
Streaming API responds with content even when the provided API key is invalid #13777

@abriand-solicis

Description

Description of the bug

Hello,

When setting up my Jellyfin server, I wanted to check the security of the streaming APIs.

I used curl to call the following API with valid parameters sent by JellyfinMediaPlayer, just modifying the api_key value: https://j.mydomain.tld/Videos/{itemId}/stream.mkv?Static=true&mediaSourceId={itemId}&deviceId={deviceId}&api_key={apiKey}&Tag={tagId}

In the Jellyfin server logs it shows me: [INF] [13] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."

However, the media content is sent instead of an unauthorized response being returned.

This behavior seems to occur only on direct stream APIs (at least /Videos and /Audio), but I haven't checked all APIs.

Reproduction steps

Get a Jellyfin server
Launch a direct stream (without transcoding)
Get the stream URL
In a browser or via curl, call the stream URL with a changed api_key value

What is the current bug behavior?

Stream content is sent despite an invalid api_key

What is the expected correct behavior?

The stream content should not be sent, and an authorization error should be returned

Jellyfin Server version

10.10.0+

Specify commit id

No response

Specify unstable release number

No response

Specify version number

No response

Specify the build version

10.10.6

Environment

- OS: Windows 11
- Playback Method: Direct Play
- Hardware Acceleration: NVENC
- GPU Model: GTX 1080
- Reverse Proxy: Nginx (no cache)
- Base URL: none
- Storage: local

Jellyfin logs

[2025-03-26 23:18:52.266 +01:00] [INF] [13] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."

FFmpeg logs

Client / Browser logs

No response

Relevant screenshots or videos

No response

Additional information

No response
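A regression check for the behaviour described in this report, added here and not part of the issue or of Jellyfin itself: it takes a direct-stream URL of the shape quoted above, swaps in a deliberately bogus api_key, requests only the first byte, and reports whether the server rejected the request (expected) or served content (the bug). The base URL, item, device and tag values in the helpers are constructed placeholders.

```python
import urllib.error
import urllib.parse
import urllib.request


def build_stream_url(base, item_id, device_id, api_key, tag, kind="Videos", ext="mkv"):
    """Build a direct-stream URL in the shape quoted in the report (values are caller-supplied)."""
    query = urllib.parse.urlencode({
        "Static": "true",
        "mediaSourceId": item_id,
        "deviceId": device_id,
        "api_key": api_key,
        "Tag": tag,
    })
    return f"{base.rstrip('/')}/{kind}/{item_id}/stream.{ext}?{query}"


def with_api_key(url, api_key):
    """Return the same URL with only the api_key query value replaced; other params are kept."""
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    params = [(k, api_key if k == "api_key" else v) for k, v in params]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(params)))


def classify(status):
    """Map an HTTP status to the outcome the report distinguishes."""
    if status in (401, 403):
        return "rejected"          # expected: invalid key refused
    if status in (200, 206):
        return "content-served"    # the reported bug: media sent despite the bad key
    return "other"


def probe(url, timeout=10):
    """Ask for a single byte so a served stream is detected without downloading the file."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


if __name__ == "__main__":
    import sys
    # usage: python check_stream_auth.py <stream URL copied from a client>
    bogus = with_api_key(sys.argv[1], "invalid-api-key-for-check")  # constructed bad key
    print(probe(bogus))
```

Run it against your own server after upgrading; "rejected" is the expected result, "content-served" means the endpoint still ignores the failed authentication.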


Labels: bug
