Hotfix authapi #1244
Don't accept pre-hashed (not-plaintext) passwords as the auth provider no longer supports this due to sha1+salting the passwords in the database.
CC @Tolriq I think this is what you're hoping for with the API return!
Just check with the other C# folk to see if my comment is valid or not. I haven’t tested this, but it looks okay to me.
MediaBrowser.Api/UserService.cs
@@ -379,6 +379,11 @@ public object Post(AuthenticateUser request) | |||
throw new ResourceNotFoundException("User not found"); | |||
} | |||
|
|||
if (request.Pw == "") |
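Review bot: the added condition `if (request.Pw == "")` only matches an empty string, so a request that omits Pw entirely (leaving it null) passes straight through this check; `string.IsNullOrEmpty(request.Pw)` would cover both cases. The same line also treats every empty password as an error, which conflicts with the point raised in this thread that accounts without a password exist, so the condition should distinguish "no plaintext password because a pre-hashed one was sent" from "this user has no password at all" before returning the error to the client.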
I’m no genius, but I think you want a string.IsNullOrEmpty(request.Pw) here.
Yes
So here’s the suggestion:
if (request.Pw == "") | |
if (string.IsNullOrEmpty(request.Pw)) |
The 405 error yes, but I'm not sure the check is OK, as Jellyfin allows users without a password. (The default created account is the server name without one, for example.) And since it seems pre-hashed passwords have priority later in the code, the proper check is probably
@Tolriq @cvium @anthonylavado So I guess this construct would be the best of both?
Well no, you still return the error for an empty password. Proper would be
LGTM
Looks good to me.
Thanks for all the changes. Do you plan to make an RC3? Do you have an approximate date for the official 10.3 release?
@Tolriq Happy to help keep Yatse compatible ;-) I'm hoping for final release in the next day or so, no RC3 unless a showstopper comes up.
Hum ok :( Bad timing so, as I've just released without support for auto fixing connexion. Will see if there's too much support to push a quick fix release.
Ah darn, yea, will probably release tonight. Keep me updated either way, and I can adjust release notes accordingly.
@Tolriq What version would you target for the updated changes? Just writing a note in the release notes for Yatse users to avoid upgrading until your release is out.
My release is out and supports Jellyfin 10.3 if they add it manually. The issue is about users that already have Jellyfin configured: it's currently seen as an Emby device and so won't be automatically migrated until I handle the error 405 case. You can just add a note that they may need to remove / add again the host as Jellyfin to ensure.
Sounds good to me, thanks @Tolriq!
Changes
Add a MethodNotAllowedException to the HTTP handler. Checks the /Users/AuthenticateByName API call to see if a plaintext password has been provided; if not, return the MethodNotAllowedException to the client.

Issues
Addresses #1222