Security
- CRITICAL — credential leak via /setup/ after the wizard is completed.* The setup wizard pages (
/setup/tmdb,/setup/managers,/setup/indexers,/setup/downloads) were markedPUBLIC_ACCESSto allow first-time install without login, and stayed reachable even aftersetup_completed=1. They pre-rendered the values of every saved API key / password in plain<input type="text" value="...">for the "Back" button UX, so any unauthenticated client able to reach the Prismarr port couldcurl /setup/tmdband harvest the stored TMDb / Radarr / Sonarr / Prowlarr / Jellyseerr / Gluetun API keys plus the qBittorrent password. Fixed with two layers of defense:SetupController::guardSetupNotCompleted()— every wizard step (tmdb/managers/indexers/downloads/finish) now redirects to the home page whensetup_completed=1. Re-configuration is only available via the auth-protected/admin/settings(ROLE_ADMIN).SetupController::prefill()— values whose key ends with_api_key,_password,_secretor_tokenare NEVER copied from the DB into the wizard render. Even if the redirect ever gets bypassed, the HTML emitted by the wizard cannot contain the secret. Trade-off: navigating "Back" through the wizard during the initial install no longer pre-fills these fields, the user has to re-paste them. This is acceptable on a one-time install flow.
- 6 new PHPUnit tests covering both layers (216 tests / 448 assertions total).
- Action required for users running v1.0.0 - v1.0.4: rotate every API key configured in Prismarr (TMDb, Radarr, Sonarr, Prowlarr, Jellyseerr, Gluetun) and the qBittorrent password, then upgrade to 1.0.5 immediately. Even if your Prismarr instance is on a private LAN, anyone with network access (housemates, guests, smart-home devices, exposed reverse proxy) could have read these values.