It was brought to my attention that there was a significant security flaw with the authentication system where some API endpoints would expose Listenarr's API key. I have fixed this exploit by making those endpoints require authorization when authentication is enabled. While looking into this security flaw, I found others as well that I have fixed, including one where the images were loaded by passing the API key as a query param. Additionally, for clarity, there is now a banner warning you that authentication is disabled to make sure you're aware of the risk.
Audible seems to change ASINs for their books sometimes, so this release also adds the ability to add additional identifiers (ASIN, ISBN, or OLID) and the ability to rescan for metadata based on the primary identifier. Additionally, if audiobook covers or authors for items in your library go missing from the cache, Listenarr will now try to automatically redownload them from the metadata provider and cache them in an attempt to recover and not show the placeholder. You can find a full list of changes and fixes below and in the CHANGELOG.md.
Changed
- Added no-auth deployment warnings (backend startup log + frontend banner).
- Improved API secret handling with caller-aware response redaction.
- Unified protected image loading behavior in AudiobooksView to match auth-safe blob loading used elsewhere.
- Streamlined AudiobooksView and AudiobookDetailView behavior (tab sync, status navigation, action config, selection/status handling).
- Added responsive shell offset handling using shared top-offset variables (App, AudiobooksView, SettingsView) so fixed toolbars/legends behave correctly with the security banner.
- Edit Audiobook modal now uses large layout.
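
A sketch of what caller-aware response redaction can look like, combined with keeping the key out of image URLs. It is added here as an illustration and is not Listenarr's own code; the field names, the `apikey` parameter name and the `caller.authenticated` flag are assumptions.

```javascript
// Added illustration: field names, the "apikey" parameter name and the
// caller.authenticated flag are assumptions, not Listenarr's actual schema.
const SECRET_FIELD = /^(api[-_]?key|password|token|secret)$/i;
const SECRET_PARAM = /^(api[-_]?key|token)$/i;
const MASK = "***REDACTED***";

// Drop secret query parameters when the string parses as an absolute URL.
function stripSecretParams(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return value; // not an absolute URL, leave untouched
  }
  const leaked = [...url.searchParams.keys()].filter((n) => SECRET_PARAM.test(n));
  leaked.forEach((name) => url.searchParams.delete(name));
  return leaked.length ? url.toString() : value;
}

// Deep-copy `body` for `caller`: secret fields are masked unless the caller is
// authenticated, and URLs never carry a key in the query string for anyone.
function redactForCaller(body, caller) {
  const trusted = Boolean(caller && caller.authenticated);
  const walk = (node, key) => {
    if (node === null || node === undefined) return node;
    if (!trusted && key !== undefined && SECRET_FIELD.test(key)) return MASK;
    if (Array.isArray(node)) return node.map((item) => walk(item, key));
    if (typeof node === "object") {
      return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v, k)]));
    }
    return typeof node === "string" ? stripSecretParams(node) : node;
  };
  return walk(body, undefined);
}

// Constructed sample response (not real data).
const sample = {
  settings: { apiKey: "constructed-key-123", authenticationEnabled: true },
  books: [{
    title: "Example",
    coverUrl: "https://listenarr.example/api/images/1?apikey=constructed-key-123&size=large",
  }],
};

console.log(JSON.stringify(redactForCaller(sample, { authenticated: false }), null, 2));
```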
Added
- Typed audiobook external identifiers (ASIN, ISBN, OLID) with migration/backfill and legacy compatibility.
- Identifier editing API and UI (including primary indicator/source badges).
- POST /api/library/{id}/rescan-metadata en...
Automated canary build