v2.5.16

Released by @github-actions on 27 Jun 22:54

v2.5.16 — App passwords on native clients, sturdier OIDC onboarding, contributor features

In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.

Fixed

  • App passwords now work with native / third-party clients (#102, #107, #108). App passwords were only honoured for accounts that had signed in via passkey or OIDC; a TOTP-only account stayed on Jellyfin's default authentication provider, so apps like Symfonium, Seerr / Jellyseerr, and the mobile apps had their app password checked against the real password and rejected ("invalid password" / "credentials not correct"). Creating an app password now routes the account through the plugin's auth provider so the app-password check actually runs. If you already created an app password, make a fresh one after updating to pick up the change.
  • OIDC "set your password" onboarding is more robust (#100, Re4mstr). The page now always shows the configured complexity rules (length + character classes) instead of sometimes defaulting to "16 characters"; if the policy can't load it surfaces a clear error instead of silently using a weak default (with an escape hatch so you can never get locked out); and the step can no longer be skipped with the browser Back button.
  • Android in-app Google/OIDC sign-in: clearer recovery (#64). When the one-time sign-in code expires or is blocked (e.g. by a reverse proxy such as Cloudflare), the in-app dialog now tells you to restart the sign-in for a fresh code instead of uselessly retrying a dead one.

Added

  • Operator-configurable SSRF egress allowlist for OIDC endpoints (#103, @andrewdunndev). A per-provider "Additional allowed CIDRs" field lets you permit specific non-RFC1918 / link-local IdP addresses that the SSRF guard otherwise blocks even with "Allow private networks" on — e.g. the rootless Podman host-gateway 169.254.1.2/32. Opt-in and surgical (/0 and out-of-range prefixes are rejected).
  • Admin "require password setup" for SMTP-less recovery (#104, @andrewdunndev). An admin can re-arm an existing user's "set a new local password on next OIDC sign-in" from the Users tab — local-password recovery without needing SMTP. The user's existing password stays valid until they complete setup.
  • Login-page tidy-ups (#79, ZEROX7). New opt-in setting to place the injected SSO / 2FA / passkey links below the "Use Quick Connect" button, and the native "Forgot password" link is now hidden when there's no password field to recover (e.g. OIDC-only login).
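
The SSRF allowlist item above describes behaviour only; as an added illustration that is not the plugin's own code, the following Python models such a guard: a parser for an "Additional allowed CIDRs" field that refuses a catch-all /0, out-of-range prefixes and entries with host bits set, plus an egress check where an explicit operator CIDR is the only thing that unlocks link-local or loopback targets. The policy ordering inside `egress_allowed` is an assumption for this example, not a statement about how the plugin orders its checks.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def parse_allowed_cidrs(raw: str) -> List[IPNetwork]:
    """Parse an 'Additional allowed CIDRs' field (comma or whitespace separated).

    ip_network refuses out-of-range prefixes (e.g. /33 for IPv4); strict=True
    also refuses host bits set (169.254.1.2/24), so a mistyped prefix length
    cannot silently widen the allowlist.
    """
    nets: List[IPNetwork] = []
    for token in raw.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {token!r}: {exc}") from exc
        if net.prefixlen == 0:
            # A /0 would switch the SSRF guard off entirely; never accept it.
            raise ValueError(f"refusing catch-all prefix {token!r}")
        nets.append(net)
    return nets

def cidr_rejected(raw: str) -> bool:
    """True when parse_allowed_cidrs refuses the input."""
    try:
        parse_allowed_cidrs(raw)
    except ValueError:
        return True
    return False

def egress_allowed(ip_text: str, allow_private: bool, extra_cidrs: Iterable[IPNetwork] = ()) -> bool:
    """Decide whether the OIDC client may connect to an already-resolved IP.

    Assumed policy (not the plugin's documented order): an explicit operator
    CIDR wins; loopback, link-local (covers 169.254.169.254 cloud metadata),
    multicast, unspecified and reserved stay blocked even with allow_private;
    RFC1918 / ULA space needs allow_private; public addresses are allowed.
    """
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in extra_cidrs):
        return True
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return False
    if ip.is_private:
        return allow_private
    return ip.is_global
```

Resolve the IdP hostname first and run the check on every returned address, since a DNS answer that mixes a public and a link-local record must not slip through on the public one.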

Translations

  • Completed and aligned all eight languages (en, de, es, fr, it, ja, pt, zh), including translation entries for the new SSRF-allowlist and password-recovery admin UI that previously fell back to English only.

Thanks

Contributions and reports from @andrewdunndev, Re4mstr, ZEROX7, micjgam, DarkJackal87, MilesTEG1, and everyone who filed detailed issues. 🙏