From fd73f346dc94a2b1a2c3421e9d83c0f6d9346d29 Mon Sep 17 00:00:00 2001
From: Niels van Velzen
Date: Sat, 12 Nov 2022 10:19:52 +0100
Subject: [PATCH 1/2] Add userId parameter to AuthorizeQuickConnect

---
 Jellyfin.Api/Controllers/QuickConnectController.cs | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/Jellyfin.Api/Controllers/QuickConnectController.cs b/Jellyfin.Api/Controllers/QuickConnectController.cs
index 77d88475ff..aed4d93415 100644
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@@ -1,3 +1,4 @@
+using System;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
@@ -96,6 +97,7 @@ namespace Jellyfin.Api.Controllers
 /// Authorizes a pending quick connect request.
 ///
 /// Quick connect code to authorize.
+ /// The user the authorize. Access to the requested user is required.
 /// Quick connect result authorized successfully.
 /// Unknown user id.
 /// Boolean indicating if the authorization was successful.
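Review bot: The added parameter description in the `-96,6 +97,7` hunk has a typo, "The user the authorize", which should read `The user to authorize. Access to the requested user is required.` because this text ends up in the generated API documentation. The unchanged 403 description, "Unknown user id.", also no longer covers every reason the endpoint can refuse: the new code in this patch rejects a non-administrator who names another user. A wording such as `Unknown user id, or the caller is not allowed to authorize for the requested user.` would tell API consumers why they were refused.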
@@ -103,17 +105,19 @@ namespace Jellyfin.Api.Controllers
 [Authorize(Policy = Policies.DefaultAuthorization)]
 [ProducesResponseType(StatusCodes.Status200OK)]
 [ProducesResponseType(StatusCodes.Status403Forbidden)]
- public async Task> AuthorizeQuickConnect([FromQuery, Required] string code)
+ public async Task> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
 {
- var userId = User.GetUserId();
- if (userId.Equals(default))
+ var currentUserId = User.GetUserId();
+ var actualUserId = userId ?? currentUserId;
+
+ if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
 {
- return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");
+ return Forbid("Unknown user id");
 }
 
 try
 {
- return await _quickConnect.AuthorizeRequest(userId, code).ConfigureAwait(false);
+ return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
 }
 catch (AuthenticationException)
 {
From 722ad3fe97e6fb1ef2bc99603c8fd84efe36ca79 Mon Sep 17 00:00:00 2001
From: Niels van Velzen
Date: Sat, 12 Nov 2022 10:20:40 +0100
Subject: [PATCH 2/2] Change InitiateQuickConnect to use POST request

Keep the GET request for compatibility
---
 Jellyfin.Api/Controllers/QuickConnectController.cs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Jellyfin.Api/Controllers/QuickConnectController.cs b/Jellyfin.Api/Controllers/QuickConnectController.cs
index aed4d93415..6dbcdae228 100644
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@@ -52,7 +52,7 @@ namespace Jellyfin.Api.Controllers
 /// Quick connect request successfully created.
 /// Quick connect is not active on this server.
 /// A with a secret and code for future use or an error message.
- [HttpGet("Initiate")]
+ [HttpPost("Initiate")]
 [ProducesResponseType(StatusCodes.Status200OK)]
 public async Task> InitiateQuickConnect()
 {
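Review bot: In the new guard of AuthorizeQuickConnect (PATCH 1/2, hunk `-103,17 +105,19`), `!userId.Equals(currentUserId)` tests the nullable query parameter instead of the resolved `actualUserId`, so when `userId` is omitted the comparison is false and every non-administrator is refused even when authorizing for their own account. The check should compare the resolved value: `if (actualUserId.Equals(default) || (!actualUserId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))`. The replacement `return Forbid("Unknown user id");` also looks wrong, because `ControllerBase.Forbid(params string[])` takes authentication scheme names rather than a message; unless a scheme with that name is registered the result is likely to fail when executed instead of producing a 403, and the earlier `return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");` avoids that. Because this parameter lets an administrator approve a login as another account, tests for the four cases (omitted, own id, other id as user, other id as administrator) are worth adding. The method body continues past the end of the hunk.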
@@ -67,6 +67,16 @@ namespace Jellyfin.Api.Controllers
 }
 }
 
+ ///
+ /// Old version of using a GET method.
+ /// Still available to avoid breaking compatibility.
+ ///
+ /// The result of .
+ [Obsolete("Use POST request instead")]
+ [HttpGet("Initiate")]
+ [ApiExplorerSettings(IgnoreApi = true)]
+ public Task> InitiateQuickConnectLegacy() => InitiateQuickConnect();
+
 ///
 /// Attempts to retrieve authentication information.
 ///
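Review bot: The retained `[HttpGet("Initiate")]` route on `InitiateQuickConnectLegacy` keeps a request-creating endpoint, whose response carries the secret, reachable by GET. Whatever the move to POST is meant to gain (presumably no side effects on a safe method and no cacheable response holding the secret) therefore does not apply while this wrapper exists. The doc comment should state the removal plan, for example `/// Scheduled for removal in <VERSION_PLACEHOLDER>; clients must switch to the POST route.` Since `[ApiExplorerSettings(IgnoreApi = true)]` hides the route from the generated API description, logging calls to it would help identify remaining callers before it is dropped.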