Skip to content

v2.5.18

Latest

Choose a tag to compare

@github-actions github-actions released this 03 Jul 03:46

v2.5.18 — Recovery codes on the verify screen, accurate security score, tidier SSO hint

In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.

Fixed

  • Recovery codes are now offered on the "verify your identity" 2FA screen. When an already–signed-in session is asked to confirm 2FA, the challenge page now shows a Recovery tab (alongside Authenticator / Email) whenever the account has unused recovery codes — so a user who's lost their authenticator can fall back to a recovery code mid-session. Previously that tab only appeared during an emergency-lockout, even though the full login portal always offered "Use a recovery code instead"; the two are now consistent.
  • Security-posture score no longer counts deleted users. The "2FA coverage" factor divided by every stored 2FA record, including leftovers from deleted accounts — so the score was capped (e.g. "10 / 30 — enroll 8 users" when every current user was already enrolled). It now counts live Jellyfin users only, so coverage reflects reality. Anyone who's ever removed a user was seeing an artificially low score.
  • SSO redirect-URI hint renders correctly. On the Sign-in Methods tab, the OIDC callback-URL hint (/TwoFactorAuth/Oidc/Callback/<providerId>) showed its raw <code> markup as literal text instead of a formatted code snippet. It now renders properly in all eight languages (via an opt-in HTML-translation path in the i18n loader).

Notes

Screenshots of the admin dashboard, login, 2FA enrollment, and audit log are now in the README and on the wiki Screenshots page.