Get;
+ context.Request.Path = path;
+ context.Response.Body = new MemoryStream();
+ return context;
+ }
+
+ private static string CreateTempWebRoot()
+ {
+ var root = Path.Combine(Path.GetTempPath(), "allstarr-tests", Guid.NewGuid().ToString("N"), "wwwroot");
+ Directory.CreateDirectory(root);
+ return root;
+ }
+
+ private static void DeleteTempWebRoot(string webRoot)
+ {
+ var testRoot = Directory.GetParent(webRoot)?.FullName;
+ if (!string.IsNullOrWhiteSpace(testRoot) && Directory.Exists(testRoot))
+ {
+ Directory.Delete(testRoot, recursive: true);
+ }
+ }
+}
diff --git a/allstarr.Tests/ApiKeyAuthFilterTests.cs b/allstarr.Tests/ApiKeyAuthFilterTests.cs
deleted file mode 100644
index 3015301..0000000
--- a/allstarr.Tests/ApiKeyAuthFilterTests.cs
+++ /dev/null
@@ -1,167 +0,0 @@
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.Abstractions;
-using Microsoft.AspNetCore.Mvc.Filters;
-using Microsoft.AspNetCore.Routing;
-using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
-using Moq;
-using System.Collections.Generic;
-using allstarr.Filters;
-using allstarr.Models.Settings;
-
-namespace allstarr.Tests;
-
-public class ApiKeyAuthFilterTests
-{
- private readonly Mock> _loggerMock;
- private readonly IOptions _options;
-
- public ApiKeyAuthFilterTests()
- {
- _loggerMock = new Mock>();
- _options = Options.Create(new JellyfinSettings { ApiKey = "secret-key" });
- }
-
- private static (ActionExecutingContext ExecContext, ActionContext ActionContext) CreateContext(HttpContext httpContext)
- {
- var actionContext = new ActionContext(httpContext, new RouteData(), new ActionDescriptor());
- var execContext = new ActionExecutingContext(actionContext, new List(), new Dictionary(), controller: new object());
- return (execContext, actionContext);
- }
-
- private static ActionExecutionDelegate CreateNext(ActionContext actionContext, Action onInvoke)
- {
- return () =>
- {
- onInvoke();
- var executedContext = new ActionExecutedContext(actionContext, new List(), controller: new object());
- return Task.FromResult(executedContext);
- };
- }
-
- [Fact]
- public async Task OnActionExecutionAsync_WithValidHeader_AllowsRequest()
- {
- // Arrange
- var httpContext = new DefaultHttpContext();
- httpContext.Request.Headers["X-Api-Key"] = "secret-key";
-
- var (ctx, actionCtx) = CreateContext(httpContext);
- var filter = new ApiKeyAuthFilter(_options, _loggerMock.Object);
-
- var invoked = false;
- var next = CreateNext(actionCtx, () => invoked = true);
-
- // Act
- await filter.OnActionExecutionAsync(ctx, next);
-
- // Assert
- Assert.True(invoked, "Next delegate should be invoked for valid API key header");
- Assert.Null(ctx.Result);
- }
-
- [Fact]
- public async Task OnActionExecutionAsync_WithValidQuery_AllowsRequest()
- {
- // Arrange
- var httpContext = new DefaultHttpContext();
- httpContext.Request.QueryString = new QueryString("?api_key=secret-key");
-
- var (ctx, actionCtx) = CreateContext(httpContext);
- var filter = new ApiKeyAuthFilter(_options, _loggerMock.Object);
-
- var invoked = false;
- var next = CreateNext(actionCtx, () => invoked = true);
-
- // Act
- await filter.OnActionExecutionAsync(ctx, next);
-
- // Assert
- Assert.True(invoked, "Next delegate should be invoked for valid API key query");
- Assert.Null(ctx.Result);
- }
-
- [Fact]
- public async Task OnActionExecutionAsync_WithXEmbyTokenHeader_AllowsRequest()
- {
- // Arrange
- var httpContext = new DefaultHttpContext();
- httpContext.Request.Headers["X-Emby-Token"] = "secret-key";
-
- var (ctx, actionCtx) = CreateContext(httpContext);
- var filter = new ApiKeyAuthFilter(_options, _loggerMock.Object);
-
- var invoked = false;
- var next = CreateNext(actionCtx, () => invoked = true);
-
- // Act
- await filter.OnActionExecutionAsync(ctx, next);
-
- // Assert
- Assert.True(invoked, "Next delegate should be invoked for valid X-Emby-Token header");
- Assert.Null(ctx.Result);
- }
-
- [Fact]
- public async Task OnActionExecutionAsync_WithMissingKey_ReturnsUnauthorized()
- {
- // Arrange
- var httpContext = new DefaultHttpContext();
- var (ctx, actionCtx) = CreateContext(httpContext);
- var filter = new ApiKeyAuthFilter(_options, _loggerMock.Object);
-
- var invoked = false;
- var next = CreateNext(actionCtx, () => invoked = true);
-
- // Act
- await filter.OnActionExecutionAsync(ctx, next);
-
- // Assert
- Assert.False(invoked, "Next delegate should not be invoked when API key is missing");
- Assert.IsType(ctx.Result);
- }
-
- [Fact]
- public async Task OnActionExecutionAsync_WithWrongKey_ReturnsUnauthorized()
- {
- // Arrange
- var httpContext = new DefaultHttpContext();
- httpContext.Request.Headers["X-Api-Key"] = "wrong-key";
-
- var (ctx, actionCtx) = CreateContext(httpContext);
- var filter = new ApiKeyAuthFilter(_options, _loggerMock.Object);
-
- var invoked = false;
- var next = CreateNext(actionCtx, () => invoked = true);
-
- // Act
- await filter.OnActionExecutionAsync(ctx, next);
-
- // Assert
- Assert.False(invoked, "Next delegate should not be invoked for wrong API key");
- Assert.IsType(ctx.Result);
- }
-
- [Fact]
- public async Task OnActionExecutionAsync_ConstantTimeComparison_WorksForDifferentLengths()
- {
- // Arrange
- var httpContext = new DefaultHttpContext();
- httpContext.Request.Headers["X-Api-Key"] = "short";
-
- var (ctx, actionCtx) = CreateContext(httpContext);
- var filter = new ApiKeyAuthFilter(Options.Create(new JellyfinSettings { ApiKey = "much-longer-secret-key" }), _loggerMock.Object);
-
- var invoked = false;
- var next = CreateNext(actionCtx, () => invoked = true);
-
- // Act
- await filter.OnActionExecutionAsync(ctx, next);
-
- // Assert
- Assert.False(invoked, "Next should not be invoked for wrong key");
- Assert.IsType(ctx.Result);
- }
-}
diff --git a/allstarr.Tests/AuthHeaderHelperTests.cs b/allstarr.Tests/AuthHeaderHelperTests.cs
new file mode 100644
index 0000000..bf004e2
--- /dev/null
+++ b/allstarr.Tests/AuthHeaderHelperTests.cs
@@ -0,0 +1,87 @@
+using allstarr.Services.Common;
+using Microsoft.AspNetCore.Http;
+using Xunit;
+
+namespace allstarr.Tests;
+
+public class AuthHeaderHelperTests
+{
+ [Fact]
+ public void ForwardAuthHeaders_ShouldPreferXEmbyAuthorization()
+ {
+ var headers = new HeaderDictionary
+ {
+ ["X-Emby-Authorization"] = "MediaBrowser Token=\"abc\"",
+ ["Authorization"] = "Bearer xyz"
+ };
+
+ using var request = new HttpRequestMessage();
+ var forwarded = AuthHeaderHelper.ForwardAuthHeaders(headers, request);
+
+ Assert.True(forwarded);
+ Assert.True(request.Headers.TryGetValues("X-Emby-Authorization", out var values));
+ Assert.Contains("MediaBrowser Token=\"abc\"", values);
+ Assert.False(request.Headers.Contains("Authorization"));
+ }
+
+ [Fact]
+ public void ForwardAuthHeaders_ShouldMapMediaBrowserAuthorizationToXEmby()
+ {
+ var headers = new HeaderDictionary
+ {
+ ["Authorization"] = "MediaBrowser Client=\"Feishin\", Token=\"abc\""
+ };
+
+ using var request = new HttpRequestMessage();
+ var forwarded = AuthHeaderHelper.ForwardAuthHeaders(headers, request);
+
+ Assert.True(forwarded);
+ Assert.True(request.Headers.Contains("X-Emby-Authorization"));
+ }
+
+ [Fact]
+ public void ForwardAuthHeaders_ShouldForwardStandardAuthorization()
+ {
+ var headers = new HeaderDictionary
+ {
+ ["Authorization"] = "Bearer xyz"
+ };
+
+ using var request = new HttpRequestMessage();
+ var forwarded = AuthHeaderHelper.ForwardAuthHeaders(headers, request);
+
+ Assert.True(forwarded);
+ Assert.True(request.Headers.Contains("Authorization"));
+ }
+
+ [Fact]
+ public void ExtractDeviceIdAndClientName_ShouldParseMediaBrowserHeader()
+ {
+ var headers = new HeaderDictionary
+ {
+ ["X-Emby-Authorization"] =
+ "MediaBrowser Client=\"Feishin\", Device=\"Desktop\", DeviceId=\"dev-123\", Version=\"1.0\", Token=\"abc\""
+ };
+
+ Assert.Equal("dev-123", AuthHeaderHelper.ExtractDeviceId(headers));
+ Assert.Equal("Feishin", AuthHeaderHelper.ExtractClientName(headers));
+ }
+
+ [Fact]
+ public void CreateAuthHeader_ShouldBuildMediaBrowserString()
+ {
+ var header = AuthHeaderHelper.CreateAuthHeader(
+ token: "abc",
+ client: "Feishin",
+ device: "Desktop",
+ deviceId: "dev-123",
+ version: "1.0");
+
+ Assert.Contains("MediaBrowser", header);
+ Assert.Contains("Client=\"Feishin\"", header);
+ Assert.Contains("Device=\"Desktop\"", header);
+ Assert.Contains("DeviceId=\"dev-123\"", header);
+ Assert.Contains("Version=\"1.0\"", header);
+ Assert.Contains("Token=\"abc\"", header);
+ }
+}
diff --git a/allstarr.Tests/CacheKeyBuilderTests.cs b/allstarr.Tests/CacheKeyBuilderTests.cs
new file mode 100644
index 0000000..a6293fb
--- /dev/null
+++ b/allstarr.Tests/CacheKeyBuilderTests.cs
@@ -0,0 +1,71 @@
+using allstarr.Services.Common;
+using Xunit;
+
+namespace allstarr.Tests;
+
+public class CacheKeyBuilderTests
+{
+ [Fact]
+ public void SearchKey_ShouldIncludeRouteContextDimensions()
+ {
+ var key = CacheKeyBuilder.BuildSearchKey(
+ " DATA ",
+ "MusicAlbum",
+ 500,
+ 0,
+ "efa26829c37196b030fa31d127e0715b",
+ "DateCreated,SortName",
+ "Descending",
+ true,
+ "1635cd7d23144ba08251ebe22a56119e");
+
+ Assert.Equal(
+ "search:data:musicalbum:500:0:efa26829c37196b030fa31d127e0715b:datecreated,sortname:descending:true:1635cd7d23144ba08251ebe22a56119e",
+ key);
+ }
+
+ [Fact]
+ public void SearchKey_OldOverload_ShouldRemainCompatible()
+ {
+ Assert.Equal("search:data:Audio:500:0", CacheKeyBuilder.BuildSearchKey("DATA", "Audio", 500, 0));
+ }
+
+ [Fact]
+ public void SpotifyKeys_ShouldMatchExpectedFormats()
+ {
+ Assert.Equal("spotify:playlist:Road Trip", CacheKeyBuilder.BuildSpotifyPlaylistKey("Road Trip"));
+ Assert.Equal("spotify:playlist:items:Road Trip", CacheKeyBuilder.BuildSpotifyPlaylistItemsKey("Road Trip"));
+ Assert.Equal("spotify:playlist:ordered:Road Trip", CacheKeyBuilder.BuildSpotifyPlaylistOrderedKey("Road Trip"));
+ Assert.Equal("spotify:matched:ordered:Road Trip", CacheKeyBuilder.BuildSpotifyMatchedTracksKey("Road Trip"));
+ Assert.Equal("spotify:matched:Road Trip", CacheKeyBuilder.BuildSpotifyLegacyMatchedTracksKey("Road Trip"));
+ Assert.Equal("spotify:playlist:stats:Road Trip", CacheKeyBuilder.BuildSpotifyPlaylistStatsKey("Road Trip"));
+ Assert.Equal("spotify:manual-map:Road Trip:abc123", CacheKeyBuilder.BuildSpotifyManualMappingKey("Road Trip", "abc123"));
+ Assert.Equal("spotify:external-map:Road Trip:abc123", CacheKeyBuilder.BuildSpotifyExternalMappingKey("Road Trip", "abc123"));
+ Assert.Equal("spotify:global-map:abc123", CacheKeyBuilder.BuildSpotifyGlobalMappingKey("abc123"));
+ Assert.Equal("spotify:global-map:all-ids", CacheKeyBuilder.BuildSpotifyGlobalMappingsIndexKey());
+ }
+
+ [Fact]
+ public void LyricsAndGenreKeys_ShouldMatchExpectedFormats()
+ {
+ Assert.Equal("lyrics:Artist:Title:Album:240", CacheKeyBuilder.BuildLyricsKey("Artist", "Title", "Album", 240));
+ Assert.Equal("lyricsplus:Artist:Title:Album:240", CacheKeyBuilder.BuildLyricsPlusKey("Artist", "Title", "Album", 240));
+ Assert.Equal("lyrics:manual-map:Artist:Title", CacheKeyBuilder.BuildLyricsManualMappingKey("Artist", "Title"));
+ Assert.Equal("lyrics:id:42", CacheKeyBuilder.BuildLyricsByIdKey(42));
+
+ Assert.Equal("genre:Track:Artist", CacheKeyBuilder.BuildGenreEnrichmentKey("Track", "Artist"));
+ Assert.Equal("genre:Track:Artist", CacheKeyBuilder.BuildGenreEnrichmentKey("Track:Artist"));
+ Assert.Equal("genre:rock", CacheKeyBuilder.BuildGenreKey("Rock"));
+ }
+
+ [Fact]
+ public void MusicBrainzAndOdesliKeys_ShouldMatchExpectedFormats()
+ {
+ Assert.Equal("musicbrainz:isrc:USABC123", CacheKeyBuilder.BuildMusicBrainzIsrcKey("USABC123"));
+ Assert.Equal("musicbrainz:search:title:artist:5", CacheKeyBuilder.BuildMusicBrainzSearchKey("Title", "Artist", 5));
+ Assert.Equal("musicbrainz:mbid:abc-def", CacheKeyBuilder.BuildMusicBrainzMbidKey("abc-def"));
+
+ Assert.Equal("odesli:tidal-to-spotify:123", CacheKeyBuilder.BuildOdesliTidalToSpotifyKey("123"));
+ Assert.Equal("odesli:url-to-spotify:https://example.com/track", CacheKeyBuilder.BuildOdesliUrlToSpotifyKey("https://example.com/track"));
+ }
+}
diff --git a/allstarr.Tests/ConfigControllerAuthorizationTests.cs b/allstarr.Tests/ConfigControllerAuthorizationTests.cs
new file mode 100644
index 0000000..c2cee63
--- /dev/null
+++ b/allstarr.Tests/ConfigControllerAuthorizationTests.cs
@@ -0,0 +1,166 @@
+using System.Text.Json;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Moq;
+using allstarr.Controllers;
+using allstarr.Models.Admin;
+using allstarr.Models.Settings;
+using allstarr.Services.Admin;
+using allstarr.Services.Common;
+using allstarr.Services.Spotify;
+
+namespace allstarr.Tests;
+
+public class ConfigControllerAuthorizationTests
+{
+ [Fact]
+ public async Task UpdateConfig_WithoutAdminSession_ReturnsForbidden()
+ {
+ var controller = CreateController(CreateHttpContextWithSession(isAdmin: false));
+ var result = await controller.UpdateConfig(new ConfigUpdateRequest
+ {
+ Updates = new Dictionary { ["TEST_KEY"] = "value" }
+ });
+
+ AssertForbidden(result);
+ }
+
+ [Fact]
+ public async Task RestartContainer_WithoutAdminSession_ReturnsForbidden()
+ {
+ var controller = CreateController(CreateHttpContextWithSession(isAdmin: false));
+ var result = await controller.RestartContainer();
+
+ AssertForbidden(result);
+ }
+
+ [Fact]
+ public void ExportEnv_WithoutAdminSession_ReturnsForbidden()
+ {
+ var controller = CreateController(CreateHttpContextWithSession(isAdmin: false));
+ var result = controller.ExportEnv();
+
+ AssertForbidden(result);
+ }
+
+ [Fact]
+ public async Task ImportEnv_WithoutAdminSession_ReturnsForbidden()
+ {
+ var controller = CreateController(CreateHttpContextWithSession(isAdmin: false));
+ var file = new FormFile(Stream.Null, 0, 0, "file", "config.env");
+ var result = await controller.ImportEnv(file);
+
+ AssertForbidden(result);
+ }
+
+ [Fact]
+ public async Task UpdateConfig_WithAdminSession_ContinuesToValidation()
+ {
+ var controller = CreateController(CreateHttpContextWithSession(isAdmin: true));
+ var result = await controller.UpdateConfig(new ConfigUpdateRequest());
+
+ var badRequest = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status400BadRequest, badRequest.StatusCode);
+ }
+
+ [Fact]
+ public void ExportEnv_WithAdminSession_WhenFeatureDisabled_ReturnsNotFound()
+ {
+ var controller = CreateController(CreateHttpContextWithSession(isAdmin: true));
+ var result = controller.ExportEnv();
+
+ var notFound = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status404NotFound, notFound.StatusCode);
+ }
+
+ private static HttpContext CreateHttpContextWithSession(bool isAdmin)
+ {
+ var context = new DefaultHttpContext();
+ context.Connection.LocalPort = 5275;
+ context.Items[AdminAuthSessionService.HttpContextSessionItemKey] = new AdminAuthSession
+ {
+ SessionId = "session-id",
+ UserId = "user-id",
+ UserName = "user",
+ IsAdministrator = isAdmin,
+ JellyfinAccessToken = "token",
+ JellyfinServerId = "server-id",
+ ExpiresAtUtc = DateTime.UtcNow.AddHours(1),
+ LastSeenUtc = DateTime.UtcNow
+ };
+
+ return context;
+ }
+
+ private static ConfigController CreateController(
+ HttpContext httpContext,
+ Dictionary? configValues = null)
+ {
+ var logger = new Mock>();
+ var configuration = new ConfigurationBuilder()
+ .AddInMemoryCollection(configValues ?? new Dictionary())
+ .Build();
+
+ var webHostEnvironment = new Mock();
+ webHostEnvironment.SetupGet(e => e.EnvironmentName).Returns(Environments.Development);
+ webHostEnvironment.SetupGet(e => e.ContentRootPath).Returns(Directory.GetCurrentDirectory());
+ var helperLogger = new Mock>();
+ var helperService = new AdminHelperService(
+ helperLogger.Object,
+ Options.Create(new JellyfinSettings()),
+ webHostEnvironment.Object);
+
+ var redisLogger = new Mock>();
+ var redisCache = new RedisCacheService(
+ Options.Create(new RedisSettings
+ {
+ Enabled = false,
+ ConnectionString = "localhost:6379"
+ }),
+ redisLogger.Object);
+ var spotifyCookieLogger = new Mock>();
+ var spotifySessionCookieService = new SpotifySessionCookieService(
+ Options.Create(new SpotifyApiSettings()),
+ helperService,
+ spotifyCookieLogger.Object);
+
+ var controller = new ConfigController(
+ logger.Object,
+ configuration,
+ Options.Create(new SpotifyApiSettings()),
+ Options.Create(new JellyfinSettings()),
+ Options.Create(new SubsonicSettings()),
+ Options.Create(new DeezerSettings()),
+ Options.Create(new QobuzSettings()),
+ Options.Create(new SquidWTFSettings()),
+ Options.Create(new MusicBrainzSettings()),
+ Options.Create(new SpotifyImportSettings()),
+ Options.Create(new ScrobblingSettings()),
+ helperService,
+ spotifySessionCookieService,
+ redisCache)
+ {
+ ControllerContext = new ControllerContext
+ {
+ HttpContext = httpContext
+ }
+ };
+
+ return controller;
+ }
+
+ private static void AssertForbidden(IActionResult result)
+ {
+ var forbidden = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status403Forbidden, forbidden.StatusCode);
+
+ var payload = JsonSerializer.Serialize(forbidden.Value);
+ using var document = JsonDocument.Parse(payload);
+ Assert.Equal("Administrator permissions required", document.RootElement.GetProperty("error").GetString());
+ }
+}
diff --git a/allstarr.Tests/DownloadsControllerPathSecurityTests.cs b/allstarr.Tests/DownloadsControllerPathSecurityTests.cs
new file mode 100644
index 0000000..8712fe4
--- /dev/null
+++ b/allstarr.Tests/DownloadsControllerPathSecurityTests.cs
@@ -0,0 +1,117 @@
+using allstarr.Controllers;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging.Abstractions;
+
+namespace allstarr.Tests;
+
+public class DownloadsControllerPathSecurityTests
+{
+ [Fact]
+ public void DownloadFile_PathTraversalIntoPrefixedSibling_IsRejected()
+ {
+ var testRoot = CreateTestRoot();
+ var downloadsRoot = Path.Combine(testRoot, "downloads");
+ var keptRoot = Path.Combine(downloadsRoot, "kept");
+ var siblingRoot = Path.Combine(downloadsRoot, "kept-malicious");
+
+ Directory.CreateDirectory(keptRoot);
+ Directory.CreateDirectory(siblingRoot);
+ File.WriteAllText(Path.Combine(siblingRoot, "attack.mp3"), "not-allowed");
+
+ try
+ {
+ var controller = CreateController(downloadsRoot);
+ var result = controller.DownloadFile("../kept-malicious/attack.mp3");
+
+ var badRequest = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status400BadRequest, badRequest.StatusCode);
+ }
+ finally
+ {
+ DeleteTestRoot(testRoot);
+ }
+ }
+
+ [Fact]
+ public void DeleteDownload_PathTraversalIntoPrefixedSibling_IsRejected()
+ {
+ var testRoot = CreateTestRoot();
+ var downloadsRoot = Path.Combine(testRoot, "downloads");
+ var keptRoot = Path.Combine(downloadsRoot, "kept");
+ var siblingRoot = Path.Combine(downloadsRoot, "kept-malicious");
+ var siblingFile = Path.Combine(siblingRoot, "attack.mp3");
+
+ Directory.CreateDirectory(keptRoot);
+ Directory.CreateDirectory(siblingRoot);
+ File.WriteAllText(siblingFile, "not-allowed");
+
+ try
+ {
+ var controller = CreateController(downloadsRoot);
+ var result = controller.DeleteDownload("../kept-malicious/attack.mp3");
+
+ var badRequest = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status400BadRequest, badRequest.StatusCode);
+ Assert.True(File.Exists(siblingFile));
+ }
+ finally
+ {
+ DeleteTestRoot(testRoot);
+ }
+ }
+
+ [Fact]
+ public void DownloadFile_ValidPathInsideKeptFolder_AllowsDownload()
+ {
+ var testRoot = CreateTestRoot();
+ var downloadsRoot = Path.Combine(testRoot, "downloads");
+ var artistDir = Path.Combine(downloadsRoot, "kept", "Artist");
+ var validFile = Path.Combine(artistDir, "track.mp3");
+
+ Directory.CreateDirectory(artistDir);
+ File.WriteAllText(validFile, "ok");
+
+ try
+ {
+ var controller = CreateController(downloadsRoot);
+ var result = controller.DownloadFile("Artist/track.mp3");
+
+ Assert.IsType(result);
+ }
+ finally
+ {
+ DeleteTestRoot(testRoot);
+ }
+ }
+
+ private static DownloadsController CreateController(string downloadsRoot)
+ {
+ var config = new ConfigurationBuilder()
+ .AddInMemoryCollection(new Dictionary
+ {
+ ["Library:DownloadPath"] = downloadsRoot
+ })
+ .Build();
+
+ return new DownloadsController(
+ NullLogger.Instance,
+ config);
+ }
+
+ private static string CreateTestRoot()
+ {
+ var root = Path.Combine(Path.GetTempPath(), "allstarr-tests", Guid.NewGuid().ToString("N"));
+ Directory.CreateDirectory(root);
+ return root;
+ }
+
+ private static void DeleteTestRoot(string root)
+ {
+ if (Directory.Exists(root))
+ {
+ Directory.Delete(root, recursive: true);
+ }
+ }
+}
diff --git a/allstarr.Tests/ExplicitContentFilterTests.cs b/allstarr.Tests/ExplicitContentFilterTests.cs
new file mode 100644
index 0000000..e6b5516
--- /dev/null
+++ b/allstarr.Tests/ExplicitContentFilterTests.cs
@@ -0,0 +1,43 @@
+using allstarr.Models.Domain;
+using allstarr.Models.Settings;
+using allstarr.Services.Common;
+using Xunit;
+
+namespace allstarr.Tests;
+
+public class ExplicitContentFilterTests
+{
+ [Fact]
+ public void ShouldIncludeSong_ShouldIncludeUnknownExplicitState()
+ {
+ var song = new Song { ExplicitContentLyrics = null };
+
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(song, ExplicitFilter.All));
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(song, ExplicitFilter.ExplicitOnly));
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(song, ExplicitFilter.CleanOnly));
+ }
+
+ [Fact]
+ public void ShouldIncludeSong_ExplicitOnly_ShouldExcludeOnlyCleanEditedValue3()
+ {
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 0 }, ExplicitFilter.ExplicitOnly));
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 1 }, ExplicitFilter.ExplicitOnly));
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 2 }, ExplicitFilter.ExplicitOnly));
+ Assert.False(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 3 }, ExplicitFilter.ExplicitOnly));
+ }
+
+ [Fact]
+ public void ShouldIncludeSong_CleanOnly_ShouldExcludeExplicitValue1()
+ {
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 0 }, ExplicitFilter.CleanOnly));
+ Assert.False(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 1 }, ExplicitFilter.CleanOnly));
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 3 }, ExplicitFilter.CleanOnly));
+ }
+
+ [Fact]
+ public void ShouldIncludeSong_All_ShouldAlwaysInclude()
+ {
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 1 }, ExplicitFilter.All));
+ Assert.True(ExplicitContentFilter.ShouldIncludeSong(new Song { ExplicitContentLyrics = 3 }, ExplicitFilter.All));
+ }
+}
diff --git a/allstarr.Tests/JavaScriptSyntaxTests.cs b/allstarr.Tests/JavaScriptSyntaxTests.cs
index e27916a..6f74e39 100644
--- a/allstarr.Tests/JavaScriptSyntaxTests.cs
+++ b/allstarr.Tests/JavaScriptSyntaxTests.cs
@@ -1,4 +1,5 @@
using System.Diagnostics;
+using System.Text.RegularExpressions;
using Xunit;
namespace allstarr.Tests;
@@ -23,7 +24,7 @@ public class JavaScriptSyntaxTests
{
var filePath = Path.Combine(_wwwrootPath, "app.js");
Assert.True(File.Exists(filePath), $"app.js not found at {filePath}");
-
+
var isValid = ValidateJavaScriptSyntax(filePath, out var error);
Assert.True(isValid, $"app.js has syntax errors:\n{error}");
}
@@ -33,7 +34,7 @@ public class JavaScriptSyntaxTests
{
var filePath = Path.Combine(_wwwrootPath, "spotify-mappings.js");
Assert.True(File.Exists(filePath), $"spotify-mappings.js not found at {filePath}");
-
+
var isValid = ValidateJavaScriptSyntax(filePath, out var error);
Assert.True(isValid, $"spotify-mappings.js has syntax errors:\n{error}");
}
@@ -43,7 +44,7 @@ public class JavaScriptSyntaxTests
{
var filePath = Path.Combine(_wwwrootPath, "js", "utils.js");
Assert.True(File.Exists(filePath), $"js/utils.js not found at {filePath}");
-
+
var isValid = ValidateJavaScriptSyntax(filePath, out var error);
Assert.True(isValid, $"js/utils.js has syntax errors:\n{error}");
}
@@ -53,7 +54,7 @@ public class JavaScriptSyntaxTests
{
var filePath = Path.Combine(_wwwrootPath, "js", "api.js");
Assert.True(File.Exists(filePath), $"js/api.js not found at {filePath}");
-
+
var isValid = ValidateJavaScriptSyntax(filePath, out var error);
Assert.True(isValid, $"js/api.js has syntax errors:\n{error}");
}
@@ -63,17 +64,40 @@ public class JavaScriptSyntaxTests
{
var filePath = Path.Combine(_wwwrootPath, "js", "main.js");
Assert.True(File.Exists(filePath), $"js/main.js not found at {filePath}");
-
+
var isValid = ValidateJavaScriptSyntax(filePath, out var error);
Assert.True(isValid, $"js/main.js has syntax errors:\n{error}");
}
+ [Fact]
+ public void ModularJs_ExtractedModulesShouldHaveValidSyntax()
+ {
+ var moduleFiles = new[]
+ {
+ "settings-editor.js",
+ "auth-session.js",
+ "dashboard-data.js",
+ "operations.js",
+ "playlist-admin.js",
+ "scrobbling-admin.js"
+ };
+
+ foreach (var moduleFile in moduleFiles)
+ {
+ var filePath = Path.Combine(_wwwrootPath, "js", moduleFile);
+ Assert.True(File.Exists(filePath), $"js/{moduleFile} not found at {filePath}");
+
+ var isValid = ValidateJavaScriptSyntax(filePath, out var error);
+ Assert.True(isValid, $"js/{moduleFile} has syntax errors:\n{error}");
+ }
+ }
+
[Fact]
public void AppJs_ShouldBeDeprecated()
{
var filePath = Path.Combine(_wwwrootPath, "app.js");
var content = File.ReadAllText(filePath);
-
+
// Check that the file is now just a deprecation notice
Assert.Contains("DEPRECATED", content);
Assert.Contains("main.js", content);
@@ -82,18 +106,45 @@ public class JavaScriptSyntaxTests
[Fact]
public void MainJs_ShouldBeComplete()
{
- var filePath = Path.Combine(_wwwrootPath, "js", "main.js");
- var content = File.ReadAllText(filePath);
-
- // Check that critical window functions exist
- Assert.Contains("window.fetchStatus", content);
- Assert.Contains("window.fetchPlaylists", content);
- Assert.Contains("window.fetchConfig", content);
- Assert.Contains("window.fetchEndpointUsage", content);
-
- // Check that the file has proper initialization
- Assert.Contains("DOMContentLoaded", content);
- Assert.Contains("window.fetchStatus();", content);
+ var mainPath = Path.Combine(_wwwrootPath, "js", "main.js");
+ var dashboardPath = Path.Combine(_wwwrootPath, "js", "dashboard-data.js");
+ var settingsPath = Path.Combine(_wwwrootPath, "js", "settings-editor.js");
+ var authPath = Path.Combine(_wwwrootPath, "js", "auth-session.js");
+ var operationsPath = Path.Combine(_wwwrootPath, "js", "operations.js");
+ var playlistPath = Path.Combine(_wwwrootPath, "js", "playlist-admin.js");
+ var scrobblingPath = Path.Combine(_wwwrootPath, "js", "scrobbling-admin.js");
+
+ Assert.True(File.Exists(mainPath), $"js/main.js not found at {mainPath}");
+ Assert.True(File.Exists(dashboardPath), $"js/dashboard-data.js not found at {dashboardPath}");
+ Assert.True(File.Exists(settingsPath), $"js/settings-editor.js not found at {settingsPath}");
+ Assert.True(File.Exists(authPath), $"js/auth-session.js not found at {authPath}");
+ Assert.True(File.Exists(operationsPath), $"js/operations.js not found at {operationsPath}");
+ Assert.True(File.Exists(playlistPath), $"js/playlist-admin.js not found at {playlistPath}");
+ Assert.True(File.Exists(scrobblingPath), $"js/scrobbling-admin.js not found at {scrobblingPath}");
+
+ var mainContent = File.ReadAllText(mainPath);
+ var dashboardContent = File.ReadAllText(dashboardPath);
+ var settingsContent = File.ReadAllText(settingsPath);
+ var authContent = File.ReadAllText(authPath);
+ var operationsContent = File.ReadAllText(operationsPath);
+ var playlistContent = File.ReadAllText(playlistPath);
+ var scrobblingContent = File.ReadAllText(scrobblingPath);
+
+ Assert.Contains("DOMContentLoaded", mainContent);
+ Assert.Contains("authSession.bootstrapAuth()", mainContent);
+ Assert.Contains("initDashboardData", mainContent);
+
+ Assert.Contains("window.fetchStatus", dashboardContent);
+ Assert.Contains("window.fetchPlaylists", dashboardContent);
+ Assert.Contains("window.fetchConfig", dashboardContent);
+ Assert.Contains("window.fetchEndpointUsage", dashboardContent);
+
+ Assert.Contains("window.openEditSetting", settingsContent);
+ Assert.Contains("window.saveEditSetting", settingsContent);
+ Assert.Contains("window.logoutAdminSession", authContent);
+ Assert.Contains("window.restartContainer", operationsContent);
+ Assert.Contains("window.linkPlaylist", playlistContent);
+ Assert.Contains("window.loadScrobblingConfig", scrobblingContent);
}
[Fact]
@@ -103,10 +154,10 @@ public class JavaScriptSyntaxTests
// Skip this test or check main.js instead
var filePath = Path.Combine(_wwwrootPath, "js", "main.js");
var content = File.ReadAllText(filePath);
-
+
var openBraces = content.Count(c => c == '{');
var closeBraces = content.Count(c => c == '}');
-
+
Assert.Equal(openBraces, closeBraces);
}
@@ -116,15 +167,42 @@ public class JavaScriptSyntaxTests
// app.js is now deprecated and just contains comments
// Skip this test or check main.js instead
var filePath = Path.Combine(_wwwrootPath, "js", "main.js");
-
+
// Use Node.js to validate syntax instead of counting parentheses
// This is more reliable than regex-based string/comment removal
string error;
var isValid = ValidateJavaScriptSyntax(filePath, out error);
-
+
Assert.True(isValid, $"JavaScript syntax validation failed: {error}");
}
+ [Fact]
+ public void ApiJs_ShouldCentralizeFetchHandling()
+ {
+ var filePath = Path.Combine(_wwwrootPath, "js", "api.js");
+ var content = File.ReadAllText(filePath);
+
+ Assert.Contains("async function requestJson", content);
+ Assert.Contains("async function requestBlob", content);
+ Assert.Contains("async function requestOptionalJson", content);
+
+ var fetchCallCount = Regex.Matches(content, @"\bfetch\(").Count;
+ Assert.Equal(3, fetchCallCount);
+ }
+
+ [Fact]
+ public void ScrobblingAdmin_ShouldUseApiWrappersInsteadOfDirectFetch()
+ {
+ var filePath = Path.Combine(_wwwrootPath, "js", "scrobbling-admin.js");
+ var content = File.ReadAllText(filePath);
+
+ Assert.DoesNotContain("fetch(", content);
+ Assert.Contains("API.fetchScrobblingStatus()", content);
+ Assert.Contains("API.updateLocalTracksScrobbling", content);
+ Assert.Contains("API.authenticateLastFm()", content);
+ Assert.Contains("API.validateListenBrainzToken", content);
+ }
+
private bool ValidateJavaScriptSyntax(string filePath, out string error)
{
error = string.Empty;
@@ -165,23 +243,4 @@ public class JavaScriptSyntaxTests
}
}
- private string RemoveStringsAndComments(string content)
- {
- // Simple removal of strings and comments for brace counting
- // This is not perfect but good enough for basic validation
- var result = content;
-
- // Remove single-line comments
- result = System.Text.RegularExpressions.Regex.Replace(result, @"//.*$", "", System.Text.RegularExpressions.RegexOptions.Multiline);
-
- // Remove multi-line comments
- result = System.Text.RegularExpressions.Regex.Replace(result, @"/\*.*?\*/", "", System.Text.RegularExpressions.RegexOptions.Singleline);
-
- // Remove strings (simple approach)
- result = System.Text.RegularExpressions.Regex.Replace(result, @"""(?:[^""\\]|\\.)*""", "");
- result = System.Text.RegularExpressions.Regex.Replace(result, @"'(?:[^'\\]|\\.)*'", "");
- result = System.Text.RegularExpressions.Regex.Replace(result, @"`(?:[^`\\]|\\.)*`", "");
-
- return result;
- }
}
diff --git a/allstarr.Tests/JellyfinProxyServiceTests.cs b/allstarr.Tests/JellyfinProxyServiceTests.cs
index 15b0620..a967cbc 100644
--- a/allstarr.Tests/JellyfinProxyServiceTests.cs
+++ b/allstarr.Tests/JellyfinProxyServiceTests.cs
@@ -182,7 +182,7 @@ public class JellyfinProxyServiceTests
// Assert
Assert.NotNull(captured);
var url = captured!.RequestUri!.ToString();
-
+
// Verify the query parameters are properly URL encoded
Assert.Contains("searchTerm=", url);
Assert.Contains("test", url);
@@ -192,7 +192,7 @@ public class JellyfinProxyServiceTests
Assert.Contains("MusicAlbum", url);
Assert.Contains("limit=25", url);
Assert.Contains("recursive=true", url);
-
+
// Verify spaces are encoded (either as %20 or +)
var uri = captured.RequestUri;
var searchTermValue = System.Web.HttpUtility.ParseQueryString(uri!.Query).Get("searchTerm");
@@ -225,6 +225,67 @@ public class JellyfinProxyServiceTests
Assert.Equal(200, statusCode);
}
+ [Fact]
+ public async Task GetJsonAsync_WithEndpointQuery_PreservesCallerParameters()
+ {
+ // Arrange
+ HttpRequestMessage? captured = null;
+ _mockHandler.Protected()
+ .Setup>("SendAsync",
+ ItExpr.IsAny(),
+ ItExpr.IsAny())
+ .Callback((req, ct) => captured = req)
+ .ReturnsAsync(new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new StringContent("{\"Id\":\"abc-123\"}")
+ });
+
+ // Act
+ await _service.GetJsonAsync(
+ "Users/user-abc/Items/abc-123?api_key=query-token&Fields=DateCreated,PremiereDate,ProductionYear");
+
+ // Assert
+ Assert.NotNull(captured);
+ var requestUri = captured!.RequestUri!;
+ Assert.Contains("/Users/user-abc/Items/abc-123", requestUri.ToString());
+
+ var query = System.Web.HttpUtility.ParseQueryString(requestUri.Query);
+ Assert.Equal("query-token", query.Get("api_key"));
+ Assert.Equal("DateCreated,PremiereDate,ProductionYear", query.Get("Fields"));
+ }
+
+ [Fact]
+ public async Task GetJsonAsync_WithEndpointAndExplicitQuery_MergesWithExplicitPrecedence()
+ {
+ // Arrange
+ HttpRequestMessage? captured = null;
+ _mockHandler.Protected()
+ .Setup>("SendAsync",
+ ItExpr.IsAny(),
+ ItExpr.IsAny())
+ .Callback((req, ct) => captured = req)
+ .ReturnsAsync(new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new StringContent("{\"Items\":[]}")
+ });
+
+ // Act
+ await _service.GetJsonAsync(
+ "Items/abc-123?api_key=endpoint-token&Fields=DateCreated",
+ new Dictionary
+ {
+ ["api_key"] = "explicit-token",
+ ["UserId"] = "route-user"
+ });
+
+ // Assert
+ Assert.NotNull(captured);
+ var query = System.Web.HttpUtility.ParseQueryString(captured!.RequestUri!.Query);
+ Assert.Equal("explicit-token", query.Get("api_key"));
+ Assert.Equal("DateCreated", query.Get("Fields"));
+ Assert.Equal("route-user", query.Get("UserId"));
+ }
+
[Fact]
public async Task GetArtistsAsync_WithSearchTerm_IncludesInQuery()
{
@@ -277,6 +338,30 @@ public class JellyfinProxyServiceTests
Assert.Contains("maxHeight=300", url);
}
+ [Fact]
+ public async Task GetImageAsync_WithTag_IncludesTagInQuery()
+ {
+ // Arrange
+ HttpRequestMessage? captured = null;
+ _mockHandler.Protected()
+ .Setup>("SendAsync",
+ ItExpr.IsAny(),
+ ItExpr.IsAny())
+ .Callback((req, ct) => captured = req)
+ .ReturnsAsync(new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new ByteArrayContent(new byte[] { 1, 2, 3 })
+ });
+
+ // Act
+ await _service.GetImageAsync("item-123", "Primary", imageTag: "playlist-art-v2");
+
+ // Assert
+ Assert.NotNull(captured);
+ var query = System.Web.HttpUtility.ParseQueryString(captured!.RequestUri!.Query);
+ Assert.Equal("playlist-art-v2", query.Get("tag"));
+ }
+
[Fact]
diff --git a/allstarr.Tests/JellyfinQueryRedactionTests.cs b/allstarr.Tests/JellyfinQueryRedactionTests.cs
new file mode 100644
index 0000000..36d926e
--- /dev/null
+++ b/allstarr.Tests/JellyfinQueryRedactionTests.cs
@@ -0,0 +1,42 @@
+using System.Reflection;
+using allstarr.Controllers;
+
+namespace allstarr.Tests;
+
+public class JellyfinQueryRedactionTests
+{
+ [Fact]
+ public void MaskSensitiveQueryString_RedactsSensitiveValues()
+ {
+ var masked = InvokeMaskSensitiveQueryString(
+ "?api_key=secret1&query=hello&x-emby-token=secret2&AuthToken=secret3");
+
+ Assert.Contains("api_key=", masked);
+ Assert.Contains("query=hello", masked);
+ Assert.Contains("x-emby-token=", masked);
+ Assert.Contains("AuthToken=", masked);
+ Assert.DoesNotContain("secret1", masked);
+ Assert.DoesNotContain("secret2", masked);
+ Assert.DoesNotContain("secret3", masked);
+ }
+
+ [Theory]
+ [InlineData(null)]
+ [InlineData("")]
+ public void MaskSensitiveQueryString_EmptyOrNull_ReturnsEmpty(string? input)
+ {
+ var masked = InvokeMaskSensitiveQueryString(input);
+ Assert.Equal(string.Empty, masked);
+ }
+
+ private static string InvokeMaskSensitiveQueryString(string? queryString)
+ {
+ var method = typeof(JellyfinController).GetMethod(
+ "MaskSensitiveQueryString",
+ BindingFlags.Static | BindingFlags.NonPublic);
+
+ Assert.NotNull(method);
+ var result = method!.Invoke(null, new object?[] { queryString });
+ return Assert.IsType(result);
+ }
+}
diff --git a/allstarr.Tests/JellyfinResponseBuilderTests.cs b/allstarr.Tests/JellyfinResponseBuilderTests.cs
index 39b1d8b..47e9246 100644
--- a/allstarr.Tests/JellyfinResponseBuilderTests.cs
+++ b/allstarr.Tests/JellyfinResponseBuilderTests.cs
@@ -75,6 +75,58 @@ public class JellyfinResponseBuilderTests
Assert.Equal("USRC12345678", providerIds["ISRC"]);
}
+ [Theory]
+ [InlineData("deezer")]
+ [InlineData("qobuz")]
+ [InlineData("squidwtf")]
+ [InlineData("Deezer")]
+ [InlineData("Qobuz")]
+ [InlineData("SquidWTF")]
+ public void ConvertSongToJellyfinItem_ExternalStreamingProviders_DisableTranscoding(string provider)
+ {
+ // Arrange
+ var song = new Song
+ {
+ Id = $"ext-{provider}-song-123",
+ Title = "External Track",
+ Artist = "External Artist",
+ IsLocal = false,
+ ExternalProvider = provider,
+ ExternalId = "123"
+ };
+
+ // Act
+ var result = _builder.ConvertSongToJellyfinItem(song);
+
+ // Assert
+ var mediaSources = Assert.IsAssignableFrom(result["MediaSources"]);
+ var mediaSource = Assert.IsType>(mediaSources[0]);
+ Assert.False(Assert.IsType(mediaSource["SupportsTranscoding"]));
+ }
+
+ [Fact]
+ public void ConvertSongToJellyfinItem_OtherExternalProviders_KeepTranscodingEnabled()
+ {
+ // Arrange
+ var song = new Song
+ {
+ Id = "ext-spotify-song-123",
+ Title = "External Track",
+ Artist = "External Artist",
+ IsLocal = false,
+ ExternalProvider = "spotify",
+ ExternalId = "123"
+ };
+
+ // Act
+ var result = _builder.ConvertSongToJellyfinItem(song);
+
+ // Assert
+ var mediaSources = Assert.IsAssignableFrom(result["MediaSources"]);
+ var mediaSource = Assert.IsType>(mediaSources[0]);
+ Assert.True(Assert.IsType(mediaSource["SupportsTranscoding"]));
+ }
+
[Fact]
public void ConvertAlbumToJellyfinItem_SetsCorrectFields()
{
diff --git a/allstarr.Tests/JellyfinSearchTermRecoveryTests.cs b/allstarr.Tests/JellyfinSearchTermRecoveryTests.cs
new file mode 100644
index 0000000..3772592
--- /dev/null
+++ b/allstarr.Tests/JellyfinSearchTermRecoveryTests.cs
@@ -0,0 +1,47 @@
+using System.Reflection;
+using allstarr.Controllers;
+
+namespace allstarr.Tests;
+
+public class JellyfinSearchTermRecoveryTests
+{
+ [Fact]
+ public void RecoverSearchTermFromRawQuery_PreservesUnencodedAmpersand()
+ {
+ var raw = "?SearchTerm=Love%20&%20Hyperbole&Recursive=true&IncludeItemTypes=MusicAlbum";
+ var recovered = InvokePrivateStatic("RecoverSearchTermFromRawQuery", raw);
+
+ Assert.Equal("Love & Hyperbole", recovered);
+ }
+
+ [Fact]
+ public void GetEffectiveSearchTerm_PrefersRecoveredWhenBoundIsTruncated()
+ {
+ var bound = "Love ";
+ var raw = "?SearchTerm=Love%20&%20Hyperbole&Recursive=true";
+ var effective = InvokePrivateStatic("GetEffectiveSearchTerm", bound, raw);
+
+ Assert.Equal("Love & Hyperbole", effective);
+ }
+
+ [Fact]
+ public void GetEffectiveSearchTerm_UsesBoundWhenRecoveredIsMissing()
+ {
+ var bound = "Love & Hyperbole";
+ var raw = "?Recursive=true&IncludeItemTypes=MusicAlbum";
+ var effective = InvokePrivateStatic("GetEffectiveSearchTerm", bound, raw);
+
+ Assert.Equal("Love & Hyperbole", effective);
+ }
+
+ private static T InvokePrivateStatic(string methodName, params object?[] args)
+ {
+ var method = typeof(JellyfinController).GetMethod(
+ methodName,
+ BindingFlags.NonPublic | BindingFlags.Static);
+
+ Assert.NotNull(method);
+ var result = method!.Invoke(null, args);
+ return (T)result!;
+ }
+}
diff --git a/allstarr.Tests/OutboundRequestGuardTests.cs b/allstarr.Tests/OutboundRequestGuardTests.cs
new file mode 100644
index 0000000..756b357
--- /dev/null
+++ b/allstarr.Tests/OutboundRequestGuardTests.cs
@@ -0,0 +1,64 @@
+using allstarr.Services.Common;
+
+namespace allstarr.Tests;
+
+public class OutboundRequestGuardTests
+{
+ [Fact]
+ public void TryCreateSafeHttpUri_WithPublicHttpsUrl_AllowsRequest()
+ {
+ var allowed = OutboundRequestGuard.TryCreateSafeHttpUri(
+ "https://example.com/cover.jpg",
+ out var uri,
+ out var reason);
+
+ Assert.True(allowed);
+ Assert.NotNull(uri);
+ Assert.Equal("https://example.com/cover.jpg", uri!.ToString());
+ Assert.Equal(string.Empty, reason);
+ }
+
+ [Theory]
+ [InlineData("http://localhost/test")]
+ [InlineData("http://127.0.0.1/test")]
+ [InlineData("http://10.0.0.5/album.png")]
+ [InlineData("http://192.168.1.10/album.png")]
+ [InlineData("http://100.64.0.25/path")]
+ [InlineData("http://[::1]/image")]
+ [InlineData("http://[fd00::1]/image")]
+ public void TryCreateSafeHttpUri_WithLocalOrPrivateHost_BlocksRequest(string rawUrl)
+ {
+ var allowed = OutboundRequestGuard.TryCreateSafeHttpUri(rawUrl, out var uri, out var reason);
+
+ Assert.False(allowed);
+ Assert.Null(uri);
+ Assert.NotEmpty(reason);
+ }
+
+ [Theory]
+ [InlineData("ftp://example.com/file")]
+ [InlineData("file:///etc/passwd")]
+ [InlineData("javascript:alert(1)")]
+ [InlineData("/relative/path")]
+ public void TryCreateSafeHttpUri_WithInvalidSchemeOrRelativeUrl_BlocksRequest(string rawUrl)
+ {
+ var allowed = OutboundRequestGuard.TryCreateSafeHttpUri(rawUrl, out var uri, out var reason);
+
+ Assert.False(allowed);
+ Assert.Null(uri);
+ Assert.NotEmpty(reason);
+ }
+
+ [Fact]
+ public void TryCreateSafeHttpUri_WithUserInfo_BlocksRequest()
+ {
+ var allowed = OutboundRequestGuard.TryCreateSafeHttpUri(
+ "https://user:pass@example.com/image.jpg",
+ out var uri,
+ out var reason);
+
+ Assert.False(allowed);
+ Assert.Null(uri);
+ Assert.Contains("Userinfo", reason, StringComparison.OrdinalIgnoreCase);
+ }
+}
diff --git a/allstarr.Tests/PlaybackSessionTests.cs b/allstarr.Tests/PlaybackSessionTests.cs
new file mode 100644
index 0000000..7daf493
--- /dev/null
+++ b/allstarr.Tests/PlaybackSessionTests.cs
@@ -0,0 +1,64 @@
+using allstarr.Models.Scrobbling;
+using Xunit;
+
+namespace allstarr.Tests;
+
+public class PlaybackSessionTests
+{
+ [Fact]
+ public void ShouldScrobble_ExternalTrackStartedFromBeginning_ScrobblesWhenThresholdMet()
+ {
+ var session = CreateSession(isExternal: true, startPositionSeconds: 0, durationSeconds: 300, playedSeconds: 240);
+
+ Assert.True(session.ShouldScrobble());
+ }
+
+ [Fact]
+ public void ShouldScrobble_ExternalTrackResumedMidTrack_DoesNotScrobble()
+ {
+ var session = CreateSession(isExternal: true, startPositionSeconds: 90, durationSeconds: 300, playedSeconds: 240);
+
+ Assert.False(session.ShouldScrobble());
+ }
+
+ [Fact]
+ public void ShouldScrobble_ExternalTrackAtToleranceBoundary_Scrobbles()
+ {
+ var session = CreateSession(isExternal: true, startPositionSeconds: 5, durationSeconds: 240, playedSeconds: 120);
+
+ Assert.True(session.ShouldScrobble());
+ }
+
+ [Fact]
+ public void ShouldScrobble_LocalTrackIgnoresStartPosition_ScrobblesWhenThresholdMet()
+ {
+ var session = CreateSession(isExternal: false, startPositionSeconds: 120, durationSeconds: 300, playedSeconds: 150);
+
+ Assert.True(session.ShouldScrobble());
+ }
+
+ private static PlaybackSession CreateSession(
+ bool isExternal,
+ int startPositionSeconds,
+ int durationSeconds,
+ int playedSeconds)
+ {
+ return new PlaybackSession
+ {
+ SessionId = "session-1",
+ DeviceId = "device-1",
+ StartTime = DateTime.UtcNow,
+ LastActivity = DateTime.UtcNow,
+ LastPositionSeconds = playedSeconds,
+ Track = new ScrobbleTrack
+ {
+ Title = "Track",
+ Artist = "Artist",
+ DurationSeconds = durationSeconds,
+ Timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
+ IsExternal = isExternal,
+ StartPositionSeconds = startPositionSeconds
+ }
+ };
+ }
+}
diff --git a/allstarr.Tests/PlaylistTrackStatusResolverTests.cs b/allstarr.Tests/PlaylistTrackStatusResolverTests.cs
new file mode 100644
index 0000000..3208d6a
--- /dev/null
+++ b/allstarr.Tests/PlaylistTrackStatusResolverTests.cs
@@ -0,0 +1,107 @@
+using allstarr.Models.Domain;
+using allstarr.Models.Spotify;
+using allstarr.Services.Admin;
+
+namespace allstarr.Tests;
+
+public class PlaylistTrackStatusResolverTests
+{
+ [Fact]
+ public void TryResolveFromMatchedTrack_LocalMatch_ReturnsLocal()
+ {
+ var matchedBySpotifyId = new Dictionary(StringComparer.OrdinalIgnoreCase)
+ {
+ ["1UNWD6R5EOFklUHKZZvww2"] = new MatchedTrack
+ {
+ SpotifyId = "1UNWD6R5EOFklUHKZZvww2",
+ MatchedSong = new Song
+ {
+ IsLocal = true
+ }
+ }
+ };
+
+ var resolved = PlaylistTrackStatusResolver.TryResolveFromMatchedTrack(
+ matchedBySpotifyId,
+ "1UNWD6R5EOFklUHKZZvww2",
+ out var isLocal,
+ out var externalProvider);
+
+ Assert.True(resolved);
+ Assert.True(isLocal);
+ Assert.Null(externalProvider);
+ }
+
+ [Fact]
+ public void TryResolveFromMatchedTrack_ExternalMatch_ReturnsProvider()
+ {
+ var matchedBySpotifyId = new Dictionary(StringComparer.OrdinalIgnoreCase)
+ {
+ ["6zSpb8dQRaw0M1dK8PBwQz"] = new MatchedTrack
+ {
+ SpotifyId = "6zSpb8dQRaw0M1dK8PBwQz",
+ MatchedSong = new Song
+ {
+ IsLocal = false,
+ ExternalProvider = "squidwtf"
+ }
+ }
+ };
+
+ var resolved = PlaylistTrackStatusResolver.TryResolveFromMatchedTrack(
+ matchedBySpotifyId,
+ "6zspb8dqraw0m1dk8pbwqz",
+ out var isLocal,
+ out var externalProvider);
+
+ Assert.True(resolved);
+ Assert.False(isLocal);
+ Assert.Equal("squidwtf", externalProvider);
+ }
+
+ [Fact]
+ public void TryResolveFromMatchedTrack_NoMatch_ReturnsFalse()
+ {
+ var matchedBySpotifyId = new Dictionary(StringComparer.OrdinalIgnoreCase)
+ {
+ ["abc"] = new MatchedTrack
+ {
+ SpotifyId = "abc",
+ MatchedSong = new Song { IsLocal = true }
+ }
+ };
+
+ var resolved = PlaylistTrackStatusResolver.TryResolveFromMatchedTrack(
+ matchedBySpotifyId,
+ "def",
+ out var isLocal,
+ out var externalProvider);
+
+ Assert.False(resolved);
+ Assert.Null(isLocal);
+ Assert.Null(externalProvider);
+ }
+
+ [Fact]
+ public void TryResolveFromMatchedTrack_NullMatchedSong_ReturnsFalse()
+ {
+ var matchedBySpotifyId = new Dictionary(StringComparer.OrdinalIgnoreCase)
+ {
+ ["abc"] = new MatchedTrack
+ {
+ SpotifyId = "abc",
+ MatchedSong = null!
+ }
+ };
+
+ var resolved = PlaylistTrackStatusResolver.TryResolveFromMatchedTrack(
+ matchedBySpotifyId,
+ "abc",
+ out var isLocal,
+ out var externalProvider);
+
+ Assert.False(resolved);
+ Assert.Null(isLocal);
+ Assert.Null(externalProvider);
+ }
+}
diff --git a/allstarr.Tests/ProviderIdsEnricherTests.cs b/allstarr.Tests/ProviderIdsEnricherTests.cs
new file mode 100644
index 0000000..b4c497d
--- /dev/null
+++ b/allstarr.Tests/ProviderIdsEnricherTests.cs
@@ -0,0 +1,58 @@
+using System.Text.Json;
+using allstarr.Services.Common;
+
+namespace allstarr.Tests;
+
+public class ProviderIdsEnricherTests
+{
+ [Fact]
+ public void EnsureSpotifyProviderIds_WhenProviderIdsMissing_AddsSpotifyKeys()
+ {
+ var item = new Dictionary
+ {
+ ["Name"] = "As the World Caves In",
+ ["ProviderIds"] = null
+ };
+
+ ProviderIdsEnricher.EnsureSpotifyProviderIds(item, "2xXNLutYAOELYVObYb1C1S", "album-123");
+
+ var providerIds = Assert.IsType>(item["ProviderIds"]);
+ Assert.Equal("2xXNLutYAOELYVObYb1C1S", providerIds["Spotify"]);
+ Assert.Equal("album-123", providerIds["SpotifyAlbum"]);
+ }
+
+ [Fact]
+ public void EnsureSpotifyProviderIds_WhenProviderIdsJsonElement_PreservesAndAdds()
+ {
+ using var doc = JsonDocument.Parse("""{"Jellyfin":"cde0216ad42ece9b66e2626a744e8283"}""");
+ var item = new Dictionary
+ {
+ ["ProviderIds"] = doc.RootElement.Clone()
+ };
+
+ ProviderIdsEnricher.EnsureSpotifyProviderIds(item, "2xXNLutYAOELYVObYb1C1S", null);
+
+ var providerIds = Assert.IsType>(item["ProviderIds"]);
+ Assert.Equal("cde0216ad42ece9b66e2626a744e8283", providerIds["Jellyfin"]);
+ Assert.Equal("2xXNLutYAOELYVObYb1C1S", providerIds["Spotify"]);
+ }
+
+ [Fact]
+ public void EnsureSpotifyProviderIds_WhenSpotifyAlreadyExists_DoesNotOverwrite()
+ {
+ var providerIds = new Dictionary(StringComparer.OrdinalIgnoreCase)
+ {
+ ["Spotify"] = "existing-spid"
+ };
+ var item = new Dictionary
+ {
+ ["ProviderIds"] = providerIds
+ };
+
+ ProviderIdsEnricher.EnsureSpotifyProviderIds(item, "new-spid", "album-1");
+
+ var normalized = Assert.IsType>(item["ProviderIds"]);
+ Assert.Equal("existing-spid", normalized["Spotify"]);
+ Assert.Equal("album-1", normalized["SpotifyAlbum"]);
+ }
+}
diff --git a/allstarr.Tests/RetryHelperTests.cs b/allstarr.Tests/RetryHelperTests.cs
new file mode 100644
index 0000000..2d47746
--- /dev/null
+++ b/allstarr.Tests/RetryHelperTests.cs
@@ -0,0 +1,64 @@
+using System.Net;
+using allstarr.Services.Common;
+using Microsoft.Extensions.Logging.Abstractions;
+using Xunit;
+
+namespace allstarr.Tests;
+
+public class RetryHelperTests
+{
+ [Fact]
+ public async Task RetryWithBackoffAsync_ShouldRetryOn503AndSucceed()
+ {
+ var attempts = 0;
+
+ var result = await RetryHelper.RetryWithBackoffAsync(async () =>
+ {
+ attempts++;
+ await Task.Yield();
+
+ if (attempts < 3)
+ {
+ throw new HttpRequestException("temporary", null, HttpStatusCode.ServiceUnavailable);
+ }
+
+ return "ok";
+ }, NullLogger.Instance, maxRetries: 4, initialDelayMs: 1);
+
+ Assert.Equal("ok", result);
+ Assert.Equal(3, attempts);
+ }
+
+ [Fact]
+ public async Task RetryWithBackoffAsync_ShouldRetryOn429ThenThrowAfterMaxRetries()
+ {
+ var attempts = 0;
+
+ var ex = await Assert.ThrowsAsync(async () =>
+ await RetryHelper.RetryWithBackoffAsync(async () =>
+ {
+ attempts++;
+ await Task.Yield();
+ throw new HttpRequestException("rate limited", null, HttpStatusCode.TooManyRequests);
+ }, NullLogger.Instance, maxRetries: 3, initialDelayMs: 1));
+
+ Assert.Equal(HttpStatusCode.TooManyRequests, ex.StatusCode);
+ Assert.Equal(3, attempts);
+ }
+
+ [Fact]
+ public async Task RetryWithBackoffAsync_ShouldNotRetryOnNonHttpRequestException()
+ {
+ var attempts = 0;
+
+ await Assert.ThrowsAsync(async () =>
+ await RetryHelper.RetryWithBackoffAsync(async () =>
+ {
+ attempts++;
+ await Task.Yield();
+ throw new InvalidOperationException("fatal");
+ }, NullLogger.Instance, maxRetries: 3, initialDelayMs: 1));
+
+ Assert.Equal(1, attempts);
+ }
+}
diff --git a/allstarr.Tests/ScrobblingAdminControllerTests.cs b/allstarr.Tests/ScrobblingAdminControllerTests.cs
index 51592d5..53c4f5b 100644
--- a/allstarr.Tests/ScrobblingAdminControllerTests.cs
+++ b/allstarr.Tests/ScrobblingAdminControllerTests.cs
@@ -1,69 +1,32 @@
-using Xunit;
-using Moq;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
-using Microsoft.Extensions.Configuration;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using System.Text.Json;
using allstarr.Controllers;
using allstarr.Models.Settings;
using allstarr.Services.Admin;
-using System.Net;
-using System.Net.Http;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Moq;
+using Xunit;
namespace allstarr.Tests;
public class ScrobblingAdminControllerTests
{
- private readonly Mock> _mockSettings;
- private readonly Mock _mockConfiguration;
- private readonly Mock> _mockLogger;
- private readonly Mock _mockHttpClientFactory;
- private readonly ScrobblingAdminController _controller;
-
- public ScrobblingAdminControllerTests()
- {
- _mockSettings = new Mock>();
- _mockConfiguration = new Mock();
- _mockLogger = new Mock>();
- _mockHttpClientFactory = new Mock();
-
- var settings = new ScrobblingSettings
- {
- Enabled = true,
- LastFm = new LastFmSettings
- {
- Enabled = true,
- ApiKey = "cb3bdcd415fcb40cd572b137b2b255f5",
- SharedSecret = "3a08f9fad6ddc4c35b0dce0062cecb5e",
- SessionKey = "",
- Username = null,
- Password = null
- }
- };
-
- _mockSettings.Setup(s => s.Value).Returns(settings);
-
- _controller = new ScrobblingAdminController(
- _mockSettings.Object,
- _mockConfiguration.Object,
- _mockHttpClientFactory.Object,
- _mockLogger.Object,
- null! // AdminHelperService not needed for these tests
- );
- }
-
[Fact]
- public void GetStatus_ReturnsCorrectConfiguration()
+ public void GetStatus_ReturnsOk()
{
- // Act
- var result = _controller.GetStatus() as OkObjectResult;
+ var controller = CreateController(
+ CreateSettings(username: null, password: null),
+ new HttpResponseMessage(HttpStatusCode.OK));
- // Assert
- Assert.NotNull(result);
- Assert.Equal(200, result.StatusCode);
-
- dynamic? status = result.Value;
- Assert.NotNull(status);
+ var result = controller.GetStatus();
+ Assert.IsType(result);
}
[Theory]
@@ -73,119 +36,176 @@ public class ScrobblingAdminControllerTests
[InlineData("username", null)]
public async Task AuthenticateLastFm_MissingCredentials_ReturnsBadRequest(string? username, string? password)
{
- // Arrange - set credentials in settings
- var settings = new ScrobblingSettings
+ var controller = CreateController(
+ CreateSettings(username, password),
+ new HttpResponseMessage(HttpStatusCode.OK));
+
+ var result = await controller.AuthenticateLastFm();
+ var badRequest = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status400BadRequest, badRequest.StatusCode);
+ }
+
+ [Fact]
+ public async Task AuthenticateLastFm_WhenSessionSaveFails_DoesNotExposeSessionKey()
+ {
+ var sessionKey = "super-secret-session-key";
+ var successXml = $"testuser{sessionKey}";
+
+ var controller = CreateController(
+ CreateSettings("testuser", "password123"),
+ new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new StringContent(successXml, Encoding.UTF8, "application/xml")
+ },
+ adminHelper: null);
+
+ var result = await controller.AuthenticateLastFm();
+ var serverError = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status500InternalServerError, serverError.StatusCode);
+
+ var payload = JsonSerializer.Serialize(serverError.Value);
+ Assert.DoesNotContain("sessionKey", payload, StringComparison.OrdinalIgnoreCase);
+ Assert.DoesNotContain(sessionKey, payload, StringComparison.Ordinal);
+ }
+
+ [Fact]
+ public async Task AuthenticateLastFm_SuccessResponse_DoesNotIncludeSessionKey()
+ {
+ var tempRoot = Path.Combine(Path.GetTempPath(), "allstarr-tests", Guid.NewGuid().ToString("N"), "app");
+ Directory.CreateDirectory(tempRoot);
+
+ try
+ {
+ var successXml = "testusersecret-session-key";
+
+ var adminHelper = CreateAdminHelperService(tempRoot);
+ var controller = CreateController(
+ CreateSettings("testuser", "password123"),
+ new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new StringContent(successXml, Encoding.UTF8, "application/xml")
+ },
+ adminHelper);
+
+ var result = await controller.AuthenticateLastFm();
+ var ok = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status200OK, ok.StatusCode);
+
+ var payload = JsonSerializer.Serialize(ok.Value);
+ using var document = JsonDocument.Parse(payload);
+ Assert.False(document.RootElement.TryGetProperty("SessionKey", out _));
+ Assert.True(document.RootElement.GetProperty("Success").GetBoolean());
+ }
+ finally
+ {
+ var testRoot = Path.GetDirectoryName(tempRoot);
+ if (!string.IsNullOrEmpty(testRoot) && Directory.Exists(testRoot))
+ {
+ Directory.Delete(testRoot, recursive: true);
+ }
+ }
+ }
+
+ [Fact]
+ public async Task ValidateListenBrainzToken_WhenSaveFails_DoesNotExposeUserToken()
+ {
+ var userToken = "listenbrainz-secret-token";
+ var validResponse = "{\"valid\":true,\"user_name\":\"listener\"}";
+
+ var controller = CreateController(
+ CreateSettings("testuser", "password123"),
+ new HttpResponseMessage(HttpStatusCode.OK)
+ {
+ Content = new StringContent(validResponse, Encoding.UTF8, "application/json")
+ },
+ adminHelper: null);
+
+ var result = await controller.ValidateListenBrainzToken(
+ new ScrobblingAdminController.ValidateTokenRequest { UserToken = userToken });
+ var serverError = Assert.IsType(result);
+ Assert.Equal(StatusCodes.Status500InternalServerError, serverError.StatusCode);
+
+ var payload = JsonSerializer.Serialize(serverError.Value);
+ Assert.DoesNotContain("userToken", payload, StringComparison.OrdinalIgnoreCase);
+ Assert.DoesNotContain(userToken, payload, StringComparison.Ordinal);
+ }
+
+ private static ScrobblingSettings CreateSettings(string? username, string? password)
+ {
+ return new ScrobblingSettings
{
Enabled = true,
+ LocalTracksEnabled = false,
LastFm = new LastFmSettings
{
Enabled = true,
ApiKey = "cb3bdcd415fcb40cd572b137b2b255f5",
SharedSecret = "3a08f9fad6ddc4c35b0dce0062cecb5e",
- SessionKey = "",
+ SessionKey = string.Empty,
Username = username,
Password = password
+ },
+ ListenBrainz = new ListenBrainzSettings
+ {
+ Enabled = true,
+ UserToken = string.Empty
}
};
- _mockSettings.Setup(s => s.Value).Returns(settings);
-
- var controller = new ScrobblingAdminController(
- _mockSettings.Object,
- _mockConfiguration.Object,
- _mockHttpClientFactory.Object,
- _mockLogger.Object,
- null! // AdminHelperService not needed for this test
- );
-
- // Act
- var result = await controller.AuthenticateLastFm() as BadRequestObjectResult;
-
- // Assert
- Assert.NotNull(result);
- Assert.Equal(400, result.StatusCode);
}
- [Fact]
- public void DebugAuth_ValidCredentials_ReturnsDebugInfo()
+ private static AdminHelperService CreateAdminHelperService(string contentRootPath)
{
- // Arrange
- var request = new ScrobblingAdminController.AuthenticateRequest
- {
- Username = "testuser",
- Password = "testpass123"
- };
+ var helperLogger = new Mock>();
+ var webHostEnvironment = new Mock();
+ webHostEnvironment.SetupGet(e => e.EnvironmentName).Returns(Environments.Development);
+ webHostEnvironment.SetupGet(e => e.ContentRootPath).Returns(contentRootPath);
- // Act
- var result = _controller.DebugAuth(request) as OkObjectResult;
-
- // Assert
- Assert.NotNull(result);
- Assert.Equal(200, result.StatusCode);
-
- dynamic? debugInfo = result.Value;
- Assert.NotNull(debugInfo);
+ return new AdminHelperService(
+ helperLogger.Object,
+ Options.Create(new JellyfinSettings()),
+ webHostEnvironment.Object);
}
- [Theory]
- [InlineData("user!@#$%", "pass!@#$%")]
- [InlineData("user with spaces", "pass with spaces")]
- [InlineData("user\ttab", "pass\ttab")]
- [InlineData("user'quote", "pass\"doublequote")]
- [InlineData("user&ersand", "pass&ersand")]
- [InlineData("user*asterisk", "pass*asterisk")]
- [InlineData("user$dollar", "pass$dollar")]
- [InlineData("user(paren)", "pass)paren")]
- [InlineData("user[bracket]", "pass{bracket}")]
- public void DebugAuth_SpecialCharacters_HandlesCorrectly(string username, string password)
+ private static ScrobblingAdminController CreateController(
+ ScrobblingSettings settings,
+ HttpResponseMessage httpResponse,
+ AdminHelperService? adminHelper = null)
{
- // Arrange
- var request = new ScrobblingAdminController.AuthenticateRequest
- {
- Username = username,
- Password = password
- };
+ var mockSettings = new Mock>();
+ mockSettings.Setup(s => s.Value).Returns(settings);
- // Act
- var result = _controller.DebugAuth(request) as OkObjectResult;
+ var configuration = new ConfigurationBuilder()
+ .AddInMemoryCollection(new Dictionary())
+ .Build();
- // Assert
- Assert.NotNull(result);
- Assert.Equal(200, result.StatusCode);
- Assert.NotNull(result.Value);
-
- // Use reflection to access anonymous type properties
- var passwordLengthProp = result.Value.GetType().GetProperty("PasswordLength");
- Assert.NotNull(passwordLengthProp);
- var passwordLength = (int?)passwordLengthProp.GetValue(result.Value);
- Assert.Equal(password.Length, passwordLength);
+ var logger = new Mock>();
+ var httpClientFactory = new Mock();
+
+ var httpClient = new HttpClient(new StubHttpMessageHandler(httpResponse));
+ httpClientFactory.Setup(f => f.CreateClient(It.IsAny())).Returns(httpClient);
+
+ return new ScrobblingAdminController(
+ mockSettings.Object,
+ configuration,
+ httpClientFactory.Object,
+ logger.Object,
+ adminHelper!);
}
- [Theory]
- [InlineData("test!pass456")]
- [InlineData("p@ssw0rd!")]
- [InlineData("test&test")]
- [InlineData("my*password")]
- [InlineData("pass$word")]
- public void DebugAuth_PasswordsWithShellSpecialChars_CalculatesCorrectLength(string password)
+ private sealed class StubHttpMessageHandler : HttpMessageHandler
{
- // Arrange
- var request = new ScrobblingAdminController.AuthenticateRequest
+ private readonly HttpResponseMessage _response;
+
+ public StubHttpMessageHandler(HttpResponseMessage response)
{
- Username = "testuser",
- Password = password
- };
+ _response = response;
+ }
- // Act
- var result = _controller.DebugAuth(request) as OkObjectResult;
-
- // Assert
- Assert.NotNull(result);
- Assert.NotNull(result.Value);
-
- // Use reflection to access anonymous type properties
- var passwordLengthProp = result.Value.GetType().GetProperty("PasswordLength");
- Assert.NotNull(passwordLengthProp);
- var passwordLength = (int?)passwordLengthProp.GetValue(result.Value);
- Assert.Equal(password.Length, passwordLength);
+ protected override Task SendAsync(
+ HttpRequestMessage request,
+ CancellationToken cancellationToken)
+ {
+ return Task.FromResult(_response);
+ }
}
}
diff --git a/allstarr.Tests/ScrobblingOrchestratorTests.cs b/allstarr.Tests/ScrobblingOrchestratorTests.cs
new file mode 100644
index 0000000..fa35f51
--- /dev/null
+++ b/allstarr.Tests/ScrobblingOrchestratorTests.cs
@@ -0,0 +1,54 @@
+using allstarr.Models.Scrobbling;
+using allstarr.Models.Settings;
+using allstarr.Services.Scrobbling;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace allstarr.Tests;
+
+public class ScrobblingOrchestratorTests
+{
+ [Fact]
+ public async Task OnPlaybackStartAsync_DuplicateStartForSameTrack_SendsNowPlayingOnce()
+ {
+ var service = new Mock();
+ service.SetupGet(s => s.IsEnabled).Returns(true);
+ service.SetupGet(s => s.ServiceName).Returns("MockService");
+ service.Setup(s => s.UpdateNowPlayingAsync(It.IsAny(), It.IsAny()))
+ .ReturnsAsync(ScrobbleResult.CreateSuccess());
+
+ var orchestrator = CreateOrchestrator(service.Object);
+ var track = CreateTrack();
+
+ await orchestrator.OnPlaybackStartAsync("device-1", track);
+ await orchestrator.OnPlaybackStartAsync("device-1", track);
+
+ service.Verify(
+ s => s.UpdateNowPlayingAsync(It.IsAny(), It.IsAny()),
+ Times.Once);
+ }
+
+ private static ScrobblingOrchestrator CreateOrchestrator(IScrobblingService service)
+ {
+ var settings = Options.Create(new ScrobblingSettings
+ {
+ Enabled = true
+ });
+
+ var logger = Mock.Of>();
+ return new ScrobblingOrchestrator(new[] { service }, settings, logger);
+ }
+
+ private static ScrobbleTrack CreateTrack()
+ {
+ return new ScrobbleTrack
+ {
+ Title = "Sad Girl Summer",
+ Artist = "Maisie Peters",
+ DurationSeconds = 180,
+ IsExternal = true,
+ StartPositionSeconds = 0
+ };
+ }
+}
diff --git a/allstarr.Tests/SpotifyApiClientTests.cs b/allstarr.Tests/SpotifyApiClientTests.cs
index d9d5d3f..3454b93 100644
--- a/allstarr.Tests/SpotifyApiClientTests.cs
+++ b/allstarr.Tests/SpotifyApiClientTests.cs
@@ -4,6 +4,9 @@ using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using allstarr.Services.Spotify;
using allstarr.Models.Settings;
+using allstarr.Models.Spotify;
+using System.Reflection;
+using System.Text.Json;
namespace allstarr.Tests;
@@ -79,4 +82,86 @@ public class SpotifyApiClientTests
// Assert
Assert.NotNull(client);
}
+
+ [Fact]
+ public void ParseGraphQLPlaylist_ParsesCreatedAtFromAttributes()
+ {
+ // Arrange
+ var client = new SpotifyApiClient(_mockLogger.Object, _settings);
+ using var doc = JsonDocument.Parse("""
+ {
+ "name": "Discover Weekly",
+ "description": "Weekly picks",
+ "revisionId": "rev123",
+ "attributes": [
+ { "key": "core:created_at", "value": "1771218000000" }
+ ]
+ }
+ """);
+
+ // Act
+ var playlist = InvokePrivateMethod(client, "ParseGraphQLPlaylist", doc.RootElement, "37i9dQZEVXcJyaHDR0yDFT");
+
+ // Assert
+ Assert.NotNull(playlist);
+ Assert.Equal("Discover Weekly", playlist!.Name);
+ Assert.Equal(DateTimeOffset.FromUnixTimeMilliseconds(1771218000000).UtcDateTime, playlist.CreatedAt);
+ }
+
+ [Fact]
+ public void ParseGraphQLTrack_ParsesAddedAtIsoStringAsUtc()
+ {
+ // Arrange
+ var client = new SpotifyApiClient(_mockLogger.Object, _settings);
+ using var doc = JsonDocument.Parse("""
+ {
+ "addedAt": { "isoString": "2026-02-16T05:00:00Z" },
+ "itemV2": {
+ "data": {
+ "uri": "spotify:track:3a8mo25v74BMUOJ1IDUEBL",
+ "name": "Sample Track",
+ "artists": {
+ "items": [
+ {
+ "profile": { "name": "Sample Artist" },
+ "uri": "spotify:artist:123"
+ }
+ ]
+ },
+ "albumOfTrack": {
+ "name": "Sample Album",
+ "uri": "spotify:album:456",
+ "coverArt": {
+ "sources": [
+ { "url": "https://example.com/small.jpg", "width": 64 },
+ { "url": "https://example.com/large.jpg", "width": 640 }
+ ]
+ }
+ },
+ "trackDuration": { "totalMilliseconds": 201526 },
+ "contentRating": { "label": "NONE" },
+ "trackNumber": 1,
+ "discNumber": 1,
+ "playcount": "1200"
+ }
+ }
+ }
+ """);
+
+ // Act
+ var track = InvokePrivateMethod(client, "ParseGraphQLTrack", doc.RootElement, 0);
+
+ // Assert
+ Assert.NotNull(track);
+ Assert.Equal("3a8mo25v74BMUOJ1IDUEBL", track!.SpotifyId);
+ Assert.Equal(new DateTime(2026, 2, 16, 5, 0, 0, DateTimeKind.Utc), track.AddedAt);
+ }
+
+ private static T InvokePrivateMethod(object instance, string methodName, params object?[] args)
+ {
+ var method = instance.GetType().GetMethod(methodName, BindingFlags.Instance | BindingFlags.NonPublic);
+ Assert.NotNull(method);
+ var result = method!.Invoke(instance, args);
+ return (T)result!;
+ }
}
diff --git a/allstarr.Tests/SquidWTFMetadataServiceTests.cs b/allstarr.Tests/SquidWTFMetadataServiceTests.cs
index 38003c1..5ac4271 100644
--- a/allstarr.Tests/SquidWTFMetadataServiceTests.cs
+++ b/allstarr.Tests/SquidWTFMetadataServiceTests.cs
@@ -4,8 +4,11 @@ using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using allstarr.Services.SquidWTF;
using allstarr.Services.Common;
+using allstarr.Models.Domain;
using allstarr.Models.Settings;
using System.Collections.Generic;
+using System.Reflection;
+using System.Text.Json;
namespace allstarr.Tests;
@@ -22,29 +25,29 @@ public class SquidWTFMetadataServiceTests
{
_mockLogger = new Mock>();
_mockHttpClientFactory = new Mock();
-
+
_subsonicSettings = Options.Create(new SubsonicSettings
{
ExplicitFilter = ExplicitFilter.All
});
-
+
_squidwtfSettings = Options.Create(new SquidWTFSettings
{
Quality = "FLAC"
});
-
+
// Create mock Redis cache
var mockRedisLogger = new Mock>();
var mockRedisSettings = Options.Create(new RedisSettings { Enabled = false });
_mockCache = new Mock(mockRedisSettings, mockRedisLogger.Object);
-
- _apiUrls = new List
- {
+
+ _apiUrls = new List
+ {
"https://test1.example.com",
"https://test2.example.com",
"https://test3.example.com"
};
-
+
var httpClient = new System.Net.Http.HttpClient();
_mockHttpClientFactory.Setup(f => f.CreateClient(It.IsAny())).Returns(httpClient);
}
@@ -339,4 +342,223 @@ public class SquidWTFMetadataServiceTests
// Assert
Assert.NotNull(service);
}
+
+ [Fact]
+ public void BuildSearchQueryVariants_WithAmpersand_AddsAndVariant()
+ {
+ var variants = InvokePrivateStaticMethod>(
+ typeof(SquidWTFMetadataService),
+ "BuildSearchQueryVariants",
+ "love & hyperbole");
+
+ Assert.Equal(2, variants.Count);
+ Assert.Contains("love & hyperbole", variants);
+ Assert.Contains("love and hyperbole", variants);
+ }
+
+ [Fact]
+ public void BuildSearchQueryVariants_WithoutAmpersand_KeepsOriginalOnly()
+ {
+ var variants = InvokePrivateStaticMethod>(
+ typeof(SquidWTFMetadataService),
+ "BuildSearchQueryVariants",
+ "love and hyperbole");
+
+ Assert.Single(variants);
+ Assert.Equal("love and hyperbole", variants[0]);
+ }
+
+ [Fact]
+ public void ParseTidalTrack_MapsFieldsUsedByJellyfinAndTagWriter()
+ {
+ // Arrange
+ var service = new SquidWTFMetadataService(
+ _mockHttpClientFactory.Object,
+ _subsonicSettings,
+ _squidwtfSettings,
+ _mockLogger.Object,
+ _mockCache.Object,
+ _apiUrls);
+
+ using var doc = JsonDocument.Parse("""
+ {
+ "id": 452455962,
+ "title": "Stuck Up",
+ "version": "Live",
+ "duration": 151,
+ "trackNumber": 1,
+ "volumeNumber": 1,
+ "explicit": true,
+ "bpm": 130,
+ "isrc": "USUG12504959",
+ "streamStartDate": "2025-08-08T00:00:00.000+0000",
+ "copyright": "℗ 2025 Golden Angel LLC, under exclusive license to Interscope Records.",
+ "artists": [
+ { "id": 9321197, "name": "Amaarae" },
+ { "id": 30396, "name": "Black Star" }
+ ],
+ "album": {
+ "id": 452455961,
+ "title": "BLACK STAR",
+ "cover": "87f0be2b-dd7e-42d4-b438-f8f161d29674",
+ "numberOfTracks": 13,
+ "releaseDate": "2025-08-08",
+ "artist": { "id": 9321197, "name": "Amaarae" }
+ }
+ }
+ """);
+
+ // Act
+ var song = InvokePrivateMethod(service, "ParseTidalTrack", doc.RootElement, null);
+
+ // Assert
+ Assert.Equal("ext-squidwtf-song-452455962", song.Id);
+ Assert.Equal("Stuck Up (Live)", song.Title);
+ Assert.Equal("Amaarae", song.Artist);
+ Assert.Equal("Amaarae", song.AlbumArtist);
+ Assert.Equal("USUG12504959", song.Isrc);
+ Assert.Equal(130, song.Bpm);
+ Assert.Equal("2025-08-08", song.ReleaseDate);
+ Assert.Equal(2025, song.Year);
+ Assert.Equal(13, song.TotalTracks);
+ Assert.Equal("℗ 2025 Golden Angel LLC, under exclusive license to Interscope Records.", song.Copyright);
+ Assert.Equal("Black Star", Assert.Single(song.Contributors));
+ Assert.Contains("/87f0be2b/dd7e/42d4/b438/f8f161d29674/320x320.jpg", song.CoverArtUrl);
+ Assert.Contains("/87f0be2b/dd7e/42d4/b438/f8f161d29674/1280x1280.jpg", song.CoverArtUrlLarge);
+ }
+
+ [Fact]
+ public void ParseTidalTrackFull_MapsCopyrightToCopyrightField()
+ {
+ // Arrange
+ var service = new SquidWTFMetadataService(
+ _mockHttpClientFactory.Object,
+ _subsonicSettings,
+ _squidwtfSettings,
+ _mockLogger.Object,
+ _mockCache.Object,
+ _apiUrls);
+
+ using var doc = JsonDocument.Parse("""
+ {
+ "id": 987654,
+ "title": "Night Walk",
+ "duration": 200,
+ "trackNumber": 7,
+ "volumeNumber": 1,
+ "streamStartDate": "2024-02-01T00:00:00.000+0000",
+ "copyright": "℗ 2024 Example Label",
+ "artist": { "id": 111, "name": "Main Artist" },
+ "album": {
+ "id": 222,
+ "title": "Moonlight",
+ "cover": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+ }
+ }
+ """);
+
+ // Act
+ var song = InvokePrivateMethod(service, "ParseTidalTrackFull", doc.RootElement);
+
+ // Assert
+ Assert.Equal("℗ 2024 Example Label", song.Copyright);
+ Assert.Null(song.Label);
+ Assert.Equal(2024, song.Year);
+ }
+
+ [Fact]
+ public void ParseTidalPlaylist_UsesPromotedArtistsAndFallbackMetadata()
+ {
+ // Arrange
+ var service = new SquidWTFMetadataService(
+ _mockHttpClientFactory.Object,
+ _subsonicSettings,
+ _squidwtfSettings,
+ _mockLogger.Object,
+ _mockCache.Object,
+ _apiUrls);
+
+ using var doc = JsonDocument.Parse("""
+ {
+ "uuid": "b55ffed4-ab60-4da5-9faf-e54a45de4f9c",
+ "title": "Guest Verses: BIG30",
+ "description": "Remixes and guest verses",
+ "creator": { "id": 0 },
+ "promotedArtists": [
+ { "id": 19872911, "name": "BigWalkDog" }
+ ],
+ "lastUpdated": "2022-09-23T17:52:48.974+0000",
+ "image": "75ed74c0-58d8-4af7-a4c0-cbae0315dc34",
+ "numberOfTracks": 32,
+ "duration": 5466
+ }
+ """);
+
+ // Act
+ var playlist = InvokePrivateMethod(service, "ParseTidalPlaylist", doc.RootElement);
+
+ // Assert
+ Assert.Equal("BigWalkDog", playlist.CuratorName);
+ Assert.Equal(32, playlist.TrackCount);
+ Assert.Equal(5466, playlist.Duration);
+ Assert.True(playlist.CreatedDate.HasValue);
+ Assert.Equal(2022, playlist.CreatedDate!.Value.Year);
+ Assert.Contains("/75ed74c0/58d8/4af7/a4c0/cbae0315dc34/1080x1080.jpg", playlist.CoverUrl);
+ }
+
+ [Fact]
+ public void ParseTidalAlbum_AppendsVersionAndParsesYearFallback()
+ {
+ // Arrange
+ var service = new SquidWTFMetadataService(
+ _mockHttpClientFactory.Object,
+ _subsonicSettings,
+ _squidwtfSettings,
+ _mockLogger.Object,
+ _mockCache.Object,
+ _apiUrls);
+
+ using var doc = JsonDocument.Parse("""
+ {
+ "id": 579814,
+ "title": "Black Star",
+ "version": "Remastered",
+ "streamStartDate": "2002-06-04T00:00:00.000+0000",
+ "numberOfTracks": 13,
+ "cover": "49fcdc8b-2f43-43a9-b156-f2f83908f95f",
+ "artists": [
+ { "id": 30396, "name": "Black Star" }
+ ]
+ }
+ """);
+
+ // Act
+ var album = InvokePrivateMethod(service, "ParseTidalAlbum", doc.RootElement);
+
+ // Assert
+ Assert.Equal("Black Star (Remastered)", album.Title);
+ Assert.Equal(2002, album.Year);
+ Assert.Equal(13, album.SongCount);
+ Assert.Contains("/49fcdc8b/2f43/43a9/b156/f2f83908f95f/320x320.jpg", album.CoverArtUrl);
+ }
+
+ private static T InvokePrivateMethod(object target, string methodName, params object?[] parameters)
+ {
+ var method = target.GetType().GetMethod(methodName, BindingFlags.Instance | BindingFlags.NonPublic);
+ Assert.NotNull(method);
+
+ var result = method!.Invoke(target, parameters);
+ Assert.NotNull(result);
+ return (T)result!;
+ }
+
+ private static T InvokePrivateStaticMethod(Type targetType, string methodName, params object?[] parameters)
+ {
+ var method = targetType.GetMethod(methodName, BindingFlags.Static | BindingFlags.NonPublic);
+ Assert.NotNull(method);
+
+ var result = method!.Invoke(null, parameters);
+ Assert.NotNull(result);
+ return (T)result!;
+ }
}
diff --git a/allstarr.Tests/TrackParserBaseTests.cs b/allstarr.Tests/TrackParserBaseTests.cs
new file mode 100644
index 0000000..76359d8
--- /dev/null
+++ b/allstarr.Tests/TrackParserBaseTests.cs
@@ -0,0 +1,27 @@
+using allstarr.Services.Common;
+using Xunit;
+
+namespace allstarr.Tests;
+
+public class TrackParserBaseTests
+{
+ [Fact]
+ public void TrackParserBaseHelpers_ShouldBuildConsistentIdsAndYears()
+ {
+ Assert.Equal("ext-deezer-song-123", TrackParserProbe.SongId("deezer", "123"));
+ Assert.Equal("ext-qobuz-album-555", TrackParserProbe.AlbumId("qobuz", "555"));
+ Assert.Equal("ext-squidwtf-artist-77", TrackParserProbe.ArtistId("squidwtf", "77"));
+
+ Assert.Equal(2024, TrackParserProbe.Year("2024-11-03"));
+ Assert.Null(TrackParserProbe.Year(""));
+ Assert.Null(TrackParserProbe.Year("abc"));
+ }
+
+ private sealed class TrackParserProbe : TrackParserBase
+ {
+ public static string SongId(string provider, string externalId) => BuildExternalSongId(provider, externalId);
+ public static string AlbumId(string provider, string externalId) => BuildExternalAlbumId(provider, externalId);
+ public static string ArtistId(string provider, string externalId) => BuildExternalArtistId(provider, externalId);
+ public static int? Year(string? dateString) => ParseYearFromDateString(dateString);
+ }
+}
diff --git a/allstarr.Tests/VersionUpgradePolicyTests.cs b/allstarr.Tests/VersionUpgradePolicyTests.cs
new file mode 100644
index 0000000..4a67304
--- /dev/null
+++ b/allstarr.Tests/VersionUpgradePolicyTests.cs
@@ -0,0 +1,42 @@
+using allstarr.Services.Common;
+
+namespace allstarr.Tests;
+
+public class VersionUpgradePolicyTests
+{
+ [Fact]
+ public void ShouldTriggerRebuild_ReturnsTrue_ForMinorUpgrade()
+ {
+ var shouldRebuild = VersionUpgradePolicy.ShouldTriggerRebuild("1.1.0", "1.2.0", out var reason);
+
+ Assert.True(shouldRebuild);
+ Assert.Equal("minor version upgrade", reason);
+ }
+
+ [Fact]
+ public void ShouldTriggerRebuild_ReturnsTrue_ForMajorUpgrade()
+ {
+ var shouldRebuild = VersionUpgradePolicy.ShouldTriggerRebuild("1.9.3", "2.0.0", out var reason);
+
+ Assert.True(shouldRebuild);
+ Assert.Equal("major version upgrade", reason);
+ }
+
+ [Fact]
+ public void ShouldTriggerRebuild_ReturnsFalse_ForPatchUpgrade()
+ {
+ var shouldRebuild = VersionUpgradePolicy.ShouldTriggerRebuild("1.2.0", "1.2.1", out var reason);
+
+ Assert.False(shouldRebuild);
+ Assert.Equal("patch-only upgrade", reason);
+ }
+
+ [Fact]
+ public void ShouldTriggerRebuild_ReturnsFalse_ForDowngrade()
+ {
+ var shouldRebuild = VersionUpgradePolicy.ShouldTriggerRebuild("2.0.0", "1.9.9", out var reason);
+
+ Assert.False(shouldRebuild);
+ Assert.Equal("version is not an upgrade", reason);
+ }
+}
diff --git a/allstarr/AppVersion.cs b/allstarr/AppVersion.cs
index 5dc08d1..e0d7c68 100644
--- a/allstarr/AppVersion.cs
+++ b/allstarr/AppVersion.cs
@@ -9,5 +9,5 @@ public static class AppVersion
///
/// Current application version.
///
- public const string Version = "1.1.3";
+ public const string Version = "1.3.0";
}
diff --git a/allstarr/Controllers/AdminAuthController.cs b/allstarr/Controllers/AdminAuthController.cs
new file mode 100644
index 0000000..95b56d4
--- /dev/null
+++ b/allstarr/Controllers/AdminAuthController.cs
@@ -0,0 +1,206 @@
+using System.Text.Json;
+using System.Text;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+using allstarr.Filters;
+using allstarr.Models.Settings;
+using allstarr.Services.Admin;
+
+namespace allstarr.Controllers;
+
+[ApiController]
+[Route("api/admin/auth")]
+[ServiceFilter(typeof(AdminPortFilter))]
+public class AdminAuthController : ControllerBase
+{
+ private readonly JellyfinSettings _jellyfinSettings;
+ private readonly HttpClient _httpClient;
+ private readonly AdminAuthSessionService _sessionService;
+ private readonly ILogger _logger;
+
+ public AdminAuthController(
+ IOptions jellyfinSettings,
+ IHttpClientFactory httpClientFactory,
+ AdminAuthSessionService sessionService,
+ ILogger logger)
+ {
+ _jellyfinSettings = jellyfinSettings.Value;
+ _httpClient = httpClientFactory.CreateClient();
+ _sessionService = sessionService;
+ _logger = logger;
+ }
+
+ [HttpPost("login")]
+ public async Task Login([FromBody] LoginRequest request)
+ {
+ if (string.IsNullOrWhiteSpace(_jellyfinSettings.Url))
+ {
+ return StatusCode(500, new { error = "Jellyfin URL is not configured" });
+ }
+
+ var username = request.Username?.Trim();
+ if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(request.Password))
+ {
+ return BadRequest(new { error = "Username and password are required" });
+ }
+
+ var jellyfinAuthUrl = $"{_jellyfinSettings.Url.TrimEnd('/')}/Users/AuthenticateByName";
+ var deviceId = Guid.NewGuid().ToString("N");
+ var authHeader =
+ $"MediaBrowser Client=\"AllstarrAdmin\", Device=\"WebUI\", DeviceId=\"{deviceId}\", Version=\"1.0.0\"";
+
+ try
+ {
+ var loginJson = JsonSerializer.Serialize(new JellyfinAuthenticateRequest
+ {
+ Username = username,
+ Pw = request.Password
+ }, new JsonSerializerOptions
+ {
+ PropertyNamingPolicy = null
+ });
+
+ using var httpRequest = new HttpRequestMessage(HttpMethod.Post, jellyfinAuthUrl)
+ {
+ Content = new StringContent(loginJson, Encoding.UTF8, "application/json")
+ };
+ httpRequest.Headers.TryAddWithoutValidation("X-Emby-Authorization", authHeader);
+
+ using var response = await _httpClient.SendAsync(httpRequest);
+
+ if (!response.IsSuccessStatusCode)
+ {
+ if (response.StatusCode is System.Net.HttpStatusCode.Unauthorized or
+ System.Net.HttpStatusCode.Forbidden)
+ {
+ return Unauthorized(new { error = "Invalid Jellyfin credentials" });
+ }
+
+ if (response.StatusCode == System.Net.HttpStatusCode.ServiceUnavailable)
+ {
+ return StatusCode(503, new { error = "Jellyfin is temporarily unavailable" });
+ }
+
+ return StatusCode((int)response.StatusCode, new
+ {
+ error = "Failed to authenticate with Jellyfin"
+ });
+ }
+
+ using var authDoc = await JsonDocument.ParseAsync(await response.Content.ReadAsStreamAsync());
+ var root = authDoc.RootElement;
+
+ var accessToken = root.TryGetProperty("AccessToken", out var tokenProp) ? tokenProp.GetString() : null;
+ var serverId = root.TryGetProperty("ServerId", out var serverIdProp) ? serverIdProp.GetString() : null;
+ if (string.IsNullOrWhiteSpace(accessToken) ||
+ !root.TryGetProperty("User", out var userProp))
+ {
+ return StatusCode(502, new { error = "Jellyfin returned an invalid authentication response" });
+ }
+
+ var userId = userProp.TryGetProperty("Id", out var userIdProp) ? userIdProp.GetString() : null;
+ var userName = userProp.TryGetProperty("Name", out var userNameProp) ? userNameProp.GetString() : username;
+ var isAdministrator = userProp.TryGetProperty("Policy", out var policyProp) &&
+ policyProp.TryGetProperty("IsAdministrator", out var adminProp) &&
+ adminProp.ValueKind == JsonValueKind.True;
+
+ if (string.IsNullOrWhiteSpace(userId) || string.IsNullOrWhiteSpace(userName))
+ {
+ return StatusCode(502, new { error = "Jellyfin user details are missing in auth response" });
+ }
+
+ var session = _sessionService.CreateSession(
+ userId: userId,
+ userName: userName,
+ isAdministrator: isAdministrator,
+ jellyfinAccessToken: accessToken,
+ jellyfinServerId: serverId);
+
+ SetSessionCookie(session.SessionId, session.ExpiresAtUtc);
+
+ _logger.LogInformation("Admin WebUI login successful for Jellyfin user {UserName} ({UserId})",
+ session.UserName, session.UserId);
+
+ return Ok(new
+ {
+ authenticated = true,
+ user = new
+ {
+ id = session.UserId,
+ name = session.UserName,
+ isAdministrator = session.IsAdministrator
+ },
+ expiresAtUtc = session.ExpiresAtUtc
+ });
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError(ex, "Admin WebUI Jellyfin login failed");
+ return StatusCode(500, new { error = "Failed to authenticate with Jellyfin" });
+ }
+ }
+
+ [HttpGet("me")]
+ public IActionResult GetCurrentSession()
+ {
+ if (!Request.Cookies.TryGetValue(AdminAuthSessionService.SessionCookieName, out var sessionId) ||
+ !_sessionService.TryGetValidSession(sessionId, out var session))
+ {
+ Response.Cookies.Delete(AdminAuthSessionService.SessionCookieName);
+ return Ok(new { authenticated = false });
+ }
+
+ return Ok(new
+ {
+ authenticated = true,
+ user = new
+ {
+ id = session.UserId,
+ name = session.UserName,
+ isAdministrator = session.IsAdministrator
+ },
+ expiresAtUtc = session.ExpiresAtUtc
+ });
+ }
+
+ [HttpPost("logout")]
+ public IActionResult Logout()
+ {
+ if (Request.Cookies.TryGetValue(AdminAuthSessionService.SessionCookieName, out var sessionId))
+ {
+ _sessionService.RemoveSession(sessionId);
+ }
+
+ Response.Cookies.Delete(AdminAuthSessionService.SessionCookieName);
+ return Ok(new { success = true });
+ }
+
+ private void SetSessionCookie(string sessionId, DateTime expiresAtUtc)
+ {
+ var secure = Request.IsHttps ||
+ string.Equals(Request.Headers["X-Forwarded-Proto"], "https",
+ StringComparison.OrdinalIgnoreCase);
+
+ Response.Cookies.Append(AdminAuthSessionService.SessionCookieName, sessionId, new CookieOptions
+ {
+ HttpOnly = true,
+ Secure = secure,
+ SameSite = SameSiteMode.Strict,
+ Path = "/",
+ IsEssential = true,
+ Expires = expiresAtUtc
+ });
+ }
+
+ public class LoginRequest
+ {
+ public string? Username { get; set; }
+ public string? Password { get; set; }
+ }
+
+ private sealed class JellyfinAuthenticateRequest
+ {
+ public string? Username { get; init; }
+ public string? Pw { get; init; }
+ }
+}
diff --git a/allstarr/Controllers/ConfigController.cs b/allstarr/Controllers/ConfigController.cs
index be39fe7..a81d511 100644
--- a/allstarr/Controllers/ConfigController.cs
+++ b/allstarr/Controllers/ConfigController.cs
@@ -5,6 +5,7 @@ using allstarr.Models.Admin;
using allstarr.Filters;
using allstarr.Services.Admin;
using allstarr.Services.Common;
+using allstarr.Services.Spotify;
using System.Text.Json;
using System.Net.Sockets;
@@ -27,6 +28,7 @@ public class ConfigController : ControllerBase
private readonly SpotifyImportSettings _spotifyImportSettings;
private readonly ScrobblingSettings _scrobblingSettings;
private readonly AdminHelperService _helperService;
+ private readonly SpotifySessionCookieService _spotifySessionCookieService;
private readonly RedisCacheService _cache;
private const string CacheDirectory = "/app/cache/spotify";
@@ -43,6 +45,7 @@ public class ConfigController : ControllerBase
IOptions spotifyImportSettings,
IOptions scrobblingSettings,
AdminHelperService helperService,
+ SpotifySessionCookieService spotifySessionCookieService,
RedisCacheService cache)
{
_logger = logger;
@@ -57,38 +60,117 @@ public class ConfigController : ControllerBase
_spotifyImportSettings = spotifyImportSettings.Value;
_scrobblingSettings = scrobblingSettings.Value;
_helperService = helperService;
+ _spotifySessionCookieService = spotifySessionCookieService;
_cache = cache;
}
[HttpGet("config")]
public async Task GetConfig()
{
+ var envVars = await ReadEnvSettingsAsync();
+
+ var backendType = GetEnvString(
+ envVars,
+ "BACKEND_TYPE",
+ _configuration.GetValue("Backend:Type") ?? "Jellyfin");
+ var useJellyfinSettings = backendType.Equals("Jellyfin", StringComparison.OrdinalIgnoreCase);
+
+ var fallbackMusicService = useJellyfinSettings
+ ? _jellyfinSettings.MusicService.ToString()
+ : _subsonicSettings.MusicService.ToString();
+ var fallbackExplicitFilter = useJellyfinSettings
+ ? _jellyfinSettings.ExplicitFilter.ToString()
+ : _subsonicSettings.ExplicitFilter.ToString();
+ var fallbackEnableExternalPlaylists = useJellyfinSettings
+ ? _jellyfinSettings.EnableExternalPlaylists
+ : _subsonicSettings.EnableExternalPlaylists;
+ var fallbackPlaylistsDirectory = useJellyfinSettings
+ ? _jellyfinSettings.PlaylistsDirectory
+ : _subsonicSettings.PlaylistsDirectory;
+ var fallbackStorageMode = useJellyfinSettings
+ ? _jellyfinSettings.StorageMode.ToString()
+ : _subsonicSettings.StorageMode.ToString();
+ var fallbackCacheDurationHours = useJellyfinSettings
+ ? _jellyfinSettings.CacheDurationHours
+ : _subsonicSettings.CacheDurationHours;
+ var fallbackDownloadMode = useJellyfinSettings
+ ? _jellyfinSettings.DownloadMode.ToString()
+ : _subsonicSettings.DownloadMode.ToString();
+
+ var storageModeValue = GetEnvString(envVars, "STORAGE_MODE", fallbackStorageMode);
+ var isCacheStorageMode = storageModeValue.Equals(nameof(StorageMode.Cache), StringComparison.OrdinalIgnoreCase);
+
+ var libraryDownloadRoot = GetEnvString(
+ envVars,
+ "LIBRARY_DOWNLOAD_PATH",
+ GetEnvString(
+ envVars,
+ "Library__DownloadPath",
+ _configuration["Library:DownloadPath"] ?? "./downloads",
+ treatEmptyAsMissing: true),
+ treatEmptyAsMissing: true);
+ var libraryKeptPath = GetEnvString(
+ envVars,
+ "LIBRARY_KEPT_PATH",
+ Path.Combine(libraryDownloadRoot, "kept"),
+ treatEmptyAsMissing: true);
+
+ var envPlaylists = await _helperService.ReadPlaylistsFromEnvFileAsync();
+ var hasEnvPlaylistKey = envVars.ContainsKey("SPOTIFY_IMPORT_PLAYLISTS");
+ var effectivePlaylists = hasEnvPlaylistKey ? envPlaylists : _spotifyImportSettings.Playlists;
+ var sessionUserId = GetAuthenticatedUserId();
+ var cookieStatus = await _spotifySessionCookieService.GetCookieStatusAsync(sessionUserId);
+ var effectiveSessionCookie = await _spotifySessionCookieService.ResolveSessionCookieAsync(sessionUserId);
+ var userCookieSetDate = !string.IsNullOrWhiteSpace(sessionUserId)
+ ? await _spotifySessionCookieService.GetCookieSetDateAsync(sessionUserId)
+ : null;
+ var effectiveCookieSetDate = userCookieSetDate?.ToString("o");
+
+ if (string.IsNullOrWhiteSpace(effectiveCookieSetDate) && cookieStatus.UsingGlobalFallback)
+ {
+ effectiveCookieSetDate = GetEnvString(
+ envVars,
+ "SPOTIFY_API_SESSION_COOKIE_SET_DATE",
+ _spotifyApiSettings.SessionCookieSetDate ?? string.Empty);
+ }
+
return Ok(new
{
- backendType = _configuration.GetValue("Backend:Type") ?? "Jellyfin",
- musicService = _configuration.GetValue("MusicService") ?? "SquidWTF",
- explicitFilter = _configuration.GetValue("ExplicitFilter") ?? "All",
- enableExternalPlaylists = _configuration.GetValue("EnableExternalPlaylists", false),
- playlistsDirectory = _configuration.GetValue("PlaylistsDirectory") ?? "(not set)",
- redisEnabled = _configuration.GetValue("Redis:Enabled", false),
+ backendType,
+ musicService = GetEnvString(envVars, "MUSIC_SERVICE", fallbackMusicService),
+ explicitFilter = GetEnvString(envVars, "EXPLICIT_FILTER", fallbackExplicitFilter),
+ enableExternalPlaylists = GetEnvBool(envVars, "ENABLE_EXTERNAL_PLAYLISTS", fallbackEnableExternalPlaylists),
+ playlistsDirectory = GetEnvString(envVars, "PLAYLISTS_DIRECTORY", fallbackPlaylistsDirectory),
+ redisEnabled = GetEnvBool(envVars, "REDIS_ENABLED", _configuration.GetValue("Redis:Enabled", false)),
debug = new
{
- logAllRequests = _configuration.GetValue("Debug:LogAllRequests", false)
+ logAllRequests = GetEnvBool(envVars, "DEBUG_LOG_ALL_REQUESTS", _configuration.GetValue("Debug:LogAllRequests", false)),
+ redactSensitiveRequestValues = GetEnvBool(
+ envVars,
+ "DEBUG_REDACT_SENSITIVE_REQUEST_VALUES",
+ _configuration.GetValue("Debug:RedactSensitiveRequestValues", false))
+ },
+ admin = new
+ {
+ bindAnyIp = GetEnvBool(envVars, "ADMIN_BIND_ANY_IP", AdminNetworkBindingPolicy.ShouldBindAdminAnyIp(_configuration)),
+ trustedSubnets = GetEnvString(envVars, "ADMIN_TRUSTED_SUBNETS", _configuration.GetValue("Admin:TrustedSubnets") ?? string.Empty),
+ allowEnvExport = IsEnvExportEnabled()
},
spotifyApi = new
{
- enabled = _spotifyApiSettings.Enabled,
- sessionCookie = AdminHelperService.MaskValue(_spotifyApiSettings.SessionCookie, showLast: 8),
- sessionCookieSetDate = _spotifyApiSettings.SessionCookieSetDate,
- cacheDurationMinutes = _spotifyApiSettings.CacheDurationMinutes,
+ enabled = GetEnvBool(envVars, "SPOTIFY_API_ENABLED", _spotifyApiSettings.Enabled),
+ sessionCookie = AdminHelperService.MaskValue(effectiveSessionCookie, showLast: 8),
+ sessionCookieSetDate = effectiveCookieSetDate ?? string.Empty,
+ usingGlobalFallback = cookieStatus.UsingGlobalFallback,
+ cacheDurationMinutes = GetEnvInt(envVars, "SPOTIFY_API_CACHE_DURATION_MINUTES", _spotifyApiSettings.CacheDurationMinutes),
rateLimitDelayMs = _spotifyApiSettings.RateLimitDelayMs,
- preferIsrcMatching = _spotifyApiSettings.PreferIsrcMatching
+ preferIsrcMatching = GetEnvBool(envVars, "SPOTIFY_API_PREFER_ISRC_MATCHING", _spotifyApiSettings.PreferIsrcMatching)
},
spotifyImport = new
{
- enabled = _spotifyImportSettings.Enabled,
- matchingIntervalHours = _spotifyImportSettings.MatchingIntervalHours,
- playlists = _spotifyImportSettings.Playlists.Select(p => new
+ enabled = GetEnvBool(envVars, "SPOTIFY_IMPORT_ENABLED", _spotifyImportSettings.Enabled),
+ matchingIntervalHours = GetEnvInt(envVars, "SPOTIFY_IMPORT_MATCHING_INTERVAL_HOURS", _spotifyImportSettings.MatchingIntervalHours),
+ playlists = effectivePlaylists.Select(p => new
{
name = p.Name,
id = p.Id,
@@ -97,49 +179,152 @@ public class ConfigController : ControllerBase
},
jellyfin = new
{
- url = _jellyfinSettings.Url,
- apiKey = AdminHelperService.MaskValue(_jellyfinSettings.ApiKey),
- userId = _jellyfinSettings.UserId ?? "(not set)",
- libraryId = _jellyfinSettings.LibraryId
+ url = GetEnvString(envVars, "JELLYFIN_URL", _jellyfinSettings.Url ?? string.Empty),
+ apiKey = AdminHelperService.MaskValue(GetEnvString(envVars, "JELLYFIN_API_KEY", _jellyfinSettings.ApiKey ?? string.Empty)),
+ userId = GetEnvString(envVars, "JELLYFIN_USER_ID", _jellyfinSettings.UserId ?? string.Empty),
+ libraryId = GetEnvString(envVars, "JELLYFIN_LIBRARY_ID", _jellyfinSettings.LibraryId ?? string.Empty)
},
library = new
{
- downloadPath = _subsonicSettings.StorageMode == StorageMode.Cache
- ? Path.Combine(_configuration["Library:DownloadPath"] ?? "./downloads", "cache")
- : Path.Combine(_configuration["Library:DownloadPath"] ?? "./downloads", "permanent"),
- keptPath = Path.Combine(_configuration["Library:DownloadPath"] ?? "./downloads", "kept"),
- storageMode = _subsonicSettings.StorageMode.ToString(),
- cacheDurationHours = _subsonicSettings.CacheDurationHours,
- downloadMode = _subsonicSettings.DownloadMode.ToString()
+ downloadPath = isCacheStorageMode
+ ? Path.Combine(libraryDownloadRoot, "cache")
+ : Path.Combine(libraryDownloadRoot, "permanent"),
+ keptPath = libraryKeptPath,
+ storageMode = storageModeValue,
+ cacheDurationHours = GetEnvInt(envVars, "CACHE_DURATION_HOURS", fallbackCacheDurationHours),
+ downloadMode = GetEnvString(envVars, "DOWNLOAD_MODE", fallbackDownloadMode)
},
deezer = new
{
- arl = AdminHelperService.MaskValue(_deezerSettings.Arl, showLast: 8),
- arlFallback = AdminHelperService.MaskValue(_deezerSettings.ArlFallback, showLast: 8),
- quality = _deezerSettings.Quality ?? "FLAC"
+ arl = AdminHelperService.MaskValue(GetEnvString(envVars, "DEEZER_ARL", _deezerSettings.Arl ?? string.Empty), showLast: 8),
+ arlFallback = AdminHelperService.MaskValue(GetEnvString(envVars, "DEEZER_ARL_FALLBACK", _deezerSettings.ArlFallback ?? string.Empty), showLast: 8),
+ quality = GetEnvString(envVars, "DEEZER_QUALITY", _deezerSettings.Quality ?? "FLAC")
},
qobuz = new
{
- userAuthToken = AdminHelperService.MaskValue(_qobuzSettings.UserAuthToken, showLast: 8),
- userId = _qobuzSettings.UserId,
- quality = _qobuzSettings.Quality ?? "FLAC"
+ userAuthToken = AdminHelperService.MaskValue(GetEnvString(envVars, "QOBUZ_USER_AUTH_TOKEN", _qobuzSettings.UserAuthToken ?? string.Empty), showLast: 8),
+ userId = GetEnvString(envVars, "QOBUZ_USER_ID", _qobuzSettings.UserId ?? string.Empty),
+ quality = GetEnvString(envVars, "QOBUZ_QUALITY", _qobuzSettings.Quality ?? "FLAC")
},
squidWtf = new
{
- quality = _squidWtfSettings.Quality ?? "LOSSLESS"
+ quality = GetEnvString(envVars, "SQUIDWTF_QUALITY", _squidWtfSettings.Quality ?? "LOSSLESS")
},
musicBrainz = new
{
- enabled = _musicBrainzSettings.Enabled,
- username = _musicBrainzSettings.Username ?? "(not set)",
- password = AdminHelperService.MaskValue(_musicBrainzSettings.Password),
+ enabled = GetEnvBool(envVars, "MUSICBRAINZ_ENABLED", _musicBrainzSettings.Enabled),
+ username = GetEnvString(envVars, "MUSICBRAINZ_USERNAME", _musicBrainzSettings.Username ?? string.Empty),
+ password = AdminHelperService.MaskValue(GetEnvString(envVars, "MUSICBRAINZ_PASSWORD", _musicBrainzSettings.Password ?? string.Empty)),
baseUrl = _musicBrainzSettings.BaseUrl,
rateLimitMs = _musicBrainzSettings.RateLimitMs
},
+ cache = new
+ {
+ searchResultsMinutes = GetEnvInt(envVars, "CACHE_SEARCH_RESULTS_MINUTES", _configuration.GetValue("Cache:SearchResultsMinutes", 1)),
+ playlistImagesHours = GetEnvInt(envVars, "CACHE_PLAYLIST_IMAGES_HOURS", _configuration.GetValue("Cache:PlaylistImagesHours", 168)),
+ spotifyPlaylistItemsHours = GetEnvInt(envVars, "CACHE_SPOTIFY_PLAYLIST_ITEMS_HOURS", _configuration.GetValue("Cache:SpotifyPlaylistItemsHours", 168)),
+ spotifyMatchedTracksDays = GetEnvInt(envVars, "CACHE_SPOTIFY_MATCHED_TRACKS_DAYS", _configuration.GetValue("Cache:SpotifyMatchedTracksDays", 30)),
+ lyricsDays = GetEnvInt(envVars, "CACHE_LYRICS_DAYS", _configuration.GetValue("Cache:LyricsDays", 14)),
+ genreDays = GetEnvInt(envVars, "CACHE_GENRE_DAYS", _configuration.GetValue("Cache:GenreDays", 30)),
+ metadataDays = GetEnvInt(envVars, "CACHE_METADATA_DAYS", _configuration.GetValue("Cache:MetadataDays", 7)),
+ odesliLookupDays = GetEnvInt(envVars, "CACHE_ODESLI_LOOKUP_DAYS", _configuration.GetValue("Cache:OdesliLookupDays", 60)),
+ proxyImagesDays = GetEnvInt(envVars, "CACHE_PROXY_IMAGES_DAYS", _configuration.GetValue("Cache:ProxyImagesDays", 14))
+ },
scrobbling = await GetScrobblingSettingsFromEnvAsync()
});
}
-
+
+ private async Task> ReadEnvSettingsAsync()
+ {
+ var envVars = new Dictionary(StringComparer.OrdinalIgnoreCase);
+
+ try
+ {
+ var envPath = _helperService.GetEnvFilePath();
+ if (!System.IO.File.Exists(envPath))
+ {
+ return envVars;
+ }
+
+ var lines = await System.IO.File.ReadAllLinesAsync(envPath);
+ foreach (var line in lines)
+ {
+ if (AdminHelperService.ShouldSkipEnvLine(line))
+ continue;
+
+ var (key, value) = AdminHelperService.ParseEnvLine(line);
+ if (!string.IsNullOrWhiteSpace(key))
+ {
+ envVars[key] = value;
+ }
+ }
+ }
+ catch (Exception ex)
+ {
+ _logger.LogWarning(ex, "Failed to parse env settings for config view");
+ }
+
+ return envVars;
+ }
+
+ private static string GetEnvString(
+ IReadOnlyDictionary envVars,
+ string key,
+ string fallback,
+ bool treatEmptyAsMissing = false)
+ {
+ if (!envVars.TryGetValue(key, out var value))
+ {
+ return fallback;
+ }
+
+ if (treatEmptyAsMissing && string.IsNullOrWhiteSpace(value))
+ {
+ return fallback;
+ }
+
+ return value;
+ }
+
+ private static bool GetEnvBool(IReadOnlyDictionary envVars, string key, bool fallback)
+ {
+ if (!envVars.TryGetValue(key, out var rawValue))
+ {
+ return fallback;
+ }
+
+ if (bool.TryParse(rawValue, out var parsed))
+ {
+ return parsed;
+ }
+
+ if (rawValue.Equals("1", StringComparison.OrdinalIgnoreCase) ||
+ rawValue.Equals("yes", StringComparison.OrdinalIgnoreCase) ||
+ rawValue.Equals("on", StringComparison.OrdinalIgnoreCase))
+ {
+ return true;
+ }
+
+ if (rawValue.Equals("0", StringComparison.OrdinalIgnoreCase) ||
+ rawValue.Equals("no", StringComparison.OrdinalIgnoreCase) ||
+ rawValue.Equals("off", StringComparison.OrdinalIgnoreCase))
+ {
+ return false;
+ }
+
+ return fallback;
+ }
+
+ private static int GetEnvInt(IReadOnlyDictionary envVars, string key, int fallback)
+ {
+ if (!envVars.TryGetValue(key, out var rawValue))
+ {
+ return fallback;
+ }
+
+ return int.TryParse(rawValue, out var parsed) ? parsed : fallback;
+ }
+
///
/// Read scrobbling settings directly from .env file for real-time updates
///
@@ -154,6 +339,8 @@ public class ConfigController : ControllerBase
return new
{
enabled = _scrobblingSettings.Enabled,
+ localTracksEnabled = _scrobblingSettings.LocalTracksEnabled,
+ syntheticLocalPlayedSignalEnabled = _scrobblingSettings.SyntheticLocalPlayedSignalEnabled,
lastFm = new
{
enabled = _scrobblingSettings.LastFm.Enabled,
@@ -170,27 +357,33 @@ public class ConfigController : ControllerBase
}
};
}
-
+
var lines = await System.IO.File.ReadAllLinesAsync(envPath);
var envVars = new Dictionary();
-
+
foreach (var line in lines)
{
if (AdminHelperService.ShouldSkipEnvLine(line))
continue;
-
+
var (key, value) = AdminHelperService.ParseEnvLine(line);
if (!string.IsNullOrEmpty(key))
{
envVars[key] = value;
}
}
-
+
return new
{
- enabled = envVars.TryGetValue("SCROBBLING_ENABLED", out var scrobblingEnabled)
- ? scrobblingEnabled.Equals("true", StringComparison.OrdinalIgnoreCase)
+ enabled = envVars.TryGetValue("SCROBBLING_ENABLED", out var scrobblingEnabled)
+ ? scrobblingEnabled.Equals("true", StringComparison.OrdinalIgnoreCase)
: _scrobblingSettings.Enabled,
+ localTracksEnabled = envVars.TryGetValue("SCROBBLING_LOCAL_TRACKS_ENABLED", out var localTracksEnabled)
+ ? localTracksEnabled.Equals("true", StringComparison.OrdinalIgnoreCase)
+ : _scrobblingSettings.LocalTracksEnabled,
+ syntheticLocalPlayedSignalEnabled = envVars.TryGetValue("SCROBBLING_SYNTHETIC_LOCAL_PLAYED_SIGNAL_ENABLED", out var syntheticPlayedSignalEnabled)
+ ? syntheticPlayedSignalEnabled.Equals("true", StringComparison.OrdinalIgnoreCase)
+ : _scrobblingSettings.SyntheticLocalPlayedSignalEnabled,
lastFm = new
{
enabled = envVars.TryGetValue("SCROBBLING_LASTFM_ENABLED", out var lastFmEnabled)
@@ -230,6 +423,8 @@ public class ConfigController : ControllerBase
return new
{
enabled = _scrobblingSettings.Enabled,
+ localTracksEnabled = _scrobblingSettings.LocalTracksEnabled,
+ syntheticLocalPlayedSignalEnabled = _scrobblingSettings.SyntheticLocalPlayedSignalEnabled,
lastFm = new
{
enabled = _scrobblingSettings.LastFm.Enabled,
@@ -247,20 +442,26 @@ public class ConfigController : ControllerBase
};
}
}
-
+
///
/// Update configuration by modifying .env file
///
[HttpPost("config")]
public async Task UpdateConfig([FromBody] ConfigUpdateRequest request)
{
+ var adminCheck = RequireAdministratorForSensitiveOperation("config update");
+ if (adminCheck != null)
+ {
+ return adminCheck;
+ }
+
if (request == null || request.Updates == null || request.Updates.Count == 0)
{
return BadRequest(new { error = "No updates provided" });
}
-
+
_logger.LogDebug("Config update requested: {Count} changes", request.Updates.Count);
-
+
try
{
// Check if .env file exists
@@ -268,10 +469,10 @@ public class ConfigController : ControllerBase
{
_logger.LogWarning(".env file not found at {Path}, creating new file", _helperService.GetEnvFilePath());
}
-
+
// Read current .env file or create new one
var envContent = new Dictionary();
-
+
if (System.IO.File.Exists(_helperService.GetEnvFilePath()))
{
var lines = await System.IO.File.ReadAllLinesAsync(_helperService.GetEnvFilePath());
@@ -279,25 +480,25 @@ public class ConfigController : ControllerBase
{
if (string.IsNullOrWhiteSpace(line) || line.TrimStart().StartsWith('#'))
continue;
-
+
var eqIndex = line.IndexOf('=');
if (eqIndex > 0)
{
var key = line[..eqIndex].Trim();
var value = line[(eqIndex + 1)..].Trim();
-
+
// Remove surrounding quotes if present (for proper re-quoting)
if (value.StartsWith("\"") && value.EndsWith("\"") && value.Length >= 2)
{
value = value[1..^1];
}
-
+
envContent[key] = value;
}
}
_logger.LogDebug("Loaded {Count} existing env vars from {Path}", envContent.Count, _helperService.GetEnvFilePath());
}
-
+
// Apply updates with validation
var appliedUpdates = new List();
foreach (var (key, value) in request.Updates)
@@ -308,17 +509,17 @@ public class ConfigController : ControllerBase
_logger.LogWarning("Invalid env key rejected: {Key}", key);
return BadRequest(new { error = $"Invalid environment variable key: {key}" });
}
-
+
// IMPORTANT: Docker Compose does NOT need quotes in .env files
// It handles special characters correctly without them
// When quotes are used, they become part of the value itself
envContent[key] = value;
appliedUpdates.Add(key);
- _logger.LogInformation(" Setting {Key} = {Value}", key,
+ _logger.LogInformation(" Setting {Key} = {Value}", key,
key.Contains("COOKIE") || key.Contains("TOKEN") || key.Contains("KEY") || key.Contains("ARL") || key.Contains("PASSWORD")
- ? "***" + (value.Length > 8 ? value[^8..] : "")
+ ? "***" + (value.Length > 8 ? value[^8..] : "")
: value);
-
+
// Auto-set cookie date when Spotify session cookie is updated
if (key == "SPOTIFY_API_SESSION_COOKIE" && !string.IsNullOrEmpty(value))
{
@@ -329,19 +530,19 @@ public class ConfigController : ControllerBase
_logger.LogInformation(" Auto-setting {Key} to {Value}", dateKey, dateValue);
}
}
-
+
// Write back to .env file (no quoting needed - Docker Compose handles special chars)
var newContent = string.Join("\n", envContent.Select(kv => $"{kv.Key}={kv.Value}"));
await System.IO.File.WriteAllTextAsync(_helperService.GetEnvFilePath(), newContent + "\n");
-
+
_logger.LogDebug("Config file updated successfully at {Path}", _helperService.GetEnvFilePath());
-
+
// Invalidate playlist summary cache if playlists were updated
if (appliedUpdates.Contains("SPOTIFY_IMPORT_PLAYLISTS"))
{
_helperService.InvalidatePlaylistSummaryCache();
}
-
+
return Ok(new
{
message = "Configuration updated. Restart container to apply changes.",
@@ -353,23 +554,20 @@ public class ConfigController : ControllerBase
catch (UnauthorizedAccessException ex)
{
_logger.LogError(ex, "Permission denied writing to .env file at {Path}", _helperService.GetEnvFilePath());
- return StatusCode(500, new {
- error = "Permission denied",
- details = "Cannot write to .env file. Check file permissions and volume mount.",
- path = _helperService.GetEnvFilePath()
+ return StatusCode(500, new {
+ error = "Permission denied",
+ message = "Cannot write to .env file. Check file permissions and volume mount."
});
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to update configuration at {Path}", _helperService.GetEnvFilePath());
- return StatusCode(500, new {
- error = "Failed to update configuration",
- details = ex.Message,
- path = _helperService.GetEnvFilePath()
+ return StatusCode(500, new {
+ error = "Failed to update configuration"
});
}
}
-
+
///
/// Add a new playlist to the configuration
///
@@ -377,10 +575,10 @@ public class ConfigController : ControllerBase
public async Task ClearCache()
{
_logger.LogDebug("Cache clear requested from admin UI");
-
+
var clearedFiles = 0;
var clearedRedisKeys = 0;
-
+
// Clear file cache
if (Directory.Exists(CacheDirectory))
{
@@ -397,7 +595,7 @@ public class ConfigController : ControllerBase
}
}
}
-
+
// Clear ALL Redis cache keys for Spotify playlists
// This includes matched tracks, ordered tracks, missing tracks, playlist items, etc.
foreach (var playlist in _spotifyImportSettings.Playlists)
@@ -410,7 +608,7 @@ public class ConfigController : ControllerBase
CacheKeyBuilder.BuildSpotifyMatchedTracksKey(playlist.Name),
CacheKeyBuilder.BuildSpotifyPlaylistItemsKey(playlist.Name)
};
-
+
foreach (var key in keysToDelete)
{
if (await _cache.DeleteAsync(key))
@@ -420,54 +618,60 @@ public class ConfigController : ControllerBase
}
}
}
-
+
// Clear all search cache keys (pattern-based deletion)
var searchKeysDeleted = await _cache.DeleteByPatternAsync("search:*");
clearedRedisKeys += searchKeysDeleted;
-
+
// Clear all image cache keys (pattern-based deletion)
var imageKeysDeleted = await _cache.DeleteByPatternAsync("image:*");
clearedRedisKeys += imageKeysDeleted;
-
- _logger.LogInformation("Cache cleared: {Files} files, {RedisKeys} Redis keys (including {SearchKeys} search keys, {ImageKeys} image keys)",
+
+ _logger.LogInformation("Cache cleared: {Files} files, {RedisKeys} Redis keys (including {SearchKeys} search keys, {ImageKeys} image keys)",
clearedFiles, clearedRedisKeys, searchKeysDeleted, imageKeysDeleted);
-
- return Ok(new {
- message = "Cache cleared successfully",
+
+ return Ok(new {
+ message = "Cache cleared successfully",
filesDeleted = clearedFiles,
redisKeysDeleted = clearedRedisKeys
});
}
-
+
///
/// Restart the allstarr container to apply configuration changes
///
[HttpPost("restart")]
public async Task RestartContainer()
{
+ var adminCheck = RequireAdministratorForSensitiveOperation("container restart");
+ if (adminCheck != null)
+ {
+ return adminCheck;
+ }
+
_logger.LogDebug("Container restart requested from admin UI");
-
+
try
{
// Use Docker socket to restart the container
var socketPath = "/var/run/docker.sock";
-
+
if (!System.IO.File.Exists(socketPath))
{
_logger.LogWarning("Docker socket not available at {Path}", socketPath);
- return StatusCode(503, new {
- error = "Docker socket not available",
- message = "Please restart manually: docker-compose restart allstarr"
+ return StatusCode(503, new {
+ error = "Docker socket not available",
+ message = "Please restart manually: docker-compose restart allstarr"
});
}
-
+
// Get container ID from hostname (Docker sets hostname to container ID by default)
// Or use the well-known container name
var containerId = Environment.MachineName;
var containerName = "allstarr";
-
+
_logger.LogDebug("Attempting to restart container {ContainerId} / {ContainerName}", containerId, containerName);
-
+
// Create Unix socket HTTP client
var handler = new SocketsHttpHandler
{
@@ -477,28 +681,28 @@ public class ConfigController : ControllerBase
System.Net.Sockets.AddressFamily.Unix,
System.Net.Sockets.SocketType.Stream,
System.Net.Sockets.ProtocolType.Unspecified);
-
+
var endpoint = new System.Net.Sockets.UnixDomainSocketEndPoint(socketPath);
await socket.ConnectAsync(endpoint, cancellationToken);
-
+
return new System.Net.Sockets.NetworkStream(socket, ownsSocket: true);
}
};
-
+
using var dockerClient = new HttpClient(handler)
{
BaseAddress = new Uri("http://localhost")
};
-
+
// Try to restart by container name first, then by ID
var response = await dockerClient.PostAsync($"/containers/{containerName}/restart?t=5", null);
-
+
if (!response.IsSuccessStatusCode)
{
// Try by container ID
response = await dockerClient.PostAsync($"/containers/{containerId}/restart?t=5", null);
}
-
+
if (response.IsSuccessStatusCode)
{
_logger.LogInformation("Container restart initiated successfully");
@@ -508,42 +712,47 @@ public class ConfigController : ControllerBase
{
var errorBody = await response.Content.ReadAsStringAsync();
_logger.LogError("Failed to restart container: {StatusCode} - {Body}", response.StatusCode, errorBody);
- return StatusCode((int)response.StatusCode, new {
- error = "Failed to restart container",
- message = "Please restart manually: docker-compose restart allstarr"
+ return StatusCode((int)response.StatusCode, new {
+ error = "Failed to restart container",
+ message = "Please restart manually: docker-compose restart allstarr"
});
}
}
catch (Exception ex)
{
_logger.LogError(ex, "Error restarting container");
- return StatusCode(500, new {
- error = "Failed to restart container",
- details = ex.Message,
- message = "Please restart manually: docker-compose restart allstarr"
+ return StatusCode(500, new {
+ error = "Failed to restart container",
+ message = "Please restart manually: docker-compose restart allstarr"
});
}
}
-
+
///
/// Initialize cookie date to current date if cookie exists but date is not set
///
[HttpPost("config/init-cookie-date")]
public async Task InitCookieDate()
{
+ var adminCheck = RequireAdministratorForSensitiveOperation("init cookie date");
+ if (adminCheck != null)
+ {
+ return adminCheck;
+ }
+
// Only init if cookie exists but date is not set
if (string.IsNullOrEmpty(_spotifyApiSettings.SessionCookie))
{
return BadRequest(new { error = "No cookie set" });
}
-
+
if (!string.IsNullOrEmpty(_spotifyApiSettings.SessionCookieSetDate))
{
return Ok(new { message = "Cookie date already set", date = _spotifyApiSettings.SessionCookieSetDate });
}
-
+
_logger.LogInformation("Initializing cookie date to current date (cookie existed without date tracking)");
-
+
var updateRequest = new ConfigUpdateRequest
{
Updates = new Dictionary
@@ -551,16 +760,32 @@ public class ConfigController : ControllerBase
["SPOTIFY_API_SESSION_COOKIE_SET_DATE"] = DateTime.UtcNow.ToString("o")
}
};
-
+
return await UpdateConfig(updateRequest);
}
-
+
///
/// Get all Jellyfin users
///
[HttpGet("export-env")]
public IActionResult ExportEnv()
{
+ var adminCheck = RequireAdministratorForSensitiveOperation("export env");
+ if (adminCheck != null)
+ {
+ return adminCheck;
+ }
+
+ if (!IsEnvExportEnabled())
+ {
+ _logger.LogWarning("Blocked export-env request because ADMIN__ENABLE_ENV_EXPORT is disabled");
+ return NotFound(new
+ {
+ error = "Export endpoint is disabled by default",
+ message = "Set ADMIN__ENABLE_ENV_EXPORT=true to temporarily enable .env export."
+ });
+ }
+
try
{
if (!System.IO.File.Exists(_helperService.GetEnvFilePath()))
@@ -570,22 +795,28 @@ public class ConfigController : ControllerBase
var envContent = System.IO.File.ReadAllText(_helperService.GetEnvFilePath());
var bytes = System.Text.Encoding.UTF8.GetBytes(envContent);
-
+
return File(bytes, "text/plain", ".env");
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to export .env file");
- return StatusCode(500, new { error = "Failed to export .env file", details = ex.Message });
+ return StatusCode(500, new { error = "Failed to export .env file" });
}
}
-
+
///
/// Import .env file from upload
///
[HttpPost("import-env")]
public async Task ImportEnv([FromForm] IFormFile file)
{
+ var adminCheck = RequireAdministratorForSensitiveOperation("import env");
+ if (adminCheck != null)
+ {
+ return adminCheck;
+ }
+
if (file == null || file.Length == 0)
{
return BadRequest(new { error = "No file provided" });
@@ -601,7 +832,7 @@ public class ConfigController : ControllerBase
// Read uploaded file
using var reader = new StreamReader(file.OpenReadStream());
var content = await reader.ReadToEndAsync();
-
+
// Validate it's a valid .env file (basic check)
if (string.IsNullOrWhiteSpace(content))
{
@@ -618,22 +849,66 @@ public class ConfigController : ControllerBase
// Write new .env file
await System.IO.File.WriteAllTextAsync(_helperService.GetEnvFilePath(), content);
-
+
_logger.LogInformation(".env file imported successfully");
-
- return Ok(new
- {
- success = true,
- message = ".env file imported successfully. Restart the application for changes to take effect."
+
+ return Ok(new
+ {
+ success = true,
+ message = ".env file imported successfully. Restart the application for changes to take effect."
});
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to import .env file");
- return StatusCode(500, new { error = "Failed to import .env file", details = ex.Message });
+ return StatusCode(500, new { error = "Failed to import .env file" });
}
}
-
+
+ private string? GetAuthenticatedUserId()
+ {
+ if (HttpContext.Items.TryGetValue(AdminAuthSessionService.HttpContextSessionItemKey, out var sessionObj) &&
+ sessionObj is AdminAuthSession session &&
+ !string.IsNullOrWhiteSpace(session.UserId))
+ {
+ return session.UserId;
+ }
+
+ return null;
+ }
+
+ private IActionResult? RequireAdministratorForSensitiveOperation(string operationName)
+ {
+ if (HttpContext.Items.TryGetValue(AdminAuthSessionService.HttpContextSessionItemKey, out var sessionObj) &&
+ sessionObj is AdminAuthSession session &&
+ session.IsAdministrator)
+ {
+ return null;
+ }
+
+ _logger.LogWarning("Blocked sensitive admin operation '{Operation}' due to missing administrator session", operationName);
+ return StatusCode(StatusCodes.Status403Forbidden, new
+ {
+ error = "Administrator permissions required",
+ message = "This operation is restricted to Jellyfin administrators."
+ });
+ }
+
+ private bool IsEnvExportEnabled()
+ {
+ if (_configuration.GetValue("Admin:EnableEnvExport"))
+ {
+ return true;
+ }
+
+ if (_configuration.GetValue("ADMIN__ENABLE_ENV_EXPORT"))
+ {
+ return true;
+ }
+
+ return _configuration.GetValue("ADMIN_ENABLE_ENV_EXPORT");
+ }
+
///
/// Gets detailed memory usage statistics for debugging.
///
diff --git a/allstarr/Controllers/DiagnosticsController.cs b/allstarr/Controllers/DiagnosticsController.cs
index 7872a4c..90eaf0c 100644
--- a/allstarr/Controllers/DiagnosticsController.cs
+++ b/allstarr/Controllers/DiagnosticsController.cs
@@ -2,8 +2,13 @@ using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using allstarr.Models.Settings;
using allstarr.Filters;
+using allstarr.Models.Admin;
using allstarr.Services.Jellyfin;
using allstarr.Services.Common;
+using allstarr.Services.Admin;
+using allstarr.Services.Spotify;
+using allstarr.Services.Scrobbling;
+using allstarr.Services.SquidWTF;
using System.Runtime;
namespace allstarr.Controllers;
@@ -22,6 +27,7 @@ public class DiagnosticsController : ControllerBase
private readonly QobuzSettings _qobuzSettings;
private readonly SquidWTFSettings _squidWtfSettings;
private readonly RedisCacheService _cache;
+ private readonly SpotifySessionCookieService _spotifySessionCookieService;
private readonly List _squidWtfApiUrls;
private static int _urlIndex = 0;
private static readonly object _urlIndexLock = new();
@@ -35,6 +41,8 @@ public class DiagnosticsController : ControllerBase
IOptions deezerSettings,
IOptions qobuzSettings,
IOptions squidWtfSettings,
+ SpotifySessionCookieService spotifySessionCookieService,
+ SquidWtfEndpointCatalog squidWtfEndpointCatalog,
RedisCacheService cache)
{
_logger = logger;
@@ -45,52 +53,42 @@ public class DiagnosticsController : ControllerBase
_deezerSettings = deezerSettings.Value;
_qobuzSettings = qobuzSettings.Value;
_squidWtfSettings = squidWtfSettings.Value;
+ _spotifySessionCookieService = spotifySessionCookieService;
_cache = cache;
- _squidWtfApiUrls = DecodeSquidWtfUrls();
- }
-
- private static List DecodeSquidWtfUrls()
- {
- var encodedUrls = new[]
- {
- "aHR0cHM6Ly90cml0b24uc3F1aWQud3Rm",
- "aHR0cHM6Ly90aWRhbC5raW5vcGx1cy5vbmxpbmU=",
- "aHR0cHM6Ly9oaWZpLXR3by5zcG90aXNhdmVyLm5ldA==",
- "aHR0cHM6Ly9oaWZpLW9uZS5zcG90aXNhdmVyLm5ldA==",
- "aHR0cHM6Ly93b2xmLnFxZGwuc2l0ZQ==",
- "aHR0cDovL2h1bmQucXFkbC5zaXRl",
- "aHR0cHM6Ly9rYXR6ZS5xcWRsLnNpdGU=",
- "aHR0cHM6Ly92b2dlbC5xcWRsLnNpdGU=",
- "aHR0cHM6Ly9tYXVzLnFxZGwuc2l0ZQ==",
- "aHR0cHM6Ly9ldS1jZW50cmFsLm1vbm9jaHJvbWUudGY=",
- "aHR0cHM6Ly91cy13ZXN0Lm1vbm9jaHJvbWUudGY=",
- "aHR0cHM6Ly9hcnJhbi5tb25vY2hyb21lLnRm",
- "aHR0cHM6Ly9hcGkubW9ub2Nocm9tZS50Zg==",
- "aHR0cHM6Ly9odW5kLnFxZGwuc2l0ZQ=="
- };
- return encodedUrls.Select(encoded => System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(encoded))).ToList();
+ _squidWtfApiUrls = squidWtfEndpointCatalog.ApiUrls;
}
[HttpGet("status")]
- public IActionResult GetStatus()
+ public async Task GetStatus()
{
// Determine Spotify auth status based on configuration only
// DO NOT call Spotify API here - this endpoint is polled frequently
var spotifyAuthStatus = "not_configured";
string? spotifyUser = null;
-
- if (_spotifyApiSettings.Enabled && !string.IsNullOrEmpty(_spotifyApiSettings.SessionCookie))
+ var sessionUserId = GetAuthenticatedUserId();
+ var cookieStatus = await _spotifySessionCookieService.GetCookieStatusAsync(sessionUserId);
+ var userCookieSetDate = !string.IsNullOrWhiteSpace(sessionUserId)
+ ? await _spotifySessionCookieService.GetCookieSetDateAsync(sessionUserId)
+ : null;
+ var effectiveCookieSetDate = userCookieSetDate?.ToString("o");
+
+ if (string.IsNullOrWhiteSpace(effectiveCookieSetDate) && cookieStatus.UsingGlobalFallback)
+ {
+ effectiveCookieSetDate = _spotifyApiSettings.SessionCookieSetDate;
+ }
+
+ if (_spotifyApiSettings.Enabled && cookieStatus.HasCookie)
{
// If cookie is set, assume it's working until proven otherwise
// Actual validation happens when playlists are fetched
spotifyAuthStatus = "configured";
- spotifyUser = "(cookie set)";
+ spotifyUser = cookieStatus.UsingGlobalFallback ? "(global fallback cookie set)" : "(user cookie set)";
}
else if (_spotifyApiSettings.Enabled)
{
spotifyAuthStatus = "missing_cookie";
}
-
+
return Ok(new
{
version = AppVersion.Version,
@@ -101,8 +99,9 @@ public class DiagnosticsController : ControllerBase
apiEnabled = _spotifyApiSettings.Enabled,
authStatus = spotifyAuthStatus,
user = spotifyUser,
- hasCookie = !string.IsNullOrEmpty(_spotifyApiSettings.SessionCookie),
- cookieSetDate = _spotifyApiSettings.SessionCookieSetDate,
+ hasCookie = cookieStatus.HasCookie,
+ usingGlobalFallback = cookieStatus.UsingGlobalFallback,
+ cookieSetDate = effectiveCookieSetDate,
cacheDurationMinutes = _spotifyApiSettings.CacheDurationMinutes,
preferIsrcMatching = _spotifyApiSettings.PreferIsrcMatching
},
@@ -128,7 +127,19 @@ public class DiagnosticsController : ControllerBase
}
});
}
-
+
+ private string? GetAuthenticatedUserId()
+ {
+ if (HttpContext.Items.TryGetValue(AdminAuthSessionService.HttpContextSessionItemKey, out var sessionObj) &&
+ sessionObj is AdminAuthSession session &&
+ !string.IsNullOrWhiteSpace(session.UserId))
+ {
+ return session.UserId;
+ }
+
+ return null;
+ }
+
///
/// Get a random SquidWTF base URL for searching (round-robin)
///
@@ -139,21 +150,21 @@ public class DiagnosticsController : ControllerBase
{
return NotFound(new { error = "No SquidWTF base URLs configured" });
}
-
+
string baseUrl;
lock (_urlIndexLock)
{
baseUrl = _squidWtfApiUrls[_urlIndex];
_urlIndex = (_urlIndex + 1) % _squidWtfApiUrls.Count;
}
-
+
return Ok(new { baseUrl });
}
-
+
///
/// Get current configuration including cache settings
///
-
+
///
/// Get list of configured playlists with their current data
///
@@ -167,7 +178,7 @@ public class DiagnosticsController : ControllerBase
var gen0Before = GC.CollectionCount(0);
var gen1Before = GC.CollectionCount(1);
var gen2Before = GC.CollectionCount(2);
-
+
// Force garbage collection to get accurate numbers
GC.Collect();
GC.WaitForPendingFinalizers();
@@ -177,10 +188,10 @@ public class DiagnosticsController : ControllerBase
var gen0After = GC.CollectionCount(0);
var gen1After = GC.CollectionCount(1);
var gen2After = GC.CollectionCount(2);
-
+
// Get process memory info
var process = System.Diagnostics.Process.GetCurrentProcess();
-
+
return Ok(new {
Timestamp = DateTime.UtcNow,
BeforeGC = new {
@@ -215,7 +226,8 @@ public class DiagnosticsController : ControllerBase
}
catch (Exception ex)
{
- return BadRequest(new { error = ex.Message });
+ _logger.LogError(ex, "Failed to collect memory statistics");
+ return BadRequest(new { error = "Failed to collect memory statistics" });
}
}
@@ -229,15 +241,15 @@ public class DiagnosticsController : ControllerBase
{
var memoryBefore = GC.GetTotalMemory(false);
var processBefore = System.Diagnostics.Process.GetCurrentProcess().WorkingSet64;
-
+
// Force full garbage collection
GC.Collect(2, GCCollectionMode.Forced);
GC.WaitForPendingFinalizers();
GC.Collect(2, GCCollectionMode.Forced);
-
+
var memoryAfter = GC.GetTotalMemory(false);
var processAfter = System.Diagnostics.Process.GetCurrentProcess().WorkingSet64;
-
+
return Ok(new {
Timestamp = DateTime.UtcNow,
MemoryFreedMB = Math.Round((memoryBefore - memoryAfter) / (1024.0 * 1024.0), 2),
@@ -250,7 +262,8 @@ public class DiagnosticsController : ControllerBase
}
catch (Exception ex)
{
- return BadRequest(new { error = ex.Message });
+ _logger.LogError(ex, "Failed to force garbage collection");
+ return BadRequest(new { error = "Failed to force garbage collection" });
}
}
@@ -273,7 +286,32 @@ public class DiagnosticsController : ControllerBase
}
catch (Exception ex)
{
- return BadRequest(new { error = ex.Message });
+ _logger.LogError(ex, "Failed to get active sessions");
+ return BadRequest(new { error = "Failed to get active sessions" });
+ }
+ }
+
+ ///
+ /// Gets current active scrobbling sessions for debugging.
+ ///
+ [HttpGet("scrobbling-sessions")]
+ public IActionResult GetScrobblingSessions()
+ {
+ try
+ {
+ var scrobblingOrchestrator = HttpContext.RequestServices.GetService();
+ if (scrobblingOrchestrator == null)
+ {
+ return BadRequest(new { error = "Scrobbling orchestrator not available" });
+ }
+
+ var sessionInfo = scrobblingOrchestrator.GetSessionsInfo();
+ return Ok(sessionInfo);
+ }
+ catch (Exception ex)
+ {
+ _logger.LogError(ex, "Failed to get scrobbling sessions");
+ return BadRequest(new { error = "Failed to get scrobbling sessions" });
}
}
@@ -288,24 +326,24 @@ public class DiagnosticsController : ControllerBase
try
{
var logFile = "/app/cache/endpoint-usage/endpoints.csv";
-
+
if (!System.IO.File.Exists(logFile))
{
- return Ok(new {
+ return Ok(new {
message = "No endpoint usage data available",
endpoints = new object[0]
});
}
-
+
var lines = await System.IO.File.ReadAllLinesAsync(logFile);
var usage = new Dictionary();
DateTime? sinceDate = null;
-
+
if (!string.IsNullOrEmpty(since) && DateTime.TryParse(since, out var parsedDate))
{
sinceDate = parsedDate;
}
-
+
foreach (var line in lines.Skip(1)) // Skip header
{
var parts = line.Split(',');
@@ -314,27 +352,27 @@ public class DiagnosticsController : ControllerBase
var timestamp = parts[0];
var method = parts[1];
var endpoint = parts[2];
-
+
// Combine method and endpoint for better clarity
var fullEndpoint = $"{method} {endpoint}";
-
+
// Filter by date if specified
if (sinceDate.HasValue && DateTime.TryParse(timestamp, out var logDate))
{
if (logDate < sinceDate.Value)
continue;
}
-
+
usage[fullEndpoint] = usage.GetValueOrDefault(fullEndpoint, 0) + 1;
}
}
-
+
var topEndpoints = usage
.OrderByDescending(kv => kv.Value)
.Take(top)
.Select(kv => new { endpoint = kv.Key, count = kv.Value })
.ToArray();
-
+
return Ok(new {
totalEndpoints = usage.Count,
totalRequests = usage.Values.Sum(),
@@ -359,20 +397,20 @@ public class DiagnosticsController : ControllerBase
try
{
var logFile = "/app/cache/endpoint-usage/endpoints.csv";
-
+
if (System.IO.File.Exists(logFile))
{
System.IO.File.Delete(logFile);
_logger.LogDebug("Cleared endpoint usage log via admin endpoint");
-
- return Ok(new {
+
+ return Ok(new {
message = "Endpoint usage log cleared successfully",
timestamp = DateTime.UtcNow
});
}
else
{
- return Ok(new {
+ return Ok(new {
message = "No endpoint usage log file found",
timestamp = DateTime.UtcNow
});
@@ -385,8 +423,8 @@ public class DiagnosticsController : ControllerBase
}
}
-
-
+
+
///
/// Saves a manual mapping to file for persistence across restarts.
/// Manual mappings NEVER expire - they are permanent user decisions.
diff --git a/allstarr/Controllers/DownloadsController.cs b/allstarr/Controllers/DownloadsController.cs
index 62e872a..412dc7c 100644
--- a/allstarr/Controllers/DownloadsController.cs
+++ b/allstarr/Controllers/DownloadsController.cs
@@ -26,34 +26,34 @@ public class DownloadsController : ControllerBase
try
{
var keptPath = Path.Combine(_configuration["Library:DownloadPath"] ?? "./downloads", "kept");
-
+
if (!Directory.Exists(keptPath))
{
return Ok(new { files = new List