release: v1.5.8 — mobile playback fixes, security hardening, lint cleanup

Fix 4 mobile/iOS playback bugs: infinite network retry loop, silence keepalive
running during active playback, play button failing outside gesture window, and
MediaSession handlers never registering after app restore. Add resumeWithGesture()
across 13 call sites.

Security hardening: safeError() across ~82 catch blocks to prevent error leakage,
SSRF protection on cover art proxy, login timing normalization, crypto.randomInt()
for device links, select clauses on user queries, metrics auth gate, registration
gate with rate limiting, admin role check fix.

Production cleanup: remove dead code/imports, fix all ESLint warnings, add cover
art fetch retry for transient network errors.

Author: Your Name

CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to Kima will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.8] - 2026-02-26
+
+### Fixed
+
+- **Mobile playback: infinite network retry loop**: On mobile networks, transient `MEDIA_ERR_NETWORK` errors triggered a retry cycle that never terminated -- `canplay` and `playing` events reset the retry counter to 0 on every cycle, and `audio.load()` reset `currentTime` to 0, causing the "2-3 seconds then starts over" symptom. Fixed by removing the premature counter resets (counter now only resets on new track load) and saving/restoring playback position across retries.
+- **Mobile playback: silence keepalive running during active playback**: The silence keepalive element (used to hold the iOS/Android audio session while paused in background) was started via `prime()` from a non-gesture context, then `stop()` failed to pause it because the `play()` promise hadn't resolved yet, making `el.paused` still true. Fixed by adding proper async play-promise tracking with a `pendingStop` flag, and removing the non-gesture `prime()`/`stop()` calls from the audio engine's `playing` event handler.
+- **Mobile playback: play button tap fails to resume on iOS**: All in-app play buttons called `resume()` which only set React state; the actual `audio.play()` ran in a `useEffect` after re-render, outside the iOS user-gesture activation window. Fixed by adding a `resumeWithGesture()` helper that calls `audioEngine.tryResume()` and `silenceKeepalive.prime()` synchronously within the gesture context -- the same pattern already used by MediaSession lock-screen handlers. Applied across all 13 play/resume call sites.
+- **Mobile playback: lock screen / notification controls unresponsive after app restore**: MediaSession action handlers were never registered when the app loaded with a server-restored track because the `hasPlayedLocallyRef` guard blocked registration, and the handler registration effect's dependency array was missing `isPlaying`, so it never re-ran when the flag was set. Fixed by adding `isPlaying` to the dependency array.
+- **Cover art proxy transient fetch errors**: External cover art fetches that hit transient TCP errors (`ECONNRESET`, `ETIMEDOUT`, `UND_ERR_SOCKET`) now retry once with a 500ms delay before failing.
+
+### Security
+
+- **Error message leakage**: All ~82 backend route catch blocks replaced with a `safeError()` helper that logs the full error server-side but returns only `"Internal server error"` to the client. Prevents stack traces, file paths, and internal details from leaking to users.
+- **SSRF protection on cover art proxy**: The cover-art proxy endpoint now validates URLs before fetching -- blocks private/loopback IPs, non-HTTP schemes, and resolves DNS to check for rebinding attacks. Audiobook cover paths also block directory traversal.
+- **Login timing side-channel**: Login endpoint previously returned early on user-not-found, allowing username enumeration via response timing. Now runs a dummy bcrypt compare against an invalid hash to normalize response times regardless of whether the user exists.
+- **Device link code generation**: Replaced `Math.random()` with `crypto.randomInt()` for cryptographically secure device link codes.
+- **Unscoped user queries**: Added `select` clauses to all Prisma user queries that previously loaded full rows (including `passwordHash`) when only the ID or specific fields were needed.
+- **Metrics endpoint authentication**: `/api/metrics` now requires authentication.
+- **Registration gate**: Added `registrationOpen` system setting (default: closed) and rate limiter on the registration endpoint. After the first user is created, new registrations require an admin to explicitly open registration.
+- **Admin password reset role check**: Fixed case mismatch (`"ADMIN"` vs `"admin"`) that could allow non-admin users to trigger password resets.
+
+### Housekeeping
+
+- Removed unused `sectionIndex` variables in audiobooks, home, and podcasts pages.
+- Removed dead commented-out album cover grid code and unused imports in DiscoverHero.
+- Fixed missing `useCallback` wrapper for `loadPresets` in MoodMixer.
+- Added missing `previewLoadState` to effect dependency array in usePodcastData.
+
 ## [1.5.7] - 2026-02-23
 
 ### Added

backend/package.json

@@ -1,6 +1,6 @@
 {
     "name": "kima-backend",
-    "version": "1.5.7",
+    "version": "1.5.8",
     "description": "Kima backend API server",
     "license": "GPL-3.0",
     "repository": {

backend/prisma/migrations/20260226000000_add_registration_open_setting/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "SystemSettings" ADD COLUMN "registrationOpen" BOOLEAN NOT NULL DEFAULT false;

backend/prisma/schema.prisma

@@ -570,6 +570,7 @@ model SystemSettings {
   lastfmUserKey               String?
   lastfmEnabled               Boolean?
   publicUrl                   String?
+  registrationOpen            Boolean  @default(false)
 }
 
 model Track {

backend/src/index.ts

@@ -132,7 +132,8 @@ app.use(
 app.use("/api/auth/login", authLimiter);
 app.use("/api/auth/register", authLimiter);
 app.use("/api/auth", authRoutes);
-app.use("/api/onboarding", onboardingRoutes); // Public onboarding routes
+app.use("/api/onboarding/register", authLimiter);
+app.use("/api/onboarding", onboardingRoutes);
 
 // Apply general API rate limiting to all API routes
 app.use("/api/api-keys", apiLimiter, apiKeysRoutes);
@@ -181,7 +182,7 @@ app.get("/api/health", (req, res) => {
 });
 
 // Prometheus metrics endpoint
-app.get("/api/metrics", async (req, res) => {
+app.get("/api/metrics", requireAuth, async (req, res) => {
     try {
         const { getMetrics } = await import("./utils/metrics");
         res.set("Content-Type", "text/plain; version=0.0.4; charset=utf-8");
@@ -270,7 +271,10 @@ async function checkPasswordReset() {
     if (!resetPassword) return;
 
     const bcrypt = await import("bcrypt");
-    const adminUser = await prisma.user.findFirst({ where: { role: "ADMIN" } });
+    const adminUser = await prisma.user.findFirst({
+        where: { role: "admin" },
+        select: { id: true },
+    });
     if (!adminUser) {
         logger.warn("[Password Reset] No admin user found");
         return;

backend/src/routes/artists.ts

@@ -7,6 +7,7 @@ import { deezerService } from "../services/deezer";
 import { redisClient } from "../utils/redis";
 import { normalizeToArray } from "../utils/normalize";
 import { requireAuthOrToken } from "../middleware/auth";
+import { safeError } from "../utils/errors";
 
 const router = Router();
 router.use(requireAuthOrToken);
@@ -35,12 +36,8 @@ router.get("/preview/:artistName/:trackTitle", async (req, res) => {
         } else {
             res.status(404).json({ error: "Preview not found" });
         }
-    } catch (error: any) {
-        logger.error("Preview fetch error:", error);
-        res.status(500).json({
-            error: "Failed to fetch preview",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Track preview fetch", error);
     }
 });
 
@@ -375,12 +372,8 @@ router.get("/discover/:nameOrMbid", async (req, res) => {
         }
 
         res.json(response);
-    } catch (error: any) {
-        logger.error("Artist discovery error:", error);
-        res.status(500).json({
-            error: "Failed to fetch artist details",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Artist discovery", error);
     }
 });
 
@@ -574,12 +567,8 @@ router.get("/album/:mbid", async (req, res) => {
         }
 
         res.json(response);
-    } catch (error: any) {
-        logger.error("Album discovery error:", error);
-        res.status(500).json({
-            error: "Failed to fetch album details",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Album discovery", error);
     }
 });
 

backend/src/routes/audiobooks.ts

@@ -2,6 +2,7 @@ import { Router } from "express";
 import * as fs from "fs";
 import * as path from "path";
 import { logger } from "../utils/logger";
+import { safeError } from "../utils/errors";
 import { audiobookshelfService } from "../services/audiobookshelf";
 import { audiobookCacheService } from "../services/audiobookCache";
 import { prisma } from "../utils/db";
@@ -58,12 +59,8 @@ router.get(
             });
 
             res.json(transformed);
-        } catch (error: any) {
-            logger.error("Error fetching continue listening:", error);
-            res.status(500).json({
-                error: "Failed to fetch continue listening",
-                message: error.message,
-            });
+        } catch (error) {
+            safeError(res, "Failed to fetch continue listening", error);
         }
     }
 );
@@ -107,12 +104,8 @@ router.post("/sync", requireAuthOrToken, apiLimiter, async (req, res) => {
             success: true,
             result,
         });
-    } catch (error: any) {
-        logger.error("Audiobook sync failed:", error);
-        res.status(500).json({
-            error: "Sync failed",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Audiobook sync failed", error);
     }
 });
 
@@ -180,9 +173,8 @@ router.get("/debug-series", requireAuthOrToken, async (req, res) => {
             sampleSeriesData: allSeriesInfo,
             fullSampleWithSeries: fullSample,
         });
-    } catch (error: any) {
-        logger.error("[Audiobooks] Debug series error:", error);
-        res.status(500).json({ error: error.message });
+    } catch (error) {
+        safeError(res, "Debug series fetch failed", error);
     }
 });
 
@@ -206,12 +198,8 @@ router.get("/search", requireAuthOrToken, apiLimiter, async (req, res) => {
 
         const results = await audiobookshelfService.searchAudiobooks(q);
         res.json(results);
-    } catch (error: any) {
-        logger.error("Error searching audiobooks:", error);
-        res.status(500).json({
-            error: "Failed to search audiobooks",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Failed to search audiobooks", error);
     }
 });
 
@@ -293,12 +281,8 @@ router.get("/", requireAuthOrToken, apiLimiter, async (req, res) => {
         });
 
         res.json(audiobooksWithProgress);
-    } catch (error: any) {
-        logger.error("Error fetching audiobooks:", error);
-        res.status(500).json({
-            error: "Failed to fetch audiobooks",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Failed to fetch audiobooks", error);
     }
 });
 
@@ -387,12 +371,8 @@ router.get(
             });
 
             res.json(seriesBooks);
-        } catch (error: any) {
-            logger.error("Error fetching series:", error);
-            res.status(500).json({
-                error: "Failed to fetch series",
-                message: error.message,
-            });
+        } catch (error) {
+            safeError(res, "Failed to fetch series", error);
         }
     }
 );
@@ -492,12 +472,8 @@ router.get("/:id/cover", async (req, res) => {
 
         // No cover available
         return res.status(404).json({ error: "Cover not found" });
-    } catch (error: any) {
-        logger.error("Error serving cover:", error);
-        res.status(500).json({
-            error: "Failed to serve cover",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Failed to serve cover", error);
     }
 });
 
@@ -587,12 +563,8 @@ router.get("/:id", requireAuthOrToken, apiLimiter, async (req, res) => {
         };
 
         res.json(response);
-    } catch (error: any) {
-        logger.error("Error fetching audiobook__", error);
-        res.status(500).json({
-            error: "Failed to fetch audiobook",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Failed to fetch audiobook", error);
     }
 });
 
@@ -663,23 +635,16 @@ router.get("/:id/stream", requireAuthOrToken, async (req, res) => {
 
         stream.pipe(res);
 
-        stream.on("error", (error: any) => {
+        stream.on("error", (error: unknown) => {
             logger.error("[Audiobook Stream] Stream error:", error);
             if (!res.headersSent) {
-                res.status(500).json({
-                    error: "Failed to stream audiobook",
-                    message: error.message,
-                });
+                safeError(res, "Audiobook stream error", error);
             } else {
                 res.end();
             }
         });
-    } catch (error: any) {
-        logger.error("[Audiobook Stream] Error:", error.message);
-        res.status(500).json({
-            error: "Failed to stream audiobook",
-            message: error.message,
-        });
+    } catch (error) {
+        safeError(res, "Failed to stream audiobook", error);
     }
 });
 
@@ -844,12 +809,8 @@ router.post(
                     isFinished: progress.isFinished,
                 },
             });
-        } catch (error: any) {
-            logger.error("Error updating progress:", error);
-            res.status(500).json({
-                error: "Failed to update progress",
-                message: error.message,
-            });
+        } catch (error) {
+            safeError(res, "Failed to update progress", error);
         }
     }
 );
@@ -905,12 +866,8 @@ router.delete(
                 success: true,
                 message: "Progress removed",
             });
-        } catch (error: any) {
-            logger.error("Error removing progress:", error);
-            res.status(500).json({
-                error: "Failed to remove progress",
-                message: error.message,
-            });
+        } catch (error) {
+            safeError(res, "Failed to remove progress", error);
         }
     }
 );

backend/src/routes/auth.ts

@@ -69,15 +69,12 @@ router.post("/login", async (req, res) => {
         const { token } = req.body; // 2FA token if provided
 
         const user = await prisma.user.findUnique({ where: { username } });
-        if (!user) {
-            logger.debug(`[AUTH] User not found: ${username}`);
-            return res.status(401).json({ error: "Invalid credentials" });
-        }
 
-        logger.debug(`[AUTH] Verifying password for user: ${username}`);
-        const valid = await bcrypt.compare(password, user.passwordHash);
-        if (!valid) {
-            logger.debug(`[AUTH] Invalid password for user: ${username}`);
+        // Timing-safe: always run bcrypt to prevent username enumeration
+        const dummyHash = "$2b$10$invalidhashfortimingsafety.00000000000000000000";
+        const valid = await bcrypt.compare(password, user?.passwordHash ?? dummyHash);
+        if (!user || !valid) {
+            logger.debug(`[AUTH] Invalid credentials for: ${username}`);
             return res.status(401).json({ error: "Invalid credentials" });
         }
         logger.debug(`[AUTH] Password verified for user: ${username}`);
@@ -292,6 +289,7 @@ router.post("/change-password", requireAuth, async (req, res) => {
         // Verify current password
         const user = await prisma.user.findUnique({
             where: { id: req.user!.id },
+            select: { id: true, passwordHash: true },
         });
 
         if (!user) {
@@ -548,6 +546,7 @@ router.post("/2fa/disable", requireAuth, async (req, res) => {
 
         const user = await prisma.user.findUnique({
             where: { id: req.user!.id },
+            select: { id: true, passwordHash: true, twoFactorSecret: true },
         });
 
         if (!user) {