[Feature Request] Validate whether the user is a local network user and only allow log in locally

[Kreach37]

Description

I can login with an user that is only for local use only using external URL.

Jellyseerr was set up using jellyfin local ip.

"Allow remote connections to this server" is uncheck in jellyfin config for the user.

I'm running the develop branch on docker and have set the external URL to fix profile picture and play on jellyfin button.

This is a security concern for my use case since that user doesn't have a password.

What I would like:

1. ability to use that user locally when accessing jellyseerr from my local ip.
2. not being able to access jellyseerr from external URL with that user.

Possible quick fix:
Use external URL for the login process, that would resolve my security concern but not allow local user when on local network.

I will add a password to the user for now!

Version

5298e5f

Steps to Reproduce

1. setup a local user in jellyfin with or without a password
2. login with the local user on jellyseerr using external URL

Code of Conduct

• I agree to follow Overseerr's Code of Conduct

[Fallenbagel]

I'm not sure I understand but I'm guessing what you want is when the user with no password tries to log in, not allow him to be logged in?

You could do that by going into jellyseerr settings and turning off enable new jellyfin login. And if the user already exists you can remove him from jellyseerr. That way that user won't be able to log in, and you can have everyone else imported using the import user button and for that user you can have a local user in jellyseerr.

Previously we had it so that even if you did not have a password you could not log in to jellyseerr with no password, but due to popular request we added in the ability to log in to jellyseerr without password.

[Kreach37]

Thanks for the suggestion!

My problem was that using an external Url lets say jellyseerr.domain.com, I should not be able to login with my username "NoPassword", since jellyfin (jellyfin.domain.com) would not allow it, because that user is local only.

jellyfin settings in the dashboard

The fact that this user has no password should not matter, any user mark as local in jellyfin should not be allowed to be use not locally.

[Fallenbagel]

Ohh I think I get it. Currently it does not validate whether the user is local or remote. Have to try and see how to implement that through api

Let me change the tag to feature request

Meanwhile you can use my suggestion where new jellyfin log in is disabled and removing that user from jellyseerr user list and just creating a local user for that user only