harden search parsing and qobuz refresh validation

2026-06-17 15:05:39 +02:00 · 2026-04-21 19:04:33 +02:00
parent de4e561377
commit c67be72869
5 changed files with 86 additions and 2 deletions
--- a/internal/provider/qobuz/client.go
+++ b/internal/provider/qobuz/client.go
@@ -146,9 +146,21 @@ func (c *Client) refreshAppCredentials(ctx context.Context, q *config.QobuzConfi
 		return err
 	}
 	q.AppID = strings.TrimSpace(appID)
-	q.Secrets = append([]string(nil), secrets...)
+	if q.AppID == "" {
+		return errors.New("qobuz app credential refresh returned empty app_id")
+	}
+	clean := make([]string, 0, len(secrets))
+	for _, s := range secrets {
+		if v := strings.TrimSpace(s); v != "" {
+			clean = append(clean, v)
+		}
+	}
+	if len(clean) == 0 {
+		return errors.New("qobuz app credential refresh returned no secrets")
+	}
+	q.Secrets = append([]string(nil), clean...)
 	c.cfg.File.Qobuz.AppID = q.AppID
-	c.cfg.File.Qobuz.Secrets = append([]string(nil), secrets...)
+	c.cfg.File.Qobuz.Secrets = append([]string(nil), clean...)
 	_ = c.cfg.SaveFile()
 	return nil
 }
--- a/internal/provider/qobuz/client_test.go
+++ b/internal/provider/qobuz/client_test.go
@@ -373,3 +373,15 @@ func qobuzSecretSig(requestTS, secret string) string {
 	hash := md5.Sum([]byte(raw))
 	return hex.EncodeToString(hash[:])
 }
+
+func TestRefreshAppCredentialsRejectsEmptyData(t *testing.T) {
+	d := config.DefaultConfigData()
+	c := New(&config.Config{File: d, Session: d})
+	c.fetchCfg = func(context.Context) (string, []string, error) {
+		return "", []string{" "}, nil
+	}
+	err := c.refreshAppCredentials(context.Background(), &c.cfg.Session.Qobuz)
+	if err == nil {
+		t.Fatalf("expected error for empty refreshed app credentials")
+	}
+}