jellyfin/Jellyfin.Server.Implementat.../Security/AuthorizationContext.cs

#pragma warning disable CS1591

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

namespace Jellyfin.Server.Implementations.Security
{
    public class AuthorizationContext : IAuthorizationContext
    {
        private readonly JellyfinDb _jellyfinDb;
        private readonly IUserManager _userManager;

        public AuthorizationContext(JellyfinDb jellyfinDb, IUserManager userManager)
        {
            _jellyfinDb = jellyfinDb;
            _userManager = userManager;
        }

        public Task<AuthorizationInfo> GetAuthorizationInfo(HttpContext requestContext)
        {
            if (requestContext.Request.HttpContext.Items.TryGetValue("AuthorizationInfo", out var cached) && cached != null)
            {
                return Task.FromResult((AuthorizationInfo)cached);
            }

            return GetAuthorization(requestContext);
        }

        public async Task<AuthorizationInfo> GetAuthorizationInfo(HttpRequest requestContext)
        {
            var auth = GetAuthorizationDictionary(requestContext);
            var authInfo = await GetAuthorizationInfoFromDictionary(auth, requestContext.Headers, requestContext.Query).ConfigureAwait(false);
            return authInfo;
        }

        /// <summary>
        /// Gets the authorization.
        /// </summary>
        /// <param name="httpReq">The HTTP req.</param>
        /// <returns>Dictionary{System.StringSystem.String}.</returns>
        private async Task<AuthorizationInfo> GetAuthorization(HttpContext httpReq)
        {
            var auth = GetAuthorizationDictionary(httpReq);
            var authInfo = await GetAuthorizationInfoFromDictionary(auth, httpReq.Request.Headers, httpReq.Request.Query).ConfigureAwait(false);

            httpReq.Request.HttpContext.Items["AuthorizationInfo"] = authInfo;
            return authInfo;
        }

        private async Task<AuthorizationInfo> GetAuthorizationInfoFromDictionary(
            IReadOnlyDictionary<string, string>? auth,
            IHeaderDictionary headers,
            IQueryCollection queryString)
        {
            string? deviceId = null;
            string? deviceName = null;
            string? client = null;
            string? version = null;
            string? token = null;

            if (auth != null)
            {
                auth.TryGetValue("DeviceId", out deviceId);
                auth.TryGetValue("Device", out deviceName);
                auth.TryGetValue("Client", out client);
                auth.TryGetValue("Version", out version);
                auth.TryGetValue("Token", out token);
            }

#pragma warning disable CA1508
            // headers can return StringValues.Empty
            if (string.IsNullOrEmpty(token))
            {
                token = headers["X-Emby-Token"];
            }

            if (string.IsNullOrEmpty(token))
            {
                token = headers["X-MediaBrowser-Token"];
            }

            if (string.IsNullOrEmpty(token))
            {
                token = queryString["ApiKey"];
            }

            // TODO deprecate this query parameter.
            if (string.IsNullOrEmpty(token))
            {
                token = queryString["api_key"];
            }

            var authInfo = new AuthorizationInfo
            {
                Client = client,
                Device = deviceName,
                DeviceId = deviceId,
                Version = version,
                Token = token,
                IsAuthenticated = false,
                HasToken = false
            };

            if (string.IsNullOrWhiteSpace(token))
            {
                // Request doesn't contain a token.
                return authInfo;
            }
#pragma warning restore CA1508

            authInfo.HasToken = true;
            var device = await _jellyfinDb.Devices.FirstOrDefaultAsync(d => d.AccessToken == token).ConfigureAwait(false);

            if (device != null)
            {
                authInfo.IsAuthenticated = true;
            }

            if (device != null)
            {
                var updateToken = false;

                // TODO: Remove these checks for IsNullOrWhiteSpace
                if (string.IsNullOrWhiteSpace(authInfo.Client))
                {
                    authInfo.Client = device.AppName;
                }

                if (string.IsNullOrWhiteSpace(authInfo.DeviceId))
                {
                    authInfo.DeviceId = device.DeviceId;
                }

                // Temporary. TODO - allow clients to specify that the token has been shared with a casting device
                var allowTokenInfoUpdate = !authInfo.Client.Contains("chromecast", StringComparison.OrdinalIgnoreCase);

                if (string.IsNullOrWhiteSpace(authInfo.Device))
                {
                    authInfo.Device = device.DeviceName;
                }
                else if (!string.Equals(authInfo.Device, device.DeviceName, StringComparison.OrdinalIgnoreCase))
                {
                    if (allowTokenInfoUpdate)
                    {
                        updateToken = true;
                        device.DeviceName = authInfo.Device;
                    }
                }

                if (string.IsNullOrWhiteSpace(authInfo.Version))
                {
                    authInfo.Version = device.AppVersion;
                }
                else if (!string.Equals(authInfo.Version, device.AppVersion, StringComparison.OrdinalIgnoreCase))
                {
                    if (allowTokenInfoUpdate)
                    {
                        updateToken = true;
                        device.AppVersion = authInfo.Version;
                    }
                }

                if ((DateTime.UtcNow - device.DateLastActivity).TotalMinutes > 3)
                {
                    device.DateLastActivity = DateTime.UtcNow;
                    updateToken = true;
                }

                if (!device.UserId.Equals(Guid.Empty))
                {
                    authInfo.User = _userManager.GetUserById(device.UserId);
                    authInfo.IsApiKey = false;
                }
                else
                {
                    authInfo.IsApiKey = true;
                }

                if (updateToken)
                {
                    _jellyfinDb.Devices.Update(device);
                    await _jellyfinDb.SaveChangesAsync().ConfigureAwait(false);
                }
            }

            return authInfo;
        }

        /// <summary>
        /// Gets the auth.
        /// </summary>
        /// <param name="httpReq">The HTTP req.</param>
        /// <returns>Dictionary{System.StringSystem.String}.</returns>
        private Dictionary<string, string>? GetAuthorizationDictionary(HttpContext httpReq)
        {
            var auth = httpReq.Request.Headers["X-Emby-Authorization"];

            if (string.IsNullOrEmpty(auth))
            {
                auth = httpReq.Request.Headers[HeaderNames.Authorization];
            }

            return GetAuthorization(auth);
        }

        /// <summary>
        /// Gets the auth.
        /// </summary>
        /// <param name="httpReq">The HTTP req.</param>
        /// <returns>Dictionary{System.StringSystem.String}.</returns>
        private Dictionary<string, string>? GetAuthorizationDictionary(HttpRequest httpReq)
        {
            var auth = httpReq.Headers["X-Emby-Authorization"];

            if (string.IsNullOrEmpty(auth))
            {
                auth = httpReq.Headers[HeaderNames.Authorization];
            }

            return GetAuthorization(auth);
        }

        /// <summary>
        /// Gets the authorization.
        /// </summary>
        /// <param name="authorizationHeader">The authorization header.</param>
        /// <returns>Dictionary{System.StringSystem.String}.</returns>
        private Dictionary<string, string>? GetAuthorization(string? authorizationHeader)
        {
            if (authorizationHeader == null)
            {
                return null;
            }

            var parts = authorizationHeader.Split(' ', 2);

            // There should be at least to parts
            if (parts.Length != 2)
            {
                return null;
            }

            var acceptedNames = new[] { "MediaBrowser", "Emby" };

            // It has to be a digest request
            if (!acceptedNames.Contains(parts[0], StringComparer.OrdinalIgnoreCase))
            {
                return null;
            }

            // Remove uptil the first space
            authorizationHeader = parts[1];
            parts = authorizationHeader.Split(',');

            var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

            foreach (var item in parts)
            {
                var param = item.Trim().Split('=', 2);

                if (param.Length == 2)
                {
                    var value = NormalizeValue(param[1].Trim('"'));
                    result[param[0]] = value;
                }
            }

            return result;
        }

        private static string NormalizeValue(string value)
        {
            return string.IsNullOrEmpty(value) ? value : WebUtility.HtmlEncode(value);
        }
    }
}
Fix more warnings 5 years ago			`#pragma warning disable CS1591`

revise endpoint attributes 10 years ago			`using System;`
			`using System.Collections.Generic;`
3.2.30.3 7 years ago			`using System.Linq;`
Fix warnings, improve performance (#1665) * Fix warnings, improve performance `QueryResult.Items` is now a `IReadOnlyList` so we don't need to allocate a new `Array` when we have a `List` (and `Items` shouldn't need to be mutable anyway) * Update Providers .csproj to latest C# * Remove extra newline from DtoService.cs * Remove extra newline from UserLibraryService.cs 5 years ago			`using System.Net;`
Migrate authentication db to EF Core 4 years ago			`using System.Threading.Tasks;`
Update to 3.5.2 and .net core 2.1 6 years ago			`using MediaBrowser.Controller.Library;`
Visual Studio Reformat: Emby.Server.Implementations Part De-H 6 years ago			`using MediaBrowser.Controller.Net;`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`using Microsoft.AspNetCore.Http;`
Switch to HeaderNames instead of hardcoded strings (and other header related fixes) 6 years ago			`using Microsoft.Net.Http.Headers;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
Migrate authentication db to EF Core 4 years ago			`namespace Jellyfin.Server.Implementations.Security`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`{`
			`public class AuthorizationContext : IAuthorizationContext`
			`{`
Migrate authentication db to EF Core 4 years ago			`private readonly JellyfinDb _jellyfinDb;`
Update to 3.5.2 and .net core 2.1 6 years ago			`private readonly IUserManager _userManager;`
revise endpoint attributes 10 years ago
Migrate authentication db to EF Core 4 years ago			`public AuthorizationContext(JellyfinDb jellyfinDb, IUserManager userManager)`
revise endpoint attributes 10 years ago			`{`
Migrate authentication db to EF Core 4 years ago			`_jellyfinDb = jellyfinDb;`
Update to 3.5.2 and .net core 2.1 6 years ago			`_userManager = userManager;`
revise endpoint attributes 10 years ago			`}`

Migrate authentication db to EF Core 4 years ago			`public Task<AuthorizationInfo> GetAuthorizationInfo(HttpContext requestContext)`
revise endpoint attributes 10 years ago			`{`
Migrate authentication db to EF Core 4 years ago			`if (requestContext.Request.HttpContext.Items.TryGetValue("AuthorizationInfo", out var cached) && cached != null)`
revise endpoint attributes 10 years ago			`{`
Migrate authentication db to EF Core 4 years ago			`return Task.FromResult((AuthorizationInfo)cached);`
revise endpoint attributes 10 years ago			`}`

fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`return GetAuthorization(requestContext);`
			`}`

Migrate authentication db to EF Core 4 years ago			`public async Task<AuthorizationInfo> GetAuthorizationInfo(HttpRequest requestContext)`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`{`
			`var auth = GetAuthorizationDictionary(requestContext);`
Migrate authentication db to EF Core 4 years ago			`var authInfo = await GetAuthorizationInfoFromDictionary(auth, requestContext.Headers, requestContext.Query).ConfigureAwait(false);`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`return authInfo;`
			`}`

fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`/// <summary>`
			`/// Gets the authorization.`
			`/// </summary>`
			`/// <param name="httpReq">The HTTP req.</param>`
			`/// <returns>Dictionary{System.StringSystem.String}.</returns>`
Migrate authentication db to EF Core 4 years ago			`private async Task<AuthorizationInfo> GetAuthorization(HttpContext httpReq)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`{`
			`var auth = GetAuthorizationDictionary(httpReq);`
Migrate authentication db to EF Core 4 years ago			`var authInfo = await GetAuthorizationInfoFromDictionary(auth, httpReq.Request.Headers, httpReq.Request.Query).ConfigureAwait(false);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
Remove ServiceStack and related stuff 4 years ago			`httpReq.Request.HttpContext.Items["AuthorizationInfo"] = authInfo;`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`return authInfo;`
			`}`

Migrate authentication db to EF Core 4 years ago			`private async Task<AuthorizationInfo> GetAuthorizationInfoFromDictionary(`
			`IReadOnlyDictionary<string, string>? auth,`
			`IHeaderDictionary headers,`
			`IQueryCollection queryString)`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`{`
Migrate authentication db to EF Core 4 years ago			`string? deviceId = null;`
			`string? deviceName = null;`
			`string? client = null;`
			`string? version = null;`
			`string? token = null;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
			`if (auth != null)`
			`{`
			`auth.TryGetValue("DeviceId", out deviceId);`
Migrate authentication db to EF Core 4 years ago			`auth.TryGetValue("Device", out deviceName);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`auth.TryGetValue("Client", out client);`
			`auth.TryGetValue("Version", out version);`
update components 8 years ago			`auth.TryGetValue("Token", out token);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`}`

Migrate authentication db to EF Core 4 years ago			`#pragma warning disable CA1508`
			`// headers can return StringValues.Empty`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`if (string.IsNullOrEmpty(token))`
			`{`
			`token = headers["X-Emby-Token"];`
update components 8 years ago			`}`
fixes #762 - Marking unwatched doesn't update display 10 years ago
Update to 3.5.2 and .net core 2.1 6 years ago			`if (string.IsNullOrEmpty(token))`
update logging levels 9 years ago			`{`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`token = headers["X-MediaBrowser-Token"];`
update logging levels 9 years ago			`}`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago
Update to 3.5.2 and .net core 2.1 6 years ago			`if (string.IsNullOrEmpty(token))`
fixes #762 - Marking unwatched doesn't update display 10 years ago			`{`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`token = queryString["ApiKey"];`
fixes #762 - Marking unwatched doesn't update display 10 years ago			`}`

Update Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs Co-authored-by: Patrick Barron <18354464+barronpm@users.noreply.github.com> 4 years ago			`// TODO deprecate this query parameter.`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`if (string.IsNullOrEmpty(token))`
			`{`
			`token = queryString["api_key"];`
			`}`

			`var authInfo = new AuthorizationInfo`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`{`
			`Client = client,`
Migrate authentication db to EF Core 4 years ago			`Device = deviceName,`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`DeviceId = deviceId,`
update to jquery mobile 1.4.3 10 years ago			`Version = version,`
Remove OriginalAuthenticationInfo and add IsAuthenticated property 4 years ago			`Token = token,`
Return NoResult only when request doesn't have a token. 4 years ago			`IsAuthenticated = false,`
			`HasToken = false`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`};`
revise endpoint attributes 10 years ago
Allow apikey to authenticate as admin 4 years ago			`if (string.IsNullOrWhiteSpace(token))`
revise endpoint attributes 10 years ago			`{`
Allow apikey to authenticate as admin 4 years ago			`// Request doesn't contain a token.`
Remove OriginalAuthenticationInfo and add IsAuthenticated property 4 years ago			`return authInfo;`
Allow apikey to authenticate as admin 4 years ago			`}`
Migrate authentication db to EF Core 4 years ago			`#pragma warning restore CA1508`
revise endpoint attributes 10 years ago
Return NoResult only when request doesn't have a token. 4 years ago			`authInfo.HasToken = true;`
Migrate authentication db to EF Core 4 years ago			`var device = await _jellyfinDb.Devices.FirstOrDefaultAsync(d => d.AccessToken == token).ConfigureAwait(false);`
revise endpoint attributes 10 years ago
Migrate authentication db to EF Core 4 years ago			`if (device != null)`
Remove OriginalAuthenticationInfo and add IsAuthenticated property 4 years ago			`{`
			`authInfo.IsAuthenticated = true;`
			`}`

Migrate authentication db to EF Core 4 years ago			`if (device != null)`
Allow apikey to authenticate as admin 4 years ago			`{`
			`var updateToken = false;`
resolve version changing in now playing display 7 years ago
Allow apikey to authenticate as admin 4 years ago			`// TODO: Remove these checks for IsNullOrWhiteSpace`
			`if (string.IsNullOrWhiteSpace(authInfo.Client))`
			`{`
Migrate authentication db to EF Core 4 years ago			`authInfo.Client = device.AppName;`
Allow apikey to authenticate as admin 4 years ago			`}`
resolve version changing in now playing display 7 years ago
Allow apikey to authenticate as admin 4 years ago			`if (string.IsNullOrWhiteSpace(authInfo.DeviceId))`
			`{`
Migrate authentication db to EF Core 4 years ago			`authInfo.DeviceId = device.DeviceId;`
Allow apikey to authenticate as admin 4 years ago			`}`
resolve version changing in now playing display 7 years ago
Allow apikey to authenticate as admin 4 years ago			`// Temporary. TODO - allow clients to specify that the token has been shared with a casting device`
Migrate authentication db to EF Core 4 years ago			`var allowTokenInfoUpdate = !authInfo.Client.Contains("chromecast", StringComparison.OrdinalIgnoreCase);`
resolve version changing in now playing display 7 years ago
Allow apikey to authenticate as admin 4 years ago			`if (string.IsNullOrWhiteSpace(authInfo.Device))`
			`{`
Migrate authentication db to EF Core 4 years ago			`authInfo.Device = device.DeviceName;`
Allow apikey to authenticate as admin 4 years ago			`}`
Migrate authentication db to EF Core 4 years ago			`else if (!string.Equals(authInfo.Device, device.DeviceName, StringComparison.OrdinalIgnoreCase))`
Allow apikey to authenticate as admin 4 years ago			`{`
			`if (allowTokenInfoUpdate)`
resolve version changing in now playing display 7 years ago			`{`
Allow apikey to authenticate as admin 4 years ago			`updateToken = true;`
Migrate authentication db to EF Core 4 years ago			`device.DeviceName = authInfo.Device;`
Update to 3.5.2 and .net core 2.1 6 years ago			`}`
Allow apikey to authenticate as admin 4 years ago			`}`
Update to 3.5.2 and .net core 2.1 6 years ago
Allow apikey to authenticate as admin 4 years ago			`if (string.IsNullOrWhiteSpace(authInfo.Version))`
			`{`
Migrate authentication db to EF Core 4 years ago			`authInfo.Version = device.AppVersion;`
Allow apikey to authenticate as admin 4 years ago			`}`
Migrate authentication db to EF Core 4 years ago			`else if (!string.Equals(authInfo.Version, device.AppVersion, StringComparison.OrdinalIgnoreCase))`
Allow apikey to authenticate as admin 4 years ago			`{`
			`if (allowTokenInfoUpdate)`
Update to 3.5.2 and .net core 2.1 6 years ago			`{`
resolve version changing in now playing display 7 years ago			`updateToken = true;`
Migrate authentication db to EF Core 4 years ago			`device.AppVersion = authInfo.Version;`
Update to 3.5.2 and .net core 2.1 6 years ago			`}`
Allow apikey to authenticate as admin 4 years ago			`}`
Update to 3.5.2 and .net core 2.1 6 years ago
Migrate authentication db to EF Core 4 years ago			`if ((DateTime.UtcNow - device.DateLastActivity).TotalMinutes > 3)`
Allow apikey to authenticate as admin 4 years ago			`{`
Migrate authentication db to EF Core 4 years ago			`device.DateLastActivity = DateTime.UtcNow;`
Allow apikey to authenticate as admin 4 years ago			`updateToken = true;`
			`}`
Update to 3.5.2 and .net core 2.1 6 years ago
Migrate authentication db to EF Core 4 years ago			`if (!device.UserId.Equals(Guid.Empty))`
Allow apikey to authenticate as admin 4 years ago			`{`
Migrate authentication db to EF Core 4 years ago			`authInfo.User = _userManager.GetUserById(device.UserId);`
Fix inverted condition when authenticating with an ApiKey 4 years ago			`authInfo.IsApiKey = false;`
Use proper IsApiKey flag 4 years ago			`}`
			`else`
			`{`
Fix inverted condition when authenticating with an ApiKey 4 years ago			`authInfo.IsApiKey = true;`
revise endpoint attributes 10 years ago			`}`
Allow apikey to authenticate as admin 4 years ago
			`if (updateToken)`
			`{`
Migrate authentication db to EF Core 4 years ago			`_jellyfinDb.Devices.Update(device);`
			`await _jellyfinDb.SaveChangesAsync().ConfigureAwait(false);`
revise endpoint attributes 10 years ago			`}`
			`}`

Remove OriginalAuthenticationInfo and add IsAuthenticated property 4 years ago			`return authInfo;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`}`

			`/// <summary>`
			`/// Gets the auth.`
			`/// </summary>`
			`/// <param name="httpReq">The HTTP req.</param>`
			`/// <returns>Dictionary{System.StringSystem.String}.</returns>`
Migrate authentication db to EF Core 4 years ago			`private Dictionary<string, string>? GetAuthorizationDictionary(HttpContext httpReq)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`{`
Remove ServiceStack and related stuff 4 years ago			`var auth = httpReq.Request.Headers["X-Emby-Authorization"];`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago
			`if (string.IsNullOrEmpty(auth))`
			`{`
Remove ServiceStack and related stuff 4 years ago			`auth = httpReq.Request.Headers[HeaderNames.Authorization];`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`}`

			`return GetAuthorization(auth);`
			`}`

			`/// <summary>`
			`/// Gets the auth.`
			`/// </summary>`
			`/// <param name="httpReq">The HTTP req.</param>`
			`/// <returns>Dictionary{System.StringSystem.String}.</returns>`
Migrate authentication db to EF Core 4 years ago			`private Dictionary<string, string>? GetAuthorizationDictionary(HttpRequest httpReq)`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`{`
revert adding Jellyfin to auth header 4 years ago			`var auth = httpReq.Headers["X-Emby-Authorization"];`
update shared item page 9 years ago
Update to 3.5.2 and .net core 2.1 6 years ago			`if (string.IsNullOrEmpty(auth))`
update shared item page 9 years ago			`{`
Switch to HeaderNames instead of hardcoded strings (and other header related fixes) 6 years ago			`auth = httpReq.Headers[HeaderNames.Authorization];`
update shared item page 9 years ago			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
			`return GetAuthorization(auth);`
			`}`

			`/// <summary>`
			`/// Gets the authorization.`
			`/// </summary>`
			`/// <param name="authorizationHeader">The authorization header.</param>`
			`/// <returns>Dictionary{System.StringSystem.String}.</returns>`
Migrate authentication db to EF Core 4 years ago			`private Dictionary<string, string>? GetAuthorization(string? authorizationHeader)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`{`
Fix warnings, improve performance (#1665) * Fix warnings, improve performance `QueryResult.Items` is now a `IReadOnlyList` so we don't need to allocate a new `Array` when we have a `List` (and `Items` shouldn't need to be mutable anyway) * Update Providers .csproj to latest C# * Remove extra newline from DtoService.cs * Remove extra newline from UserLibraryService.cs 5 years ago			`if (authorizationHeader == null)`
			`{`
			`return null;`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
Use string.Split(char) where possible instead of string.Split(char[]) 4 years ago			`var parts = authorizationHeader.Split(' ', 2);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
			`// There should be at least to parts`
Fix warnings, improve performance (#1665) * Fix warnings, improve performance `QueryResult.Items` is now a `IReadOnlyList` so we don't need to allocate a new `Array` when we have a `List` (and `Items` shouldn't need to be mutable anyway) * Update Providers .csproj to latest C# * Remove extra newline from DtoService.cs * Remove extra newline from UserLibraryService.cs 5 years ago			`if (parts.Length != 2)`
			`{`
			`return null;`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago
revert adding Jellyfin to auth header 4 years ago			`var acceptedNames = new[] { "MediaBrowser", "Emby" };`
update components 8 years ago
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`// It has to be a digest request`
Fix warnings, improve performance (#1665) * Fix warnings, improve performance `QueryResult.Items` is now a `IReadOnlyList` so we don't need to allocate a new `Array` when we have a `List` (and `Items` shouldn't need to be mutable anyway) * Update Providers .csproj to latest C# * Remove extra newline from DtoService.cs * Remove extra newline from UserLibraryService.cs 5 years ago			`if (!acceptedNames.Contains(parts[0], StringComparer.OrdinalIgnoreCase))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`{`
			`return null;`
			`}`

			`// Remove uptil the first space`
added dlna music folders 10 years ago			`authorizationHeader = parts[1];`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`parts = authorizationHeader.Split(',');`

			`var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);`

			`foreach (var item in parts)`
			`{`
Use string.Split(char) where possible instead of string.Split(char[]) 4 years ago			`var param = item.Trim().Split('=', 2);`
added dlna music folders 10 years ago
			`if (param.Length == 2)`
			`{`
Use string.Trim(char) instead of string.Trim(char[]) where possible 4 years ago			`var value = NormalizeValue(param[1].Trim('"'));`
Fix setting duplicate keys from auth header 4 years ago			`result[param[0]] = value;`
added dlna music folders 10 years ago			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`}`

			`return result;`
			`}`
fixes #1075 - XSS in "Active Devices" Panel of Admin Dashboard 9 years ago
Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 6 years ago			`private static string NormalizeValue(string value)`
update components 8 years ago			`{`
Add GetAuthorizationInfo for netcore HttpRequest 4 years ago			`return string.IsNullOrEmpty(value) ? value : WebUtility.HtmlEncode(value);`
update components 8 years ago			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 10 years ago			`}`
			`}`