diff --git a/Jellyfin.Api/Controllers/QuickConnectController.cs b/Jellyfin.Api/Controllers/QuickConnectController.cs
index 77d88475ff..6dbcdae228 100644
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@@ -1,3 +1,4 @@
+using System;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Jellyfin.Api.Constants;
@@ -51,7 +52,7 @@ namespace Jellyfin.Api.Controllers
/// Quick connect request successfully created.
/// Quick connect is not active on this server.
/// A with a secret and code for future use or an error message.
- [HttpGet("Initiate")]
+ [HttpPost("Initiate")]
[ProducesResponseType(StatusCodes.Status200OK)]
public async Task> InitiateQuickConnect()
{
@@ -66,6 +67,16 @@ namespace Jellyfin.Api.Controllers
}
}
+ ///
+ /// Old version of using a GET method.
+ /// Still available to avoid breaking compatibility.
+ ///
+ /// The result of .
+ [Obsolete("Use POST request instead")]
+ [HttpGet("Initiate")]
+ [ApiExplorerSettings(IgnoreApi = true)]
+ public Task> InitiateQuickConnectLegacy() => InitiateQuickConnect();
+
///
/// Attempts to retrieve authentication information.
///
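Review bot: `InitiateQuickConnectLegacy` keeps the state-creating Initiate call reachable over GET, so whatever motivated the move to POST in the previous hunk (presumably keeping a request that creates a secret off a safe, prefetchable method) still applies for as long as this alias exists. `[Obsolete]` only warns C# callers and `[ApiExplorerSettings(IgnoreApi = true)]` only hides the route from the generated API description; neither changes what an HTTP client can do. Because the alias calls `InitiateQuickConnect()` as a plain method, any action-level filter or authorization attribute placed on the POST action will not run for the GET route unless it is repeated here. I would record both facts beside the method, e.g. `// Legacy GET alias: still creates a quick connect request. Mirror any action-level attributes from InitiateQuickConnect and remove once clients use POST.`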
@@ -96,6 +107,7 @@ namespace Jellyfin.Api.Controllers
/// Authorizes a pending quick connect request.
///
/// Quick connect code to authorize.
+ /// The user the authorize. Access to the requested user is required.
/// Quick connect result authorized successfully.
/// Unknown user id.
/// Boolean indicating if the authorization was successful.
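Review bot: The added doc line for `userId` says "Access to the requested user is required", but the check added in the next hunk lets only the caller's own id or a caller in `UserRoles.Administrator` through, so the comment understates the privilege needed to authorize on behalf of someone else. It also has a typo ("The user the authorize") and does not say what happens when the parameter is omitted. Suggested wording for the description: `The user to authorize. Defaults to the calling user; authorizing a different user requires administrator rights.`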
@@ -103,17 +115,19 @@ namespace Jellyfin.Api.Controllers
[Authorize(Policy = Policies.DefaultAuthorization)]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status403Forbidden)]
- public async Task> AuthorizeQuickConnect([FromQuery, Required] string code)
+ public async Task> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
{
- var userId = User.GetUserId();
- if (userId.Equals(default))
+ var currentUserId = User.GetUserId();
+ var actualUserId = userId ?? currentUserId;
+
+ if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
{
- return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");
+ return Forbid("Unknown user id");
}
try
{
- return await _quickConnect.AuthorizeRequest(userId, code).ConfigureAwait(false);
+ return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
}
catch (AuthenticationException)
{
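Review bot: The new guard tests the nullable parameter instead of the resolved id: when `userId` is omitted, `userId.Equals(currentUserId)` is false (an empty `Guid?` never equals a boxed `Guid`), so a non-administrator authorizing their own code is rejected. That fails closed, but it breaks the default path; compare the resolved value instead: `if (actualUserId.Equals(default) || (!actualUserId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))`. Separately, `Forbid("Unknown user id")` passes the string as an authentication scheme name, not a response body, so unless a scheme by that name is registered the call is likely to fail when the result executes instead of returning 403. Keeping `return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");` or using parameterless `Forbid()` avoids that, and the message no longer describes the new "not an administrator" rejection. The try/catch continues past the end of the hunk.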