Hotfix authapi #1244
Hotfix authapi #1244
Conversation
Don't accept pre-hashed (not-plaintext) passwords as the auth provider no longer supports this due to sha1+salting the passwords in the database.
|
CC @Tolriq I think this is what you're hoping for with the API return! |
MediaBrowser.Api/UserService.cs
Outdated
| @@ -379,6 +379,11 @@ public object Post(AuthenticateUser request) | |||
| throw new ResourceNotFoundException("User not found"); | |||
| } | |||
|
|
|||
| if (request.Pw == "") | |||
There was a problem hiding this comment.
I’m no genius, but I think you want a string.IsNullOrEmpty(request.Pw) here.
There was a problem hiding this comment.
So here’s the suggestion:
| if (request.Pw == "") | |
| if (string.IsNullOrEmpty(request.Pw)) |
|
The 405 error yes but I'm not sure the check is OK as Jellyfin allows to have users without password. (The default created account is the server name without one for example) And since it seems pre hashed password have priority later in code, proper check is probably |
|
@Tolriq @cvium @anthonylavado So I guess this construct would be the best of both? |
|
Well no you still return the error for empty password. Proper would be |
joshuaboniface
requested review from
anthonylavado and
cvium
and removed request for
anthonylavado
|
Thanks for all the changes. Do you plan to make an RC3? Do you have an approximative date for official 10.3 release? |
|
@Tolriq Happy to help keep Yatse compatible ;-) I'm hoping for final release in the next day or so, no RC3 unless a showstopper comes up. |
|
Hum ok :( Bad timing so as I've just released without support for auto fixing connexion. Will see if there's too much support to push a quick fix release. |
|
Ah darn, yea, will probably release tonight. Keep me updated either way, and I can adjust release notes accordingly. |
|
@Tolriq What version would you target for the updated changes? Just writing a note in the release notes for Yatse users to avoid upgrading until your release is out. |
|
My release is out and support Jellyfin 10.3 if they add it manually. The issue is about users that already have Jellyfin configured, it's currently seen as an Emby device and so won't be automatically migrated until I handle the error 405 case. You can just add a note that they may need to remove / add again the host as Jellyfin to ensure. |
|
Sounds good to me, thanks @Tolriq! |
Changes
Add a
MethodNotAllowedExceptionto the HTTP handler. Checks the/Users/AuthenticateByNameAPI call to see if a plaintext password has been provided; if not, return theMethodNotAllowedExceptionto the client.Issues
Addresses #1222