quasarr 2.1.0__py3-none-any.whl → 2.1.2__py3-none-any.whl

quasarr/downloads/__init__.py

@@ -7,6 +7,7 @@ import json
 import re
 
 from quasarr.downloads.linkcrypters.hide import decrypt_links_if_hide
+from quasarr.downloads.packages import get_packages
 from quasarr.downloads.sources.al import get_al_download_links
 from quasarr.downloads.sources.by import get_by_download_links
 from quasarr.downloads.sources.dd import get_dd_download_links
@@ -295,6 +296,23 @@ def process_links(shared_state, source_result, title, password, package_id, imdb
 # MAIN ENTRY POINT
 # =============================================================================
 
+def package_id_exists(shared_state, package_id):
+    # DB checks
+    if shared_state.get_db("protected").retrieve(package_id):
+        return True
+    if shared_state.get_db("failed").retrieve(package_id):
+        return True
+
+    data = get_packages(shared_state) or {}
+
+    for section in ("queue", "history"):
+        for pkg in data.get(section, []) or []:
+            if pkg.get("nzo_id") == package_id:
+                return True
+
+    return False
+
+
 def download(shared_state, request_from, title, url, mirror, size_mb, password, imdb_id=None, source_key=None):
     """
     Main download entry point.
@@ -348,6 +366,11 @@ def download(shared_state, request_from, title, url, mirror, size_mb, password,
     # Generate DETERMINISTIC package_id
     package_id = generate_deterministic_package_id(title, final_source_key, client_type)
 
+    # Skip Download if package_id already exists
+    if package_id_exists(shared_state, package_id):
+        info(f"Package {package_id} already exists. Skipping download!")
+        return {"success": True, "package_id": package_id, "title": title}
+
     if source_result is None:
         info(f'Could not find matching source for "{title}" - "{url}"')
         StatsHelper(shared_state).increment_failed_downloads()

quasarr/providers/auth.py

@@ -5,13 +5,16 @@
 import base64
 import hashlib
 import hmac
+import json
 import os
 import time
+from functools import wraps
 
-from bottle import request, response, redirect
+from bottle import request, response, redirect, abort
 
 import quasarr.providers.html_images as images
 from quasarr.providers.version import get_version
+from quasarr.storage.config import Config
 
 # Auth configuration from environment
 AUTH_USER = os.environ.get('USER', '')
@@ -22,6 +25,9 @@ AUTH_TYPE = os.environ.get('AUTH', '').lower()
 COOKIE_NAME = 'quasarr_session'
 COOKIE_MAX_AGE = 30 * 24 * 60 * 60  # 30 days
 
+# Stable secret derived from PASS (restart-safe)
+_SECRET_KEY = hashlib.sha256(AUTH_PASS.encode('utf-8')).digest()
+
 
 def is_auth_enabled():
     """Check if authentication is enabled (both USER and PASS set)."""
@@ -33,32 +39,75 @@ def is_form_auth():
     return AUTH_TYPE == 'form'
 
 
-def _sign_cookie(user, expiry):
-    """Create HMAC signature for cookie."""
-    msg = f"{user}:{expiry}".encode()
-    return hmac.new(AUTH_PASS.encode(), msg, hashlib.sha256).hexdigest()
+def _b64encode(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).decode('ascii').rstrip('=')
+
+
+def _b64decode(data: str) -> bytes:
+    padding = '=' * (-len(data) % 4)
+    return base64.urlsafe_b64decode(data + padding)
+
 
+def _sign(data: bytes) -> bytes:
+    return hmac.new(_SECRET_KEY, data, hashlib.sha256).digest()
 
-def _create_session_cookie(user):
-    """Create a signed session cookie value."""
-    expiry = int(time.time()) + COOKIE_MAX_AGE
-    signature = _sign_cookie(user, expiry)
-    return f"{user}:{expiry}:{signature}"
+
+def _mask_user(user: str) -> str:
+    """
+    One-way masked user identifier.
+    Stable across restarts, not reversible.
+    """
+    return hashlib.sha256(f"user:{user}".encode('utf-8')).hexdigest()
 
 
-def _verify_session_cookie(cookie_value):
-    """Verify a session cookie. Returns True if valid."""
+def _create_session_cookie(user: str) -> str:
+    """
+    Stateless, signed cookie.
+    Stores only masked user + expiry.
+    """
+    payload = {
+        "u": _mask_user(user),
+        "exp": int(time.time()) + COOKIE_MAX_AGE,
+    }
+    raw = json.dumps(payload, separators=(',', ':')).encode('utf-8')
+    sig = _sign(raw)
+    return f"{_b64encode(raw)}.{_b64encode(sig)}"
+
+
+def _invalidate_cookie():
     try:
-        parts = cookie_value.split(':')
-        if len(parts) != 3:
-            return False
-        user, expiry, signature = parts
-        expiry = int(expiry)
-        if time.time() > expiry:
-            return False
-        expected_sig = _sign_cookie(user, expiry)
-        return hmac.compare_digest(signature, expected_sig)
-    except:
+        response.delete_cookie(COOKIE_NAME, path='/')
+    except Exception:
+        pass
+
+
+def _verify_session_cookie(value: str) -> bool:
+    """
+    Verify signature, expiry, and masked user.
+    On ANY failure → force logout (cookie deletion).
+    """
+    try:
+        if not value or '.' not in value:
+            raise ValueError
+
+        raw_b64, sig_b64 = value.split('.', 1)
+        raw = _b64decode(raw_b64)
+        sig = _b64decode(sig_b64)
+
+        if not hmac.compare_digest(sig, _sign(raw)):
+            raise ValueError
+
+        payload = json.loads(raw.decode('utf-8'))
+
+        if payload.get("u") != _mask_user(AUTH_USER):
+            raise ValueError
+
+        if int(time.time()) > int(payload.get("exp", 0)):
+            raise ValueError
+
+        return True
+    except Exception:
+        _invalidate_cookie()
         return False
 
 
@@ -78,7 +127,7 @@ def check_basic_auth():
 def check_form_auth():
     """Check session cookie. Returns True if valid."""
     cookie = request.get_cookie(COOKIE_NAME)
-    return cookie and _verify_session_cookie(cookie)
+    return bool(cookie and _verify_session_cookie(cookie))
 
 
 def require_basic_auth():
@@ -176,16 +225,25 @@ def _handle_login_post():
     next_url = request.forms.get('next', '/')
 
     if username == AUTH_USER and password == AUTH_PASS:
-        cookie_value = _create_session_cookie(username)
-        response.set_cookie(COOKIE_NAME, cookie_value, max_age=COOKIE_MAX_AGE, path='/', httponly=True)
+        cookie = _create_session_cookie(username)
+        secure_flag = request.url.startswith('https://')
+        response.set_cookie(
+            COOKIE_NAME,
+            cookie,
+            max_age=COOKIE_MAX_AGE,
+            path='/',
+            httponly=True,
+            secure=secure_flag,
+            samesite='Lax'
+        )
         redirect(next_url)
     else:
-        return _render_login_page(error="Invalid username or password")
+        _invalidate_cookie()
+        return _render_login_page("Invalid username or password")
 
 
 def _handle_logout():
-    """Handle logout - clear cookie and redirect to login."""
-    response.delete_cookie(COOKIE_NAME, path='/')
+    _invalidate_cookie()
     redirect('/login')
 
 
@@ -244,7 +302,21 @@ def add_auth_hook(app, whitelist_prefixes=None):
         # Check authentication
         if is_form_auth():
             if not check_form_auth():
+                _invalidate_cookie()
                 redirect(f'/login?next={path}')
         else:
             if not check_basic_auth():
                 return require_basic_auth()
+
+
+def require_api_key(func):
+    @wraps(func)
+    def decorated(*args, **kwargs):
+        api_key = Config('API').get('key')
+        if not request.query.apikey:
+            return abort(401, "Missing API key")
+        if request.query.apikey != api_key:
+            return abort(403, "Invalid API key")
+        return func(*args, **kwargs)
+
+    return decorated

quasarr/providers/html_templates.py

@@ -86,13 +86,17 @@ def render_centered_html(inner_content, footer_content=""):
                 margin-top: 0;
                 color: var(--setup-border);
             }
+            a.action-card,
+            a.action-card {
+                text-decoration: none !important;
+            }
             /* Status pill styling */
             .status-pill {
                 display: inline-flex;
                 align-items: center;
                 gap: 6px;
                 padding: 6px 12px;
-                border-radius: 20px;
+                border-radius: 0.5rem;
                 font-size: 0.9rem;
                 font-weight: 500;
                 margin: 8px 0;