Merge pull request #8734 from nielsvanvelzen/qc-revoke

2022-12-07 18:14:16 +01:00 · 2022-12-07 18:14:16 +01:00 · 8258d884f3
commit 8258d884f3
parent 08a43d8039 722ad3fe97
1 changed files with 20 additions and 6 deletions
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@ -1,3 +1,4 @@
+using System;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
@ -51,7 +52,7 @@ namespace Jellyfin.Api.Controllers
        /// <response code="200">Quick connect request successfully created.</response>
        /// <response code="401">Quick connect is not active on this server.</response>
        /// <returns>A <see cref="QuickConnectResult"/> with a secret and code for future use or an error message.</returns>
-        [HttpGet("Initiate")]
+        [HttpPost("Initiate")]
        [ProducesResponseType(StatusCodes.Status200OK)]
        public async Task<ActionResult<QuickConnectResult>> InitiateQuickConnect()
        {
@ -66,6 +67,16 @@ namespace Jellyfin.Api.Controllers
            }
        }

+        /// <summary>
+        /// Old version of <see cref="InitiateQuickConnect" /> using a GET method.
+        /// Still available to avoid breaking compatibility.
+        /// </summary>
+        /// <returns>The result of <see cref="InitiateQuickConnect" />.</returns>
+        [Obsolete("Use POST request instead")]
+        [HttpGet("Initiate")]
+        [ApiExplorerSettings(IgnoreApi = true)]
+        public Task<ActionResult<QuickConnectResult>> InitiateQuickConnectLegacy() => InitiateQuickConnect();
+
        /// <summary>
        /// Attempts to retrieve authentication information.
        /// </summary>
@ -96,6 +107,7 @@ namespace Jellyfin.Api.Controllers
        /// Authorizes a pending quick connect request.
        /// </summary>
        /// <param name="code">Quick connect code to authorize.</param>
+        /// <param name="userId">The user the authorize. Access to the requested user is required.</param>
        /// <response code="200">Quick connect result authorized successfully.</response>
        /// <response code="403">Unknown user id.</response>
        /// <returns>Boolean indicating if the authorization was successful.</returns>
@ -103,17 +115,19 @@ namespace Jellyfin.Api.Controllers
        [Authorize(Policy = Policies.DefaultAuthorization)]
        [ProducesResponseType(StatusCodes.Status200OK)]
        [ProducesResponseType(StatusCodes.Status403Forbidden)]
-        public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code)
+        public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
        {
-            var userId = User.GetUserId();
-            if (userId.Equals(default))
+            var currentUserId = User.GetUserId();
+            var actualUserId = userId ?? currentUserId;
+
+            if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
            {
-                return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");
+                return Forbid("Unknown user id");
            }

            try
            {
-                return await _quickConnect.AuthorizeRequest(userId, code).ConfigureAwait(false);
+                return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
            }
            catch (AuthenticationException)
            {