fix: add authentication for sync queue API#110
Open
Theta-Dev wants to merge 2 commits intojellyfin:masterfrom
Open
fix: add authentication for sync queue API#110Theta-Dev wants to merge 2 commits intojellyfin:masterfrom
Theta-Dev wants to merge 2 commits intojellyfin:masterfrom
Conversation
crobibero
approved these changes
Apr 1, 2025
Shadowghost
approved these changes
Apr 1, 2025
Author
|
I have updated my pull request and added a check of the authenticated user ID, so users can only fetch their own sync queue. Administrators can fetch any queue. The RequestHelpers.GetUserId method as well as the methods under ClaimsPrincipalExtensions to extract authenticated user attributes are not part of the Jellyfin SDK, is that correct? I have reimplemented this method in the plugin to get the authenticated user ID. |
Theta-Dev
force-pushed
the
fix/add-authentication
branch
from
9746ea4 to
27e5bd3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I have just reviewed the security of my Jellyfin server and figured out that the API of the Kodi Sync queue plugin is completely unauthenticated.
This allows anyone to fetch the entire playback history of an user as long as they know the UserID.
Since the Kodi plugin sends the authorization token for all Jellyfin requests, there is no reason to leave the sync queue endpoints unprotected. I have just updated the plugin on my server and Kodi synchronization works as expected.