4.8.0.37+ - Plugin routes now defaulting to authenticated

[Luke 37008]

This is sure to cause temporary problems but it's for the best. Going forward, all api routes that you add will require authentication, unless you explicitly add this attribute:

[Unauthenticated]

If your plugin is creating a custom api, and if you're feeding that url to something external, then you'll need to make a decision on whether to make it unauthenticated or require the caller to provide authentication.

Please let me know if you have questions. Thanks.

@chef  @roaku @Cheesegeezer @MikePlanet @ShaneP @mickle026 @rechigo @TeamB @pünktchen

[roaku 792]

Trying to see if I follow.

I have custom API endpoints in my plugins, but they're only used in the context of an admin user visiting a plugin config page. Nothing external to Emby accesses these endpoints.

Data is retrieved from my endpoints through calls to the Emby provided  ApiClient.getJSON, which appears to load an access token into the http request by way of ApiClient.fetch.

So, my plugins should be unaffected by this change?

[Luke 37008]

7 hours ago, roaku said:

 

So, my plugins should be unaffected by this change?

Sounds like they will be unaffected.

[mickle026 400]

I litterally have no idea where this would go, is there an example anywhere?

I think i am aslo unaffected as all of my endpoints are run from admin config pages, but I would like to understand this.

[Luke 37008]

1 hour ago, mickle026 said:

 

I think i am aslo unaffected as all of my endpoints are run from admin config pages, but I would like to understand this.

Yes, sounds like it.

[TeamB 2352]

4 hours ago, mickle026 said:

I litterally have no idea where this would go, is there an example anywhere?

I think i am aslo unaffected as all of my endpoints are run from admin config pages, but I would like to understand this.

they go just above the class definition with the route

https://github.com/faush01/playback_reporting/blob/e7bef6c12978b222ab1c1f374d0f142b65edcf2c/playback_reporting/Api/UserActivityAPI.cs#L43

[mickle026 400]

I had thought that, but was getting a compiler error.

I was missing - using MediaBrowser.Controller.Net;

 

Thanks @TeamB

[Luke 37008]

New build and beta nugget package are now up. Thanks guys.

[shure 24]

After updating to 4.8.0.39, there is a changement that 

ApiClient.getPluginConfiguration()

just work for admin now.

if user use it, response 401 and Unauthorized.

 

[shure 24]

[Authenticated(FeatureIds = new String[] { "YourPluginFeatureIds" })]

is very useful if your plugin is enable for user

[Luke 37008]

On 6/9/2023 at 7:05 PM, shure said:

After updating to 4.8.0.39, there is a changement that 

ApiClient.getPluginConfiguration()

just work for admin now.

if user use it, response 401 and Unauthorized.

 

Yup.

[elsagranger 1]

I have users running clients on both 4.8.0.37+ and 4.8.0.37- (including ~4.7), how can I develop my plugin so that in both versions can achieve that there is no need to authenticate a specific api endpoint. There is no [Unauthenticated] available for the 4.7 nugget package.

 

Such as this issue: https://github.com/kookxiang/jellyfin-plugin-bangumi/issues/110 , problem raising from that client with 4.7 version is still running and I have to keep the dependency version low.

Edited February 26 by elsagranger

[Luke 37008]

3 hours ago, elsagranger said:

I have users running clients on both 4.8.0.37+ and 4.8.0.37- (including ~4.7), how can I develop my plugin so that in both versions can achieve that there is no need to authenticate a specific api endpoint. There is no [Unauthenticated] available for the 4.7 nugget package.

 

Such as this issue: https://github.com/kookxiang/jellyfin-plugin-bangumi/issues/110 , problem raising from that client with 4.7 version is still running and I have to keep the dependency version low.

With a single code base you can’t. You’ll need to develop two versions and distribute the right versions to the right people.