Security
- API key exposed to non-admin users — `GET /api/v1/auth/config` returned the global API key to every authenticated account. Since the key is also accepted via the `?apikey=` query string, any regular user could authenticate with full API access. The key is now redacted unless the caller has `role=admin`.
- Cross-user author visibility — `GET /api/v1/author` returned all authors regardless of `owner_user_id`, letting one user see (and enumerate) another user's library. The list is now scoped to the authenticated user.
- Non-admin auth-mode escalation — `PUT /api/v1/auth/mode` lacked a `RequireAdmin` guard. A regular user could switch the instance to `local-only`, granting unauthenticated access to every client on the local network. The endpoint now requires admin role.
- Untrusted `X-Forwarded-*` header injection — `X-Forwarded-Proto` and `X-Forwarded-Host` were accepted from any client when `BINDERY_TRUSTED_PROXY` was not set, enabling OPDS base-URL injection and spurious HSTS headers. All forwarded headers are now stripped from requests that do not originate from a configured trusted proxy.
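The trusted-proxy rule from the last item, as an added example that is not Bindery's own code: an assumed Go `net/http` middleware that drops every `X-Forwarded-*` header unless the TCP peer lies inside a configured proxy list. It assumes `BINDERY_TRUSTED_PROXY` holds comma-separated CIDRs; an unset value yields an empty list, so nothing is trusted.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// trustedProxies parses the BINDERY_TRUSTED_PROXY value, assumed here to be a
// comma-separated CIDR list (a constructed assumption). Empty input: no trust.
func trustedProxies(value string) []*net.IPNet {
	var nets []*net.IPNet
	for _, p := range strings.Split(value, ",") {
		if _, n, err := net.ParseCIDR(strings.TrimSpace(p)); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

// fromTrustedProxy checks the TCP peer address (never a header) against the list.
func fromTrustedProxy(r *http.Request, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// StripForwarded removes X-Forwarded-* (and RFC 7239 Forwarded) from requests that did
// not arrive via a trusted proxy, so OPDS base-URL and HSTS logic only sees proxy values.
func StripForwarded(nets []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !fromTrustedProxy(r, nets) {
			for name := range r.Header {
				if l := strings.ToLower(name); strings.HasPrefix(l, "x-forwarded-") || l == "forwarded" {
					r.Header.Del(name)
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}
```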