From d80e1a260bed86cef0ef6bbaa85b9346bd0488f1 Mon Sep 17 00:00:00 2001
From: Deluan
Date: Mon, 11 Dec 2023 19:32:03 -0500
Subject: [PATCH] Fix possible authentication bypass

---
 core/auth/auth.go | 6 ++++--
 server/server.go | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/auth/auth.go b/core/auth/auth.go
index 2dd7923ee..7725de8d6 100644
--- a/core/auth/auth.go
+++ b/core/auth/auth.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/go-chi/jwtauth/v5"
+	"github.com/google/uuid"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/navidrome/navidrome/conf"
 	"github.com/navidrome/navidrome/consts"
@@ -23,9 +24,10 @@ var (
 func Init(ds model.DataStore) {
 	once.Do(func() {
 		log.Info("Setting Session Timeout", "value", conf.Server.SessionTimeout)
-		secret, err := ds.Property(context.TODO()).DefaultGet(consts.JWTSecretKey, "not so secret")
-		if err != nil {
+		secret, err := ds.Property(context.TODO()).Get(consts.JWTSecretKey)
+		if err != nil || secret == "" {
 			log.Error("No JWT secret found in DB. Setting a temp one, but please report this error", err)
+			secret = uuid.NewString()
 		}
 		Secret = []byte(secret)
 		TokenAuth = jwtauth.New("HS256", Secret, nil)
diff --git a/server/server.go b/server/server.go
index 2ee7022bc..889ca6dbb 100644
--- a/server/server.go
+++ b/server/server.go
@@ -34,8 +34,8 @@ type Server struct {
 
 func New(ds model.DataStore, broker events.Broker) *Server {
 	s := &Server{ds: ds, broker: broker}
-	auth.Init(s.ds)
 	initialSetup(ds)
+	auth.Init(s.ds)
 	s.initRoutes()
 	s.mountAuthenticationRoutes()
 	s.mountRootRedirector()
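Review bot: The fallback `secret = uuid.NewString()` in the `if err != nil || secret == ""` branch gives the HS256 key only about 122 bits of entropy (RFC 7518 §3.2 asks for at least 256 bits for HS256) and is never written back to the DB, so tokens minted with it stop validating on restart and will not validate on any other instance sharing the same database. Since the adjacent log message already treats this path as a bug to be reported, the safer choice is to fail closed with `log.Fatal("No JWT secret found in DB", err)`; if the process must keep running, generate the key as `buf := make([]byte, 32)` / `rand.Read(buf)` from `crypto/rand` and `secret = hex.EncodeToString(buf)`, and add a comment stating that the key is process-local. google/uuid reads `crypto/rand` by default, so the value is unpredictable and this is a hardening point rather than a reopening of the bypass the commit removes. The `once.Do` closure and `Init` itself continue past the end of the hunk.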
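Review bot: Nothing in `New` records that `initialSetup(ds)` must now run before `auth.Init(s.ds)`, yet this ordering appears to be the actual fix for the bypass: presumably initialSetup is what seeds the JWT secret on first run, so calling auth.Init first left it with no stored secret and, before this commit, the fixed string `"not so secret"`. A later reorder would silently reintroduce the problem, so add a comment above the pair, e.g. `// initialSetup must run before auth.Init: it creates the JWT secret that auth.Init reads from the DB.`, and consider a test that asserts the property exists before TokenAuth is built. initialSetup's body is not in the diff, so confirm it is indeed where the secret is created. `New`'s body continues past the end of the hunk.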