diff --git a/backend/endpoints/roms/__init__.py b/backend/endpoints/roms/__init__.py index 40ca24feb..f4848e0c6 100644 --- a/backend/endpoints/roms/__init__.py +++ b/backend/endpoints/roms/__init__.py @@ -1282,7 +1282,7 @@ async def update_rom( path_screenshots = await fs_resource_handler.get_rom_screenshots( rom=rom, overwrite=bool(screenshots_changed), - url_screenshots=cleaned_data.get("url_screenshots", []), + url_screenshots=[add_ss_auth_to_url(u) for u in url_screenshots], ) cleaned_data.update( {"path_screenshots": path_screenshots, "url_screenshots": []} @@ -1353,7 +1353,7 @@ async def update_rom( path_cover_s, path_cover_l = await fs_resource_handler.get_cover( entity=rom, overwrite=url_cover != rom.url_cover, - url_cover=str(url_cover), + url_cover=add_ss_auth_to_url(str(url_cover)), ) cleaned_data.update( { @@ -1373,7 +1373,7 @@ async def update_rom( path_manual = await fs_resource_handler.get_manual( rom=rom, overwrite=url_manual != rom.url_manual, - url_manual=str(url_manual) if url_manual else None, + url_manual=add_ss_auth_to_url(str(url_manual)) if url_manual else None, ) cleaned_data.update( { diff --git a/backend/endpoints/sockets/scan.py b/backend/endpoints/sockets/scan.py index 456ebd7d3..908682440 100644 --- a/backend/endpoints/sockets/scan.py +++ b/backend/endpoints/sockets/scan.py @@ -396,13 +396,21 @@ async def _identify_rom( path_cover_s, path_cover_l = await fs_resource_handler.get_cover( entity=_added_rom, overwrite=_added_rom.url_cover != rom.url_cover, - url_cover=_added_rom.url_cover, + url_cover=( + add_ss_auth_to_url(_added_rom.url_cover) + if _added_rom.url_cover + else _added_rom.url_cover + ), ) path_manual = await fs_resource_handler.get_manual( rom=_added_rom, overwrite=_added_rom.url_manual != rom.url_manual, - url_manual=_added_rom.url_manual, + url_manual=( + add_ss_auth_to_url(_added_rom.url_manual) + if _added_rom.url_manual + else _added_rom.url_manual + ), ) screenshots_changed = pydash.xor( @@ -411,7 +419,9 @@ async def _identify_rom( path_screenshots = await fs_resource_handler.get_rom_screenshots( rom=_added_rom, overwrite=bool(screenshots_changed), - url_screenshots=_added_rom.url_screenshots, + url_screenshots=[ + add_ss_auth_to_url(u) for u in (_added_rom.url_screenshots or []) + ], ) _added_rom.path_cover_s = path_cover_s diff --git a/backend/handler/metadata/ss_handler.py b/backend/handler/metadata/ss_handler.py index 2ab2b3797..a80628a03 100644 --- a/backend/handler/metadata/ss_handler.py +++ b/backend/handler/metadata/ss_handler.py @@ -34,8 +34,17 @@ from .base_handler import ( SENSITIVE_KEYS = {"ssid", "sspassword"} +SS_DOMAIN = "screenscraper.fr" + + def add_ss_auth_to_url(url: str) -> str: - """Re-add SS user credentials to a media URL at download time (never stored).""" + """Re-add SS user credentials to a media URL at download time (never stored). + + Only injects credentials for screenscraper.fr URLs; returns other URLs + unchanged to avoid leaking credentials to third-party sources. + """ + if not url or SS_DOMAIN not in url: + return url if not SCREENSCRAPER_USER or not SCREENSCRAPER_PASSWORD: return url diff --git a/backend/handler/scan_handler.py b/backend/handler/scan_handler.py index afe659a67..c7e3d3fbf 100644 --- a/backend/handler/scan_handler.py +++ b/backend/handler/scan_handler.py @@ -1045,7 +1045,7 @@ async def scan_rom( extra=LOGGER_MODULE_NAME, ) - if rom.has_nested_single_file or rom.has_multiple_files: + if fs_rom["nested"]: for file in fs_rom["files"]: log.info( f"\t ยท {hl(file.file_name, color=LIGHTYELLOW)}",