Commit Graph

111 Commits

Author SHA1 Message Date
Bond-009
62da4d0e5c
Merge pull request #2492 from Polpetta/fix-api-private-data-leak
Fix emby/user/public API leaking sensitive data
2020-05-07 14:52:10 +02:00
Davide Polonio
57cf19f058 Fix variable declaration and follow sonarcloud suggestions 2020-05-06 17:25:41 +02:00
Davide Polonio
472efeeec4
Remove extra line in UserManager
Co-authored-by: Bond-009 <bond.009@outlook.com>
2020-05-02 13:09:57 +02:00
dkanada
97d7ffc458
Merge pull request #2861 from mark-monteiro/fix-auth-response-codes
Fix Auth Response Codes
2020-04-23 14:10:22 +09:00
Bond-009
07326c1d9b
Merge branch 'master' into fix-auth-response-codes 2020-04-22 13:16:08 +02:00
Mark Monteiro
f815059698 Merge remote-tracking branch 'upstream/master' into register-services-correctly 2020-04-20 20:11:33 -04:00
Mark Monteiro
53380689ad Return correct status codes for authentication and authorization errors
- Use AuthenticationException to return 401
- Use SecurityException to return 403
- Update existing throws to throw the correct exception for the circumstance
2020-04-13 13:17:46 -04:00
dafo90
dd128b5e30 Log message for each exception during login 2020-04-08 17:02:32 +02:00
dafo90
62b0db59aa Fix Authentication request log 2020-04-06 22:23:53 +02:00
Mark Monteiro
4daa5436fc Register and construct IUserManager and IUserRepository correctly 2020-04-04 19:31:14 -04:00
Didier Dafond
2fb9e36493
Authentication request log with IP 2020-04-02 22:02:14 +02:00
Bond_009
e9d1eabd53 Remove unused usings 2020-03-24 16:12:06 +01:00
Davide Polonio
5d760b7ee8 Fix emby/user/public API leaking private data
This commit fixes the emby/user/public API that was returning more data
than necessary. Now only the following information is returned:
- the account name
- the primary image tag
- the field hasPassword
- the field hasConfiguredPassword, useful for the first wizard only
(see
https://github.com/jellyfin/jellyfin/issues/880#issuecomment-465370051)
- the primary image aspect ratio

A new DTO class, PrivateUserDTO has been created, and the route has been
modified in order to return that data object.
2020-03-01 21:46:01 +01:00
Bond_009
07cc4be6a7 Fix some warnings
* Add analyzers to MediaBrowser.XbmcMetadata
* Enable TreatWarningsAsErrors for MediaBrowser.XbmcMetadata
* Add analyzers to MediaBrowser.WebDashboard
* Enable TreatWarningsAsErrors for MediaBrowser.WebDashboard
* Disable SA1600 in favor of CS1591
2020-02-23 12:11:43 +01:00
dkanada
fe325a6e73
Merge pull request #2359 from Bond-009/username
Allow changing capitalization of usernames
2020-02-03 17:14:50 +09:00
dkanada
692a9bfdd0
update some comments
Co-Authored-By: Bond-009 <bond.009@outlook.com>
2020-02-01 23:36:40 +09:00
dkanada
afe9ed977b improve scan progress and fix a few bugs 2020-02-01 22:44:27 +09:00
Bond_009
acc1846e3e Allow changing capitalization of usernames 2020-01-31 22:56:24 +01:00
Bond_009
bb236b9591 Merge branch 'master' into warn12 2020-01-10 21:18:16 +01:00
dkanada
aac0a1ed26
Merge pull request #2206 from Bond-009/userconfig
Delete user config dir on user deletion
2020-01-04 22:55:42 +09:00
Bond_009
ab57b504fe Delete user config dir on user deletion 2019-12-29 19:32:12 +01:00
Bond_009
5a8e972952 Enable TreatWarningsAsErrors for some projects
Analyzers are only run in debug build, so setting TreatWarningsAsErrors
for release build will catch the compiler warnings until we resolve all
analyzer warnings.
2019-12-13 20:11:37 +01:00
Bond_009
2ef4ffd698 More warnings (removed) 2019-12-11 00:13:57 +01:00
dkanada
67922dff50
Merge pull request #2041 from Bond-009/warn11
Fix more warnings
2019-12-11 01:14:55 +09:00
Bond-009
affb58ef9e
Apply suggestions from code review
Co-Authored-By: dkanada <dkanada@users.noreply.github.com>
2019-12-10 16:22:03 +01:00
Bond_009
42ffddc269 Fix more warnings 2019-11-27 16:29:56 +01:00
Bond_009
3221e837f9 * Add support for multi segment base urls
* Make baseurl case-insensitive
2019-11-25 11:55:24 +01:00
dkanada
51cdc6ea16
Merge pull request #1926 from Bond-009/auth
Add clearer exceptions, warnings and docs
2019-11-23 01:14:32 +09:00
Bond-009
413ae86dbc Fix easy password 2019-11-21 17:32:29 +01:00
Bond_009
a245f5a0d4 Rewrite hex encoder/decoder 2019-11-01 17:52:29 +01:00
Bond_009
d9a03c9bb1 Fix more warnings 2019-10-29 17:55:16 +01:00
Bond_009
fef35d0505 Add clearer exceptions, warnings and docs 2019-10-20 21:12:03 +02:00
Bond_009
c9820d30ed Fix multiple mistakes and warnings 2019-09-23 20:32:44 +02:00
Bond-009
6f17a0b7af Remove legacy auth code (#1677)
* Remove legacy auth code

* Adds tests so we don't break PasswordHash (again)
* Clean up interfaces
* Remove duplicate code

* Use auto properties

* static using

* Don't use 'this'

* Fix build
2019-09-17 12:07:15 -04:00
Bond-009
221b831bb2 Reset invalid login counter on successful login 2019-09-13 17:18:45 +02:00
Bond_009
24fac4b191 Fix UserNotFoundError 2019-08-18 20:12:25 +02:00
Bond_009
8d3b5c851d Improvements to UserManager 2019-08-16 21:06:11 +02:00
Bond_009
0f897589ed Streamline authentication process 2019-07-06 14:52:24 +02:00
Bond_009
d961278b3d Reduce amount of raw sql 2019-06-28 12:14:27 +02:00
Joshua M. Boniface
2946ae1009 Revert "Don't set a default reset provider"
This reverts commit c230d49d7c.

This reenables an edge case where an admin might want to reset, with
the default auth provider, the password of an externally-provided
user so they could "unlock" the account while it was failing. There
might be minor security implications to this, but the malicious
actor would need FS access to do it (as they would with any password
resets) so it's probably best to keep it as-is.

Removing this in the first place was due to a misunderstanding
anyways so no harm.
2019-06-09 15:29:43 -04:00
Joshua M. Boniface
4b8f735cb8 Remove superfluous conditional
This wasn't needed to prevent updating the policy on-disk from my
tests and can be removed as suggested by @Bond-009
2019-06-09 13:57:49 -04:00
Joshua M. Boniface
c230d49d7c Don't set a default reset provider 2019-06-09 13:46:53 -04:00
Joshua M. Boniface
b70083f3b3
Apply suggestions from code review
Co-Authored-By: Claus Vium <cvium@users.noreply.github.com>
Co-Authored-By: Bond-009 <bond.009@outlook.com>
2019-06-09 13:41:14 -04:00
Joshua M. Boniface
74ef389879 Add nicer log message and comment 2019-06-09 11:07:35 -04:00
Joshua M. Boniface
d78a55adb4 Implement InvalidAuthProvider
Implements the InvalidAuthProvider, which acts as a fallback if a
configured authentication provider, e.g. LDAP, is unavailable due
to a load failure or removal. Until the user or the authentication
plugin is corrected, this will cause users with the missing provider
to be locked out, while throwing errors in the logs about the issue.

Fixes #1445 part 2
2019-06-08 22:54:31 -04:00
DrPandemic
69ee49bee6 Correctly format the PIN when updating it 2019-05-25 13:46:55 -04:00
DrPandemic
c22068d6b1
Fix pin bug introduced in 10.3.z.
The issue is that the new easyPassword format prepends the hash
function. This PR extracts the hash from "$SHA1$_hash_".
2019-05-11 19:53:34 -04:00
bugfixin
1df73fdeba Fix incorrect hasPassword flag when easy pin set 2019-04-30 19:16:53 +00:00
Joshua Boniface
1af9c047fb Override username with AuthenticationProvider
Pass back the Username directive returned by an AuthenticationProvider
to the calling code, so we may override the user-provided Username
value if the authentication provider passes this back. Useful for
instance in an LDAP scenario where what the user types may not
necessarily be the "username" that is mapped in the system, e.g.
the user providing 'mail' while 'uid' is the "username" value.
Could also then be extensible to other authentication providers
as well, should they wish to do a similar thing.
2019-04-07 19:51:45 -04:00
LogicalPhallacy
740c95d557
Apply minor suggestions from code review
Co-Authored-By: LogicalPhallacy <44458166+LogicalPhallacy@users.noreply.github.com>
2019-03-25 21:40:10 -07:00