using System;
using System.Diagnostics.CodeAnalysis;
using System.Globalization;
using System.Threading.Tasks;
using Jellyfin.Data.Entities;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Model.Cryptography;
using Microsoft.Extensions.Logging;
namespace Jellyfin.Server.Implementations.Users
/// The default authentication provider.
public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
private readonly ILogger _logger;
private readonly ICryptoProvider _cryptographyProvider;
/// Initializes a new instance of the class.
/// The logger.
/// The cryptography provider.
public DefaultAuthenticationProvider(ILogger logger, ICryptoProvider cryptographyProvider)
_logger = logger;
_cryptographyProvider = cryptographyProvider;
public string Name => "Default";
public bool IsEnabled => true;
// This is dumb and an artifact of the backwards way auth providers were designed.
// This version of authenticate was never meant to be called, but needs to be here for interface compat
// Only the providers that don't provide local user support use this
public Task Authenticate(string username, string password)
throw new NotImplementedException();
// This is the version that we need to use for local users. Because reasons.
public Task Authenticate(string username, string password, User? resolvedUser)
static void ThrowAuthenticationException()
throw new AuthenticationException("Invalid username or password");
if (resolvedUser is null)
// As long as jellyfin supports password-less users, we need this little block here to accommodate
if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
return Task.FromResult(new ProviderAuthenticationResult
Username = username
// Handle the case when the stored password is null, but the user tried to login with a password
if (resolvedUser.Password is null)
PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
if (!_cryptographyProvider.Verify(readyHash, password))
// Migrate old hashes to the new default
if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal)
|| int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultIterations)
_logger.LogInformation("Migrating password hash of {User} to the latest default", username);
ChangePassword(resolvedUser, password);
return Task.FromResult(new ProviderAuthenticationResult
Username = username
public bool HasPassword(User user)
=> !string.IsNullOrEmpty(user?.Password);
public Task ChangePassword(User user, string newPassword)
if (string.IsNullOrEmpty(newPassword))
user.Password = null;
return Task.CompletedTask;
PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
user.Password = newPasswordHash.ToString();
return Task.CompletedTask;