Cheesegeezer 3087 Posted January 17, 2023 Share Posted January 17, 2023 not sure how to implement client side a way to store the password in the xml file but Hashed using SPA or similar.... i'm pretty sure that i can't do this as it would open up massive security vulnerabilities on the client side. It's for a new channel plugin i'm writing. I see that openSubtitles manages this but not sure on what component to inject into the js as i'm sure emby probably takes care of this. Anyways here is code and the output. <div style="display: flex; align-items: center;"> <div style="flex-grow: 1;"> <input is="emby-input" id="textPassword" type="password" label="Enter your Login Password" autocomplete="off" /> </div> </div> And here is the output from this code to the config xml file <ChannelPasswordHash>TextliteralPassword</ChannelPasswordHash> Opensubtitles is goooooood. here is the output from that, which is a Hashed password. <OpenSubtitlesPasswordHash>h:RmxpcGZsb3Ax</OpenSubtitlesPasswordHash> Any help would be spectacularly appreciated. Happy coding Link to comment Share on other sites More sharing options...
Cheesegeezer 3087 Posted January 17, 2023 Author Share Posted January 17, 2023 I think i've figured it out. I will need to inject some C#, possibly add an event to the constructor for the Channel Class when the server loads to do the hash. Link to comment Share on other sites More sharing options...
ebr 14925 Posted January 17, 2023 Share Posted January 17, 2023 Why are you storing passwords in a local xml file? Exactly what password? Link to comment Share on other sites More sharing options...
softworkz 3338 Posted January 17, 2023 Share Posted January 17, 2023 6 minutes ago, ebr said: Why are you storing passwords in a local xml file? Exactly what password? He means the password to a remote API. 1 Link to comment Share on other sites More sharing options...
softworkz 3338 Posted January 17, 2023 Share Posted January 17, 2023 (edited) @Cheesegeezer - The OpenSubtitles plugin does it as follows: It registers for the event IConfigurationManager.NamedConfigurationUpdating: https://dev.emby.media/reference/pluginapi/MediaBrowser.Common.Configuration.IConfigurationManager.html#MediaBrowser_Common_Configuration_IConfigurationManager_NamedConfigurationUpdating In the event handler it does this: if (!string.Equals(e.Key, "opensubtitles", StringComparison.OrdinalIgnoreCase)) return; OpenSubtitleOptions newConfiguration = (OpenSubtitleOptions) e.NewConfiguration; if (newConfiguration == null || string.IsNullOrWhiteSpace(newConfiguration.OpenSubtitlesPasswordHash) || newConfiguration.OpenSubtitlesPasswordHash.StartsWith("h:", StringComparison.OrdinalIgnoreCase)) return; newConfiguration.OpenSubtitlesPasswordHash = this.EncryptPassword(newConfiguration.OpenSubtitlesPasswordHash); For encrypting and decrypting, you can use IEncryptionManager: https://dev.emby.media/reference/pluginapi/MediaBrowser.Controller.Security.IEncryptionManager.html?q=IEncryptionManager private string EncryptPassword(string password) { return "h:" + this._encryption.EncryptString(password); } It prefixes the encrypted string with 'h:' to make sure that it doesn't encrypt an already encrypted string. Edited January 17, 2023 by softworkz 1 1 Link to comment Share on other sites More sharing options...
Cheesegeezer 3087 Posted January 17, 2023 Author Share Posted January 17, 2023 Yeah i kinda did something similar, but have it checking on server entry. And also when the user hits save now. all good chief but thanks very much for the pointers. You method is more elegant… naturally 1 Link to comment Share on other sites More sharing options...
Cheesegeezer 3087 Posted January 17, 2023 Author Share Posted January 17, 2023 1 hour ago, softworkz said: He means the password to a remote API. Exactly, thanks softworkz 1 Link to comment Share on other sites More sharing options...
softworkz 3338 Posted January 17, 2023 Share Posted January 17, 2023 1 minute ago, Cheesegeezer said: Yeah i kinda did something similar, but have it checking on server entry. And also when the user hits save now. all good chief but thanks very much for the pointers. You method is more elegant… naturally Just make sure that the (unencrypted) password isn't sent over the wire to the client UI, that's the one important point. It might not be visible in the textbox (showing dots or stars), but it's still easily accessible, so it must not be part of the data that the client side gets. 1 Link to comment Share on other sites More sharing options...
Cheesegeezer 3087 Posted January 17, 2023 Author Share Posted January 17, 2023 (edited) I havent called for it to be shown(retrieved) from config file or anything. It will happily sit there in the plugin configuration until i need it and decrypt and dispose. Its not a requirement for any api calls so i should be good but ill double check on wireshark. Edited January 17, 2023 by Cheesegeezer Link to comment Share on other sites More sharing options...
softworkz 3338 Posted January 17, 2023 Share Posted January 17, 2023 50 minutes ago, Cheesegeezer said: I havent called for it to be shown(retrieved) from config file or anything. It will happily sit there in the plugin configuration until i need it and decrypt and dispose. Its not a requirement for any api calls so i should be good but ill double check on wireshark. It's much easier to check in the browser (Network tab). How do you load the config data from the server when you show it in the client? Link to comment Share on other sites More sharing options...
Cheesegeezer 3087 Posted January 17, 2023 Author Share Posted January 17, 2023 (edited) 14 minutes ago, softworkz said: It's much easier to check in the browser (Network tab). How do you load the config data from the server when you show it in the client? By client you mean plugin config UI. only username/email is loaded to client and that is only if the user saves the data in their browser, keychain, etc passwords the password is never retrieved to the UI. Its blank! btw this channel I’m creating is gonna be one that will certainly utilise the user.plugin config settings that were teased a month ago. any update on when this will be available. Or is it part of the new rest api for dotnet? Edited January 17, 2023 by Cheesegeezer Link to comment Share on other sites More sharing options...
softworkz 3338 Posted January 17, 2023 Share Posted January 17, 2023 4 minutes ago, Cheesegeezer said: the password is never retrieved to the UI. Its blank! Okay, then it's all fine of course! 4 minutes ago, Cheesegeezer said: btw this channel I’m creating is gonna be one that will certainly utilise the user.plugin config settings that were teased a month ago. It's available already but works with the beta server only. It will work with the 4.8 versions of course. You just need to use the latest beta nuget package in the plugin. 1 Link to comment Share on other sites More sharing options...
Cheesegeezer 3087 Posted January 17, 2023 Author Share Posted January 17, 2023 18 minutes ago, softworkz said: Okay, then it's all fine of course! awesome!! 18 minutes ago, softworkz said: It's available already but works with the beta server only. It will work with the 4.8 versions of course. You just need to use the latest beta nuget package in the plugin. Oooo you know how to make a grown man moist 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now