[Issue]: When changing password, Current Password is not required when user is admin #9208

Closed
1 task done
jvherck opened this issue Jan 30, 2023 · 6 comments · Fixed by #9238
Labels
bug Something isn't working

Comments


jvherck commented Jan 30, 2023

Please describe your bug

Every time I save my profile on my Jellyfin server, it automatically resets/removes my password. This means if I log out, and want to log in again, I only have to enter my username without a password... This happens even if I did not even change anything in my profile, or if I just changed my profile picture. How can I make it not do that? It should only change or reset the password when the "reset password" button is clicked, or if I actually enter something in the "new password" field...

In the screenshots I have attached I followed the reproduction steps below. I deleted my profile picture and clicked save, and it says my new password is saved even though I did not enter any password in any field.

Steps to reproduce:

  1. Click on profile icon in the right top
  2. Click on "Profile" at the top
  3. [Optional]: change profile picture
  4. Click "Save" (even if you didn't edit any of your profile settings)
  5. Sign out
  6. Try signing in again with your credentials (it won't work, but it will work if you don't provide any password)

Jellyfin Version

Other

if other:

10.8.9

Environment

- OS: Windows
- Virtualization: no clue
- Clients: Browser
- Browser: Brave (chrome client)
- FFmpeg Version: I can't find this info, but not important anyway
- Playback Method: N/A
- Hardware Acceleration: none
- Plugins: none
- Reverse Proxy: none
- Base URL: none
- Networking: self-host? I ran it on my Windows pc to test it out
- Storage: local

Jellyfin logs

[2023-01-30 11:30:26.792 +01:00] [INF] [15] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:30:27.101 +01:00] [INF] [81] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:30:27.856 +01:00] [INF] [81] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:30:28.073 +01:00] [INF] [81] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:30:40.895 +01:00] [INF] [64] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:30:41.100 +01:00] [INF] [70] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:31:00.260 +01:00] [INF] [42] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:31:00.485 +01:00] [INF] [42] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:31:07.406 +01:00] [INF] [41] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:31:07.604 +01:00] [INF] [42] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:31:51.235 +01:00] [INF] [64] Emby.Server.Implementations.Session.SessionManager: Logging out access token "aeae118793534c9f8503168493108e56"
[2023-01-30 11:31:58.671 +01:00] [INF] [76] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:31:58.878 +01:00] [INF] [76] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:32:02.216 +01:00] [INF] [84] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:32:02.222 +01:00] [INF] [42] Emby.Server.Implementations.Session.SessionManager: Logging out access token "990854c5f22342189879639ea318721d"
[2023-01-30 11:32:04.769 +01:00] [INF] [64] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2023-01-30 11:32:04.771 +01:00] [INF] [64] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2023-01-30 11:32:04.775 +01:00] [INF] [64] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2023-01-30 11:32:15.269 +01:00] [ERR] [41] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "Default"
MediaBrowser.Controller.Authentication.AuthenticationException: Invalid username or password
   at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2023-01-30 11:32:15.277 +01:00] [INF] [41] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has been denied (IP: "<my local ip>").
[2023-01-30 11:32:15.281 +01:00] [ERR] [41] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".
[2023-01-30 11:32:27.315 +01:00] [ERR] [41] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "Default"
MediaBrowser.Controller.Authentication.AuthenticationException: Invalid username or password
   at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2023-01-30 11:32:27.323 +01:00] [INF] [41] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has been denied (IP: "<my local ip>").
[2023-01-30 11:32:27.325 +01:00] [ERR] [41] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".
[2023-01-30 11:32:52.752 +01:00] [ERR] [64] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "Default"
MediaBrowser.Controller.Authentication.AuthenticationException: Invalid username or password
   at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2023-01-30 11:32:52.760 +01:00] [INF] [64] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has been denied (IP: "<my local ip>").
[2023-01-30 11:32:52.762 +01:00] [ERR] [64] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".
[2023-01-30 11:33:04.698 +01:00] [ERR] [41] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "Default"
MediaBrowser.Controller.Authentication.AuthenticationException: Invalid username or password
   at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2023-01-30 11:33:04.707 +01:00] [INF] [41] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has been denied (IP: "<my local ip>").
[2023-01-30 11:33:04.710 +01:00] [ERR] [41] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".
[2023-01-30 11:33:11.689 +01:00] [WRN] [64] Jellyfin.Api.Controllers.UserController: Password reset proccess initiated from outside the local network with IP: "<my local ip>"
[2023-01-30 11:34:07.099 +01:00] [ERR] [66] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "Default"
MediaBrowser.Controller.Authentication.AuthenticationException: Invalid username or password
   at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2023-01-30 11:34:07.109 +01:00] [INF] [66] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has been denied (IP: "<my local ip>").
[2023-01-30 11:34:07.111 +01:00] [ERR] [66] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".
[2023-01-30 11:34:08.817 +01:00] [INF] [83] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has succeeded.
[2023-01-30 11:34:08.819 +01:00] [INF] [83] Emby.Server.Implementations.Session.SessionManager: Current/Max sessions for user "janva": 0/0
[2023-01-30 11:34:08.822 +01:00] [INF] [83] Emby.Server.Implementations.Session.SessionManager: Creating new access token for user 04fabadf-0967-43aa-aa7f-b203b517e443
[2023-01-30 11:34:08.835 +01:00] [INF] [83] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" request
[2023-01-30 11:34:20.216 +01:00] [INF] [72] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "<my local ip>" closed
[2023-01-30 11:34:20.218 +01:00] [INF] [75] Emby.Server.Implementations.Session.SessionManager: Logging out access token "660db8dcc7b046898385930fa2d9fd88"
[2023-01-30 11:34:23.201 +01:00] [INF] [15] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "janva" has succeeded.
[2023-01-30 11:34:23.202 +01:00] [INF] [15] Emby.Server.Implementations.Session.SessionManager: Current/Max sessions for user "janva": 0/0
[2023-01-30 11:34:23.206 +01:00] [INF] [15] Emby.Server.Implementations.Session.SessionManager: Creating new access token for user 04fabadf-0967-43aa-aa7f-b203b517e443

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

image
image
image

Code of Conduct

  • I agree to follow this project's Code of Conduct
@jvherck jvherck added the bug Something isn't working label Jan 30, 2023

Mavyre commented Jan 30, 2023

Do you input the current password while saving the profile?

Author

jvherck commented Jan 30, 2023

No, it seemed unnecessary to have to provide the password to just update the profile picture. I thought it was only necessary for creating a new password. Do you think the problem should be solved if I just enter my current password into the "current password" input field?

Member

cvium commented Jan 30, 2023

Is your browser or a browser extension automatically filling out the password? Try in private browsing mode

@jellyfin-bot jellyfin-bot added this to Needs triage in Issue Triage for Main Repo Jan 30, 2023
Author

jvherck commented Jan 30, 2023

No, I never saved the password, it's not filling everything in. I guess it's just automatically always saving whatever is in the "new password" in our field for some reason. Even though I have not entered my current password...

Contributor

chrisb92 commented Feb 1, 2023

I think I see what's happening here, there are 2 save buttons on the profile page when a password is already set on the profile. One for changing the password and one for setting up a PIN code:
image

Clicking on the top Save button will submit the New password form successfully without validating that any value exists in the current password field or new password fields.

The edit profile page seems very unclear on what the save buttons are for at first glance, and whether you need to click one of them to set a profile picture.
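
The failure mode described in this thread, as an added example that is not part of the original comments and is not Jellyfin's code: a password-change handler that lets an admin caller skip the current-password check and stores a blank new password as "no password", next to a hardened version. The user model, function names, return strings and the hardened policy are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed user model for illustration; not Jellyfin's schema or API.
const hash = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const store = (user, pw) => { user.pwHash = pw === '' ? null : hash(pw, user.salt); };
function makeUser(name, isAdmin, pw) {
  const user = { name, isAdmin, salt: crypto.randomBytes(16), pwHash: null };
  store(user, pw);
  return user;
}
function verify(user, pw) {
  // A blank password only matches an account that has no password set.
  if (user.pwHash === null || pw === '') return user.pwHash === null && pw === '';
  return crypto.timingSafeEqual(user.pwHash, hash(pw, user.salt));
}

// Behaviour reported in the issue (mechanism assumed): an admin caller skips the
// current-password check, and a blank "new password" is stored as "no password".
function changePasswordVulnerable(caller, target, { currentPw = '', newPw = '' }) {
  if (!caller.isAdmin && !verify(target, currentPw)) return 'denied';
  store(target, newPw);
  return 'changed';
}

// Hardened (assumed policy): blank new passwords are rejected, and changing your
// own password always requires the current one, admin or not.
function changePasswordHardened(caller, target, { currentPw = '', newPw = '' }) {
  if (newPw === '') return 'rejected';
  const own = caller === target;
  if (!own && !caller.isAdmin) return 'denied';
  if (own && !verify(target, currentPw)) return 'denied';
  store(target, newPw);
  return 'changed';
}

// "Save" clicked with both password fields blank, by an admin on their own profile.
function demo() {
  const blankForm = { currentPw: '', newPw: '' };
  const a = makeUser('admin-a', true, 'constructed-pw-1');
  const b = makeUser('admin-b', true, 'constructed-pw-1');
  return {
    vulnerable: changePasswordVulnerable(a, a, blankForm),
    blankLoginAfterVulnerable: verify(a, ''),
    hardened: changePasswordHardened(b, b, blankForm),
    blankLoginAfterHardened: verify(b, ''),
    wrongCurrent: changePasswordHardened(b, b, { currentPw: 'guess', newPw: 'new-pw' }),
    rightCurrent: changePasswordHardened(b, b, { currentPw: 'constructed-pw-1', newPw: 'new-pw' }),
  };
}
console.log(demo());
```

The check belongs on the server: a client-side form validation alone would not stop a request sent with blank fields.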

cvium added a commit to cvium/jellyfin that referenced this issue Feb 2, 2023
Issue Triage for Main Repo automation moved this from Needs triage to Closed/Done Feb 2, 2023
@cvium cvium changed the title [Issue]: [Issue]: Current Password is not required when user is admin Feb 8, 2023
@cvium cvium changed the title [Issue]: Current Password is not required when user is admin [Issue]: When changing password, Current Password is not required when user is admin Feb 8, 2023
@thornbill
Member

This issue was also reported by Dor Tumarkin, Research Director at Checkmarx

5 participants