
qBit compatibility auth can fail open when session RNG is unavailable

Summary

The qBittorrent compatibility session helper can fail open if session ID generation fails. GetSessionId() returns an empty string when BCryptGenRandom fails, and the cookie verifier can then accept an empty SID= cookie for protected qBit-compatible routes.

This blocks Beta 0.7.3 because it is a remote authentication failure mode on the web API surface.

Evidence

  • srchybrid/WebServerQBitCompat.cpp:91 builds the process-wide session ID.
  • srchybrid/WebServerQBitCompat.cpp:97 returns an empty string on RNG failure.
  • srchybrid/WebServerQBitCompat.cpp:104 passes that empty string into cookie validation.
  • srchybrid/WebServerQBitCompatSeams.h:286 rejects empty cookie names but not empty expected values.

Execution Plan

  1. Revalidate the current qBit login and protected-route flow on main.
  2. Add a seam or injectable helper for qBit session ID generation so RNG failure can be tested deterministically.
  3. Make session validation fail closed whenever the generated session ID is empty.
  4. Reject Cookie: SID= and duplicate/ambiguous SID cookies for protected qBit routes.
  5. Keep /api/v2/auth/login returning a service-unavailable style failure when the session cannot be generated.
  6. Add targeted tests for:
     • successful login with working RNG
     • RNG failure during login
     • empty SID cookie on a protected route
     • wrong SID cookie on a protected route
     • valid SID cookie on a protected route
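Added example, not code from the eMule project: a hypothetical cookie verifier that applies the fail-closed rules from steps 3 and 4 (empty expected SID, empty SID= cookie, and duplicate or ambiguous SID cookies are all rejected). The function names and the cookie-header parsing are assumptions.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Parse a Cookie: header value such as "a=1; SID=abc" into name/value pairs.
static std::vector<std::pair<std::string, std::string>> ParseCookies(const std::string& header) {
    std::vector<std::pair<std::string, std::string>> out;
    size_t pos = 0;
    while (pos <= header.size()) {
        size_t end = header.find(';', pos);
        if (end == std::string::npos) end = header.size();
        std::string part = header.substr(pos, end - pos);
        size_t b = part.find_first_not_of(" \t");   // trim surrounding whitespace
        size_t e = part.find_last_not_of(" \t");
        if (b != std::string::npos) {
            part = part.substr(b, e - b + 1);
            size_t eq = part.find('=');
            if (eq != std::string::npos)
                out.emplace_back(part.substr(0, eq), part.substr(eq + 1));
        }
        pos = end + 1;
    }
    return out;
}

// Compare without early exit so a wrong SID does not leak how many leading bytes matched.
static bool ConstantTimeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// True only when exactly one SID cookie is present and it equals a non-empty expected SID.
bool IsQBitSessionValid(const std::string& cookieHeader, const std::string& expectedSid) {
    if (expectedSid.empty()) return false;   // fail closed: RNG failure produced no session ID
    std::string found;
    int count = 0;
    for (const auto& kv : ParseCookies(cookieHeader)) {
        if (kv.first == "SID") { ++count; found = kv.second; }
    }
    if (count != 1) return false;            // missing, duplicate or ambiguous SID cookie
    if (found.empty()) return false;         // "Cookie: SID=" is never a session
    return ConstantTimeEquals(found, expectedSid);
}
```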

Acceptance Criteria

  • No protected qBit-compatible route can authenticate with an empty SID.
  • RNG failure never creates an authenticated session.
  • Native /api/v1 API-key authentication is unchanged.
  • The fix lands with targeted regression coverage.

Validation

  • 2026-05-08: Done in app commit 02fd5bf and test commit dfc86d6.
  • python -m emule_workspace validate --workspace-root .
  • python -m emule_workspace build tests --workspace-root . --config Release --platform x64 --test-run-variant main
  • repos\emulebb-build-tests\build\eMulebb-workspace-v0.72a-eMule-main\x64\Release\emule-tests.exe --test-case="Web API validates qBittorrent session cookies by exact pair": 13 assertions passed.
  • python -m emule_workspace build app --workspace-root . --config Release --platform x64 --variant main