authorCody Robibero <cody@robibe.ro>2023-10-30 15:31:13 -0600
committerGitHub <noreply@github.com>2023-10-30 15:31:13 -0600
commit8c5fc8028240adec57a4b39147dbeac81a1835a0 (patch)
tree62bcba59fa6e86fa1dfd479b709bbecfaca1cf08
parentb26eb7dd6bb928bd3e6f292833092fd518c6db0b (diff)
Don't remove all tokens if invalid header (#10490)
-rw-r--r--Emby.Server.Implementations/Session/SessionManager.cs12
-rw-r--r--tests/Jellyfin.Server.Implementations.Tests/SessionManager/SessionManagerTests.cs111
2 files changed, 121 insertions, 2 deletions
diff --git a/Emby.Server.Implementations/Session/SessionManager.cs b/Emby.Server.Implementations/Session/SessionManager.cs
index dc59a4523..e8e63d286 100644
--- a/Emby.Server.Implementations/Session/SessionManager.cs
+++ b/Emby.Server.Implementations/Session/SessionManager.cs
@@ -1453,10 +1453,15 @@ namespace Emby.Server.Implementations.Session
return AuthenticateNewSessionInternal(request, false);
}
- private async Task<AuthenticationResult> AuthenticateNewSessionInternal(AuthenticationRequest request, bool enforcePassword)
+ internal async Task<AuthenticationResult> AuthenticateNewSessionInternal(AuthenticationRequest request, bool enforcePassword)
{
CheckDisposed();
+ ArgumentException.ThrowIfNullOrEmpty(request.App);
+ ArgumentException.ThrowIfNullOrEmpty(request.DeviceId);
+ ArgumentException.ThrowIfNullOrEmpty(request.DeviceName);
+ ArgumentException.ThrowIfNullOrEmpty(request.AppVersion);
+
User user = null;
if (!request.UserId.Equals(default))
{
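Review bot: The four new guards in AuthenticateNewSessionInternal reject null and empty strings but still accept a whitespace-only value, so a header that parses to a blank `DeviceId` passes validation and reaches the token lookup; the same holds for the `deviceId` guard added to GetAuthorizationToken in the next hunk. If the target framework provides it, `ArgumentException.ThrowIfNullOrWhiteSpace(request.DeviceId);` (and likewise for the other three fields) closes that gap, otherwise an explicit `string.IsNullOrWhiteSpace` check does. `request` itself is dereferenced without a null check, so a null request surfaces as a NullReferenceException; `ArgumentNullException.ThrowIfNull(request);` ahead of the field checks would make that failure explicit. The method body continues outside the hunk, so whether a blank id can actually match stored devices is not visible here.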
@@ -1517,8 +1522,11 @@ namespace Emby.Server.Implementations.Session
return returnResult;
}
- private async Task<string> GetAuthorizationToken(User user, string deviceId, string app, string appVersion, string deviceName)
+ internal async Task<string> GetAuthorizationToken(User user, string deviceId, string app, string appVersion, string deviceName)
{
+ // This should be validated above, but if it isn't don't delete all tokens.
+ ArgumentException.ThrowIfNullOrEmpty(deviceId);
+
var existing = (await _deviceManager.GetDevices(
new DeviceQuery
{
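Review bot: Both AuthenticateNewSessionInternal and GetAuthorizationToken go from `private` to `internal` with no comment saying why, and GetAuthorizationToken appears to hand out a token for whatever `User` it is given without a credential check of its own, so the wider visibility should be documented as test-only. A line such as `// internal only so the unit tests can call it; callers must already have authenticated the user` above each signature would do. The new inline comment also says the value "should be validated above" without stating the failure mode; presumably an empty `DeviceId` leaves the `DeviceQuery` unfiltered by device, and saying so in the comment would help the next reader. The body of GetAuthorizationToken continues past the end of the hunk.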
diff --git a/tests/Jellyfin.Server.Implementations.Tests/SessionManager/SessionManagerTests.cs b/tests/Jellyfin.Server.Implementations.Tests/SessionManager/SessionManagerTests.cs
new file mode 100644
index 000000000..ebd3a3891
--- /dev/null
+++ b/tests/Jellyfin.Server.Implementations.Tests/SessionManager/SessionManagerTests.cs
@@ -0,0 +1,111 @@
+using System;
+using System.Threading.Tasks;
+using Jellyfin.Data.Entities;
+using MediaBrowser.Controller;
+using MediaBrowser.Controller.Configuration;
+using MediaBrowser.Controller.Devices;
+using MediaBrowser.Controller.Drawing;
+using MediaBrowser.Controller.Dto;
+using MediaBrowser.Controller.Events;
+using MediaBrowser.Controller.Library;
+using MediaBrowser.Controller.Session;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+using Xunit;
+
+namespace Jellyfin.Server.Implementations.Tests.SessionManager;
+
+public class SessionManagerTests
+{
+ [Theory]
+ [InlineData("", typeof(ArgumentException))]
+ [InlineData(null, typeof(ArgumentNullException))]
+ public async Task GetAuthorizationToken_Should_ThrowException(string deviceId, Type exceptionType)
+ {
+ await using var sessionManager = new Emby.Server.Implementations.Session.SessionManager(
+ NullLogger<Emby.Server.Implementations.Session.SessionManager>.Instance,
+ Mock.Of<IEventManager>(),
+ Mock.Of<IUserDataManager>(),
+ Mock.Of<IServerConfigurationManager>(),
+ Mock.Of<ILibraryManager>(),
+ Mock.Of<IUserManager>(),
+ Mock.Of<IMusicManager>(),
+ Mock.Of<IDtoService>(),
+ Mock.Of<IImageProcessor>(),
+ Mock.Of<IServerApplicationHost>(),
+ Mock.Of<IDeviceManager>(),
+ Mock.Of<IMediaSourceManager>(),
+ Mock.Of<IHostApplicationLifetime>());
+
+ await Assert.ThrowsAsync(exceptionType, () => sessionManager.GetAuthorizationToken(
+ new User("test", "default", "default"),
+ deviceId,
+ "app_name",
+ "0.0.0",
+ "device_name"));
+ }
+
+ [Theory]
+ [MemberData(nameof(AuthenticateNewSessionInternal_Exception_TestData))]
+ public async Task AuthenticateNewSessionInternal_Should_ThrowException(AuthenticationRequest authenticationRequest, Type exceptionType)
+ {
+ await using var sessionManager = new Emby.Server.Implementations.Session.SessionManager(
+ NullLogger<Emby.Server.Implementations.Session.SessionManager>.Instance,
+ Mock.Of<IEventManager>(),
+ Mock.Of<IUserDataManager>(),
+ Mock.Of<IServerConfigurationManager>(),
+ Mock.Of<ILibraryManager>(),
+ Mock.Of<IUserManager>(),
+ Mock.Of<IMusicManager>(),
+ Mock.Of<IDtoService>(),
+ Mock.Of<IImageProcessor>(),
+ Mock.Of<IServerApplicationHost>(),
+ Mock.Of<IDeviceManager>(),
+ Mock.Of<IMediaSourceManager>(),
+ Mock.Of<IHostApplicationLifetime>());
+
+ await Assert.ThrowsAsync(exceptionType, () => sessionManager.AuthenticateNewSessionInternal(authenticationRequest, false));
+ }
+
+ public static TheoryData<AuthenticationRequest, Type> AuthenticateNewSessionInternal_Exception_TestData()
+ {
+ var data = new TheoryData<AuthenticationRequest, Type>
+ {
+ {
+ new AuthenticationRequest { App = string.Empty, DeviceId = "device_id", DeviceName = "device_name", AppVersion = "app_version" },
+ typeof(ArgumentException)
+ },
+ {
+ new AuthenticationRequest { App = null, DeviceId = "device_id", DeviceName = "device_name", AppVersion = "app_version" },
+ typeof(ArgumentNullException)
+ },
+ {
+ new AuthenticationRequest { App = "app_name", DeviceId = string.Empty, DeviceName = "device_name", AppVersion = "app_version" },
+ typeof(ArgumentException)
+ },
+ {
+ new AuthenticationRequest { App = "app_name", DeviceId = null, DeviceName = "device_name", AppVersion = "app_version" },
+ typeof(ArgumentNullException)
+ },
+ {
+ new AuthenticationRequest { App = "app_name", DeviceId = "device_id", DeviceName = string.Empty, AppVersion = "app_version" },
+ typeof(ArgumentException)
+ },
+ {
+ new AuthenticationRequest { App = "app_name", DeviceId = "device_id", DeviceName = null, AppVersion = "app_version" },
+ typeof(ArgumentNullException)
+ },
+ {
+ new AuthenticationRequest { App = "app_name", DeviceId = "device_id", DeviceName = "device_name", AppVersion = string.Empty },
+ typeof(ArgumentException)
+ },
+ {
+ new AuthenticationRequest { App = "app_name", DeviceId = "device_id", DeviceName = "device_name", AppVersion = null },
+ typeof(ArgumentNullException)
+ }
+ };
+
+ return data;
+ }
+}
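Review bot: Both tests in SessionManagerTests assert only that an exception is thrown, not the property the commit title promises, namely that no existing tokens are touched when the device id is invalid. Using an explicit mock, `var deviceManager = new Mock<IDeviceManager>();`, passing `deviceManager.Object` to the constructor and ending GetAuthorizationToken_Should_ThrowException with `deviceManager.VerifyNoOtherCalls();` would pin that the guard fires before any device lookup or deletion; this assumes the SessionManager constructor itself makes no calls on the device manager. The thirteen-argument constructor call is also duplicated verbatim in both tests, and a private `CreateSessionManager()` helper would keep them in step when the constructor changes.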