Bump version for 10.3.5

Merge pull request #1447 from joshuaboniface/implement-invalidauth
Implement InvalidAuthProvider
2026-01-16 16:18:06 +00:00 · 2019-06-09 21:47:45 -04:00 · 2019-06-09 15:36:25 -04:00 · 2019-06-09 15:29:43 -04:00 · 2019-06-09 13:57:49 -04:00 · 2019-06-09 13:46:53 -04:00
15 changed files with 122 additions and 48 deletions
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -24,6 +24,7 @@
 - [Lynxy](https://github.com/Lynxy)
 - [fasheng](https://github.com/fasheng)
 - [ploughpuff](https://github.com/ploughpuff) 
+ - [pjeanjean](https://github.com/pjeanjean)

 # Emby Contributors

--- a/2
+++ b/2
@@ -21,7 +21,7 @@ RUN apt-get update \
 COPY --from=ffmpeg / /
 COPY --from=builder /jellyfin /jellyfin

-ARG JELLYFIN_WEB_VERSION=10.3.3
+ARG JELLYFIN_WEB_VERSION=10.3.5
 RUN curl -L https://github.com/jellyfin/jellyfin-web/archive/v${JELLYFIN_WEB_VERSION}.tar.gz | tar zxf - \
 && rm -rf /jellyfin/jellyfin-web \
 && mv jellyfin-web-${JELLYFIN_WEB_VERSION} /jellyfin/jellyfin-web
--- a/Dockerfile.arm
+++ b/Dockerfile.arm
@@ -3,11 +3,6 @@
 ARG DOTNET_VERSION=3.0


-FROM multiarch/qemu-user-static:x86_64-arm as qemu
-FROM alpine as qemu_extract
-COPY --from=qemu /usr/bin qemu-arm-static.tar.gz
-RUN tar -xzvf qemu-arm-static.tar.gz
-
 FROM mcr.microsoft.com/dotnet/core/sdk:${DOTNET_VERSION} as builder
 WORKDIR /repo
 COPY . .
@@ -21,8 +16,9 @@ RUN bash -c "source deployment/common.build.sh && \
    build_jellyfin Jellyfin.Server Release linux-arm /jellyfin"


+FROM multiarch/qemu-user-static:x86_64-arm as qemu
 FROM mcr.microsoft.com/dotnet/core/runtime:${DOTNET_VERSION}-stretch-slim-arm32v7
-COPY --from=qemu_extract qemu-arm-static /usr/bin
+COPY --from=qemu /usr/bin/qemu-arm-static /usr/bin
 RUN apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y ffmpeg \
 && rm -rf /var/lib/apt/lists/* \
@@ -30,7 +26,7 @@ RUN apt-get update \
 && chmod 777 /cache /config /media
 COPY --from=builder /jellyfin /jellyfin

-ARG JELLYFIN_WEB_VERSION=10.3.3
+ARG JELLYFIN_WEB_VERSION=10.3.5
 RUN curl -L https://github.com/jellyfin/jellyfin-web/archive/v${JELLYFIN_WEB_VERSION}.tar.gz | tar zxf - \
 && rm -rf /jellyfin/jellyfin-web \
 && mv jellyfin-web-${JELLYFIN_WEB_VERSION} /jellyfin/jellyfin-web
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -3,12 +3,6 @@
 ARG DOTNET_VERSION=3.0


-FROM multiarch/qemu-user-static:x86_64-aarch64 as qemu
-FROM alpine as qemu_extract
-COPY --from=qemu /usr/bin qemu-aarch64-static.tar.gz
-RUN tar -xzvf qemu-aarch64-static.tar.gz
-
-
 FROM mcr.microsoft.com/dotnet/core/sdk:${DOTNET_VERSION} as builder
 WORKDIR /repo
 COPY . .
@@ -22,8 +16,9 @@ RUN bash -c "source deployment/common.build.sh && \
    build_jellyfin Jellyfin.Server Release linux-arm64 /jellyfin"


+FROM multiarch/qemu-user-static:x86_64-aarch64 as qemu
 FROM mcr.microsoft.com/dotnet/core/runtime:${DOTNET_VERSION}-stretch-slim-arm64v8
-COPY --from=qemu_extract qemu-aarch64-static /usr/bin
+COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin
 RUN apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y ffmpeg \
 && rm -rf /var/lib/apt/lists/* \
@@ -31,7 +26,7 @@ RUN apt-get update \
 && chmod 777 /cache /config /media
 COPY --from=builder /jellyfin /jellyfin

-ARG JELLYFIN_WEB_VERSION=10.3.3
+ARG JELLYFIN_WEB_VERSION=10.3.5
 RUN curl -L https://github.com/jellyfin/jellyfin-web/archive/v${JELLYFIN_WEB_VERSION}.tar.gz | tar zxf - \
 && rm -rf /jellyfin/jellyfin-web \
 && mv jellyfin-web-${JELLYFIN_WEB_VERSION} /jellyfin/jellyfin-web
--- a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
+++ b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
@@ -165,6 +165,34 @@ namespace Emby.Server.Implementations.Library
            return user.Password;
        }

+        public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
+        {
+            ConvertPasswordFormat(user);
+
+            if (newPassword != null)
+            {
+                newPasswordHash = string.Format("$SHA1${0}", GetHashedString(user, newPassword));
+            }
+
+            if (string.IsNullOrWhiteSpace(newPasswordHash))
+            {
+                throw new ArgumentNullException(nameof(newPasswordHash));
+            }
+
+            user.EasyPassword = newPasswordHash;
+        }
+
+        public string GetEasyPasswordHash(User user)
+        {
+            // This should be removed in the future. This was added to let user login after
+            // Jellyfin 10.3.3 failed to save a well formatted PIN.
+            ConvertPasswordFormat(user);
+
+            return string.IsNullOrEmpty(user.EasyPassword)
+                ? null
+                : (new PasswordHash(user.EasyPassword)).Hash;
+        }
+
        public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
        {
            passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
--- a/Emby.Server.Implementations/Library/InvalidAuthProvider.cs
+++ b/Emby.Server.Implementations/Library/InvalidAuthProvider.cs
@@ -0,0 +1,47 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading.Tasks;
+using MediaBrowser.Controller.Authentication;
+using MediaBrowser.Controller.Entities;
+using MediaBrowser.Controller.Net;
+
+namespace Emby.Server.Implementations.Library
+{
+    public class InvalidAuthProvider : IAuthenticationProvider
+    {
+        public string Name => "InvalidOrMissingAuthenticationProvider";
+
+        public bool IsEnabled => true;
+
+        public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
+        {
+            throw new SecurityException("User Account cannot login with this provider. The Normal provider for this user cannot be found");
+        }
+
+        public Task<bool> HasPassword(User user)
+        {
+            return Task.FromResult(true);
+        }
+
+        public Task ChangePassword(User user, string newPassword)
+        {
+            return Task.CompletedTask;
+        }
+
+        public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
+        {
+            // Nothing here   
+        }
+
+        public string GetPasswordHash(User user)
+        {
+            return string.Empty;
+        }
+
+        public string GetEasyPasswordHash(User user)
+        {
+            return string.Empty;
+        }
+    }
+}
--- a/Emby.Server.Implementations/Library/UserManager.cs
+++ b/Emby.Server.Implementations/Library/UserManager.cs
@@ -79,6 +79,8 @@ namespace Emby.Server.Implementations.Library
        private IAuthenticationProvider[] _authenticationProviders;
        private DefaultAuthenticationProvider _defaultAuthenticationProvider;

+        private InvalidAuthProvider _invalidAuthProvider;
+
        private IPasswordResetProvider[] _passwordResetProviders;
        private DefaultPasswordResetProvider _defaultPasswordResetProvider;

@@ -141,6 +143,8 @@ namespace Emby.Server.Implementations.Library

            _defaultAuthenticationProvider = _authenticationProviders.OfType<DefaultAuthenticationProvider>().First();

+            _invalidAuthProvider = _authenticationProviders.OfType<InvalidAuthProvider>().First();
+
            _passwordResetProviders = passwordResetProviders.ToArray();

            _defaultPasswordResetProvider = passwordResetProviders.OfType<DefaultPasswordResetProvider>().First();
@@ -307,8 +311,7 @@ namespace Emby.Server.Implementations.Library
                    user = Users
                        .FirstOrDefault(i => string.Equals(username, i.Name, StringComparison.OrdinalIgnoreCase));

-                    var hasNewUserPolicy = authenticationProvider as IHasNewUserPolicy;
-                    if (hasNewUserPolicy != null)
+                    if (authenticationProvider is IHasNewUserPolicy hasNewUserPolicy)
                    {
                        var policy = hasNewUserPolicy.GetNewUserPolicy();
                        UpdateUserPolicy(user, policy, true);
@@ -400,7 +403,9 @@ namespace Emby.Server.Implementations.Library

            if (providers.Length == 0)
            {
-                providers = new IAuthenticationProvider[] { _defaultAuthenticationProvider };
+                // Assign the user to the InvalidAuthProvider since no configured auth provider was valid/found
+                _logger.LogWarning("User {UserName} was found with invalid/missing Authentication Provider {AuthenticationProviderId}. Assigning user to InvalidAuthProvider until this is corrected", user.Name, user.Policy.AuthenticationProviderId);
+                providers = new IAuthenticationProvider[] { _invalidAuthProvider };
            }

            return providers;
@@ -471,7 +476,7 @@ namespace Emby.Server.Implementations.Library
            if (password == null)
            {
                // legacy
-                success = string.Equals(_defaultAuthenticationProvider.GetPasswordHash(user), hashedPassword.Replace("-", string.Empty), StringComparison.OrdinalIgnoreCase);
+                success = string.Equals(GetAuthenticationProvider(user).GetPasswordHash(user), hashedPassword.Replace("-", string.Empty), StringComparison.OrdinalIgnoreCase);
            }
            else
            {
@@ -497,11 +502,11 @@ namespace Emby.Server.Implementations.Library
                    if (password == null)
                    {
                        // legacy
-                        success = string.Equals(GetLocalPasswordHash(user), hashedPassword.Replace("-", string.Empty), StringComparison.OrdinalIgnoreCase);
+                        success = string.Equals(GetAuthenticationProvider(user).GetEasyPasswordHash(user), hashedPassword.Replace("-", string.Empty), StringComparison.OrdinalIgnoreCase);
                    }
                    else
                    {
-                        success = string.Equals(GetLocalPasswordHash(user), _defaultAuthenticationProvider.GetHashedString(user, password), StringComparison.OrdinalIgnoreCase);
+                        success = string.Equals(GetAuthenticationProvider(user).GetEasyPasswordHash(user), _defaultAuthenticationProvider.GetHashedString(user, password), StringComparison.OrdinalIgnoreCase);
                    }
                }
            }
@@ -546,13 +551,6 @@ namespace Emby.Server.Implementations.Library
            }
        }

-        private string GetLocalPasswordHash(User user)
-        {
-            return string.IsNullOrEmpty(user.EasyPassword)
-                ? null
-                : (new PasswordHash(user.EasyPassword)).Hash;
-        }
-
        /// <summary>
        /// Loads the users from the repository
        /// </summary>
@@ -596,7 +594,7 @@ namespace Emby.Server.Implementations.Library
            }

            bool hasConfiguredPassword = GetAuthenticationProvider(user).HasPassword(user).Result;
-            bool hasConfiguredEasyPassword = !string.IsNullOrEmpty(GetLocalPasswordHash(user));
+            bool hasConfiguredEasyPassword = !string.IsNullOrEmpty(GetAuthenticationProvider(user).GetEasyPasswordHash(user));

            bool hasPassword = user.Configuration.EnableLocalPassword && !string.IsNullOrEmpty(remoteEndPoint) && _networkManager.IsInLocalNetwork(remoteEndPoint) ?
                hasConfiguredEasyPassword :
@@ -884,17 +882,7 @@ namespace Emby.Server.Implementations.Library
                throw new ArgumentNullException(nameof(user));
            }

-            if (newPassword != null)
-            {
-                newPasswordHash = _defaultAuthenticationProvider.GetHashedString(user, newPassword);
-            }
-
-            if (string.IsNullOrWhiteSpace(newPasswordHash))
-            {
-                throw new ArgumentNullException(nameof(newPasswordHash));
-            }
-
-            user.EasyPassword = newPasswordHash;
+            GetAuthenticationProvider(user).ChangeEasyPassword(user, newPassword, newPasswordHash);

            UpdateUser(user);

--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -224,7 +224,7 @@ namespace MediaBrowser.Api.UserLibrary
                request.IncludeItemTypes = "Playlist";
            }

-            if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
+            if (!(item is UserRootFolder) && !user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
            {
                Logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Name, item.Name);
                return new QueryResult<BaseItem>
--- a/MediaBrowser.Controller/Authentication/IAuthenticationProvider.cs
+++ b/MediaBrowser.Controller/Authentication/IAuthenticationProvider.cs
@@ -11,6 +11,9 @@ namespace MediaBrowser.Controller.Authentication
        Task<ProviderAuthenticationResult> Authenticate(string username, string password);
        Task<bool> HasPassword(User user);
        Task ChangePassword(User user, string newPassword);
+        void ChangeEasyPassword(User user, string newPassword, string newPasswordHash);
+        string GetPasswordHash(User user);
+        string GetEasyPasswordHash(User user);
    }

    public interface IRequiresResolvedUser
--- a/MediaBrowser.Providers/TV/TheTVDB/TvDbClientManager.cs
+++ b/MediaBrowser.Providers/TV/TheTVDB/TvDbClientManager.cs
@@ -33,7 +33,7 @@ namespace MediaBrowser.Providers.TV.TheTVDB
            get
            {
                // Refresh if necessary
-                if (_tokenCreatedAt > DateTime.Now.Subtract(TimeSpan.FromHours(20)))
+                if (_tokenCreatedAt < DateTime.Now.Subtract(TimeSpan.FromHours(20)))
                {
                    try
                    {
--- a/MediaBrowser.WebDashboard/jellyfin-web
+++ b/MediaBrowser.WebDashboard/jellyfin-web
--- a/SharedVersion.cs
+++ b/SharedVersion.cs
@@ -1,4 +1,4 @@
 using System.Reflection;

-[assembly: AssemblyVersion("10.3.3")]
-[assembly: AssemblyFileVersion("10.3.3")]
+[assembly: AssemblyVersion("10.3.5")]
+[assembly: AssemblyFileVersion("10.3.5")]
--- a/build.yaml
+++ b/build.yaml
@@ -1,7 +1,7 @@
 ---
 # We just wrap `build` so this is really it
 name: "jellyfin"
-version: "10.3.3"
+version: "10.3.5"
 packages:
  - debian-package-x64
  - debian-package-armhf
--- a/deployment/debian-package-x64/pkg-src/changelog
+++ b/deployment/debian-package-x64/pkg-src/changelog
@@ -1,3 +1,15 @@
+jellyfin (10.3.5-1) unstable; urgency=medium
+
+  * New upstream version 10.3.5; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.3.5
+
+ -- Jellyfin Packaging Team <packaging@jellyfin.org>  Sun, 09 Jun 2019 21:47:35 -0400
+
+jellyfin (10.3.4-1) unstable; urgency=medium
+
+  * New upstream version 10.3.4; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.3.4
+
+ -- Jellyfin Packaging Team <packaging@jellyfin.org>  Thu, 06 Jun 2019 22:45:31 -0400
+
 jellyfin (10.3.3-1) unstable; urgency=medium

  * New upstream version 10.3.3; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.3.3
--- a/deployment/fedora-package-x64/pkg-src/jellyfin.spec
+++ b/deployment/fedora-package-x64/pkg-src/jellyfin.spec
@@ -7,7 +7,7 @@
 %endif

 Name:           jellyfin
-Version:        10.3.3
+Version:        10.3.5
 Release:        1%{?dist}
 Summary:        The Free Software Media Browser
 License:        GPLv2
@@ -140,6 +140,10 @@ fi
 %systemd_postun_with_restart jellyfin.service

 %changelog
+* Sun Jun 09 2019 Jellyfin Packaging Team <packaging@jellyfin.org>
+- New upstream version 10.3.5; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.3.5
+* Thu Jun 06 2019 Jellyfin Packaging Team <packaging@jellyfin.org>
+- New upstream version 10.3.4; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.3.4
 * Fri May 17 2019 Jellyfin Packaging Team <packaging@jellyfin.org>
 - New upstream version 10.3.3; release changelog at https://github.com/jellyfin/jellyfin/releases/tag/v10.3.3
 * Tue Apr 30 2019 Jellyfin Packaging Team <packaging@jellyfin.org>
Author	SHA1	Message	Date
Joshua M. Boniface	d5fe82314e	Bump version for 10.3.5	2019-06-09 21:47:45 -04:00
Joshua M. Boniface	06834fefef	Merge pull request #1447 from joshuaboniface/implement-invalidauth Implement InvalidAuthProvider	2019-06-09 15:36:25 -04:00
Joshua M. Boniface	2946ae1009	Revert "Don't set a default reset provider" This reverts commit `c230d49d7c`. This reenables an edge case where an admin might want to reset, with the default auth provider, the password of an externally-provided user so they could "unlock" the account while it was failing. There might be minor security implications to this, but the malicious actor would need FS access to do it (as they would with any password resets) so it's probably best to keep it as-is. Removing this in the first place was due to a misunderstanding anyways so no harm.	2019-06-09 15:29:43 -04:00
Joshua M. Boniface	4b8f735cb8	Remove superfluous conditional This wasn't needed to prevent updating the policy on-disk from my tests and can be removed as suggested by @Bond-009	2019-06-09 13:57:49 -04:00
Joshua M. Boniface	c230d49d7c	Don't set a default reset provider	2019-06-09 13:46:53 -04:00
Joshua M. Boniface	20e2cb2d86	Use SecurityException for auth failure	2019-06-09 13:45:51 -04:00
Joshua M. Boniface	b70083f3b3	Apply suggestions from code review Co-Authored-By: Claus Vium <cvium@users.noreply.github.com> Co-Authored-By: Bond-009 <bond.009@outlook.com>	2019-06-09 13:41:14 -04:00
Joshua M. Boniface	74ef389879	Add nicer log message and comment	2019-06-09 11:07:35 -04:00
Joshua M. Boniface	d78a55adb4	Implement InvalidAuthProvider Implements the InvalidAuthProvider, which acts as a fallback if a configured authentication provider, e.g. LDAP, is unavailable due to a load failure or removal. Until the user or the authentication plugin is corrected, this will cause users with the missing provider to be locked out, while throwing errors in the logs about the issue. Fixes #1445 part 2	2019-06-08 22:54:31 -04:00
Andrew Rabert	6f99ed3955	Merge pull request #1443 from jellyfin/qemu Docker - Update arm* Dockerfiles for latest multiarch	2019-06-07 18:41:35 -04:00
Andrew Rabert	247a5e12ab	Docker - Update arm* Dockerfiles for latest multiarch Relates to this change `7bdafb96ee`	2019-06-07 00:00:14 -04:00
Joshua M. Boniface	855911333a	Bump version for 10.3.4	2019-06-06 22:45:37 -04:00
Anthony Lavado	127bfc7d3b	Merge pull request #1437 from pjeanjean/master Fix issue #1436: media folders appear empty unless user has all libraries access	2019-06-06 17:21:20 -04:00
pjeanjean	7919dd81da	Skip user permission checking for UserRootFolder Fix #1436 UserRootFolders are used to represent virtual folders that exist outside of libraries. As such, it doesn't make sense to check if a user has the right to access their library (named `Media Folders`).	2019-06-06 08:30:56 +02:00
Anthony Lavado	e1da046960	Merge pull request #1426 from jellyfin/cvium-fix-tvdb-refresh Fix inverted comparison in the tvdb token refresh logic	2019-05-31 21:27:33 -04:00
Claus Vium	a756026962	Fix inverted comparison in the tvdb token refresh logic	2019-05-31 07:24:52 +02:00
Anthony Lavado	75260a960b	Merge pull request #1406 from DrPandemic/fix-pin-update Format the PIN when updating it	2019-05-31 00:58:53 -04:00
DrPandemic	69ee49bee6	Format correctly the PIN when updating it	2019-05-25 13:46:55 -04:00