security measures/api keys problem

[Lee 204]

the api keys are a great idea but somehow mb theatre and w8 app have been revoked/lost and now I can't get them to connect and there doesn't seem to be a straightforward way to reapply an api key, no settings for it in the w8 app and mb-theatre kicks me out so I don't know if there's settings in there???

help a brother out...

I was only wanting to have a play see how far they've come can't even get in them!!!! lol

[Lee 204]

@@7illusions should a reinstall resend api key authentication??

[ebr 14955]

Keys are automatically issued for any app that authenticates properly. Make sure you have the most recent versions.

[7illusions 1249]

The win8 app is in testing at Microsoft.

[Lee 204]

The win8 app is in testing at Microsoft.

That should only be a month or two then?? Lol

[AXP33 2]

I don´t get it !
I do not see that Api key has any Security function

If i Play a IPTV Link using the Video Bookmarks Plugin (or any other file) and then save the Video link and Revoke all the Api Keys

I can then still play the link on any Computer from everywhere !

VLC/Firefox/Chrome.....

Edited February 11, 2015 by AXP33

[ebr 14955]

The API key is securing access to our server, not the video content if it is copied somewhere.

[AXP33 2]

Okey Thanks for the reply

But then i got a total open Server setup

[Carlo 4331]

He means for example he can copy the URL and email it to me and I can then go straight to the video without ever being prompted to login or anything using his key.

 

This shouldn't happen.

[ebr 14955]

He means for example he can copy the URL and email it to me and I can then go straight to the video without ever being prompted to login or anything using his key.

 

This shouldn't happen.

 

No, I would also think that shouldn't happen.  If that is true, then the playback API isn't requiring the auth header.  That would surprise me but maybe that is the case.  Has someone verified this is true?

[AXP33 2]

Verified !?

I showed it in the chat !

Why don´t you just try it yourself !?!

Edited February 11, 2015 by AXP33

[ebr 14955]

Well, I suppose you could consider that a feature (and I guess it is necessary for the items to work with players).  What is the exposure?  You'd have to provide someone a link for that to work.

[AXP33 2]

Yep

The exposure is that i can provide a link and got no way stopping serving it !

That´s a ............... option

 

[ebr 14955]

So don't give out links .

 

The server needs to be able to deliver video content to any type of device to consume it so there is no way we could secure that and still have it work in say mpc-hc or any other video player that we didn't write ourselves.

[AXP33 2]

Yes of course a way to look at it

But when I use eg VLC then I can change the code as it suits me

Do not understand why You do Not understand

Edited February 14, 2015 by AXP33

[AXP33 2]

 If you can use a file from a server and Admin can not change the use of it, what is Admin then ?!?

[ebr 14955]

But when I use eg VLC then I can change the code as it suits me

 

No, that I don't understand.  How are you going to change the code inside VLC?

 

When we write an app to play a video, we need to give some form of video player an url or other reference to the content it needs to play.  That video player needs to be able to access that content and we cannot require any special headers or anything else (other than something on the actual url) in order for it to do so.

[MSattler 387]

I honestly do not see this as a big deal, I'd rather keep allowing this so we can choose any player we want to play back the content.  Especially on the android and PC side as for me that is huge.

 

I am much more concerned about having to leave the login page to mediabrowser open to the web in order for MB Connect to work.  With my kids not having passwords on their accounts, it leaves those accounts wide open for anyone to login.  I swear there used to be a feature that would only require the passwords when being accessed from a public IP.

[Luke 37220]

I honestly do not see this as a big deal, I'd rather keep allowing this so we can choose any player we want to play back the content.  Especially on the android and PC side as for me that is huge.

 

I am much more concerned about having to leave the login page to mediabrowser open to the web in order for MB Connect to work.  With my kids not having passwords on their accounts, it leaves those accounts wide open for anyone to login.  I swear there used to be a feature that would only require the passwords when being accessed from a public IP.

 

Well that isn't really true. The Connect feature has no relation to your MBS-defined passwords or visibility. Explore the user configuration area to find what you're looking for.

[AXP33 2]

 I do not want to prevent one or the other progam to play my content, I just want to be able to close and open to what I please, when I feel like it

 

Blocking of VLC is not what is needed...... Then what about the x000 other players !

Edited February 15, 2015 by AXP33

[Luke 37220]

The playback streaming urls and image urls are basically the only two api endpoints that don't require an authentication token, and it's only to preserve compatibility with apps that haven't yet updated to use the newer security. Once we have those updated, it will change.

[AXP33 2]

No, that I don't understand.  How are you going to change the code inside VLC?

 

Really

 

Settings

Stream-output

Http

And

Edited February 15, 2015 by AXP33

[MSattler 387]

Well that isn't really true. The Connect feature has no relation to your MBS-defined passwords or visibility. Explore the user configuration area to find what you're looking for.

I stand correct, it is there, but I think we have not really documented that feature anywhere?  And it's not even an option until you set a password on the account locally that you even see it as an option.  It would be nice if the easy pin code options were visible but greyed out, for folks who never set passwords for their user accounts, they would have no clue the pin settings are even there.

[Luke 37220]

Sure we've documented it. Have you tried clicking the help button that is all over the web interface? The documentation will always be current to the stable release.

 

We also reference the users guide right here in this forum:

 

http://mediabrowser.tv/community/index.php?/topic/16412-users-guide/

[AXP33 2]

The playback streaming urls and image urls are basically the only two api endpoints that don't require an authentication token, and it's only to preserve compatibility with apps that haven't yet updated to use the newer security. Once we have those updated, it will change.

Why not just make an on / off option

Local or not !?