fix(api): prevent checking first admin account for plex server access

2025-09-17 17:24:35 +02:00 · 2020-12-21 20:51:54 +09:00
parent e7ee85c29b
commit 22006e9dbd
3 changed files with 38 additions and 40 deletions
--- a/server/lib/notifications/agents/discord.ts
+++ b/server/lib/notifications/agents/discord.ts
@@ -143,8 +143,6 @@ class DiscordAgent
          }
        );
        break;
-      default:
-        color = EmbedColors.DARK_PURPLE;
    }

    return {
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -71,44 +71,48 @@ authRoutes.post('/login', async (req, res, next) => {
        await userRepository.save(user);
      }

-      // If we get to this point, the user does not already exist so we need to create the
-      // user _assuming_ they have access to the plex server
-      const mainUser = await userRepository.findOneOrFail({
-        select: ['id', 'plexToken'],
-        order: { id: 'ASC' },
-      });
-      const mainPlexTv = new PlexTvAPI(mainUser.plexToken ?? '');
-      if (await mainPlexTv.checkUserAccess(account)) {
-        user = new User({
-          email: account.email,
-          username: account.username,
-          plexId: account.id,
-          plexToken: account.authToken,
-          permissions: settings.main.defaultPermissions,
-          avatar: account.thumb,
-        });
-        await userRepository.save(user);
-      } else {
-        logger.info(
-          'Failed login attempt from user without access to plex server',
-          {
-            label: 'Auth',
-            account: {
-              ...account,
-              authentication_token: '__REDACTED__',
-              authToken: '__REDACTED__',
-            },
-          }
-        );
-        return next({
-          status: 403,
-          message: 'You do not have access to this Plex server',
+      // Double check that we didn't create the first admin user before running this
+      if (!user) {
+        // If we get to this point, the user does not already exist so we need to create the
+        // user _assuming_ they have access to the plex server
+        const mainUser = await userRepository.findOneOrFail({
+          select: ['id', 'plexToken'],
+          order: { id: 'ASC' },
        });
+        const mainPlexTv = new PlexTvAPI(mainUser.plexToken ?? '');
+
+        if (await mainPlexTv.checkUserAccess(account)) {
+          user = new User({
+            email: account.email,
+            username: account.username,
+            plexId: account.id,
+            plexToken: account.authToken,
+            permissions: settings.main.defaultPermissions,
+            avatar: account.thumb,
+          });
+          await userRepository.save(user);
+        } else {
+          logger.info(
+            'Failed login attempt from user without access to plex server',
+            {
+              label: 'Auth',
+              account: {
+                ...account,
+                authentication_token: '__REDACTED__',
+                authToken: '__REDACTED__',
+              },
+            }
+          );
+          return next({
+            status: 403,
+            message: 'You do not have access to this Plex server',
+          });
+        }
      }
    }

    // Set logged in session
-    if (req.session && user) {
+    if (req.session) {
      req.session.userId = user.id;
    }

--- a/src/components/Settings/SettingsAbout/index.tsx
+++ b/src/components/Settings/SettingsAbout/index.tsx
@@ -26,16 +26,12 @@ const SettingsAbout: React.FC = () => {
    '/api/v1/settings/about'
  );

-  if (error) {
-    return <Error statusCode={500} />;
-  }
-
  if (!data && !error) {
    return <LoadingSpinner />;
  }

  if (!data) {
-    return <LoadingSpinner />;
+    return <Error statusCode={500} />;
  }

  return (