geppii, Posted August 26, 2023:
Hi, it would be nice if there were a setting to allow access to the Images endpoint only when authenticated. Currently, you can read all images using https://my-emby-instance.com/emby/Items/1386486/Images/Primary. Since there are no UUIDs, one can relatively easily iterate over this and potentially spoof an entire server. Somehow not so great. Thank you.
Luke, Posted August 26, 2023:
Hi, yes, we're going to be doing this. It's just something that has to be planned out carefully, as it will be a breaking API change for all consumers, so really they need to get updated first.
geppii (Author), Posted August 26, 2023:
Oh, sorry. I even searched for it but couldn't find anything. Since that's from 2020, I'm not getting my hopes up.
Luke, Posted August 26, 2023:
Quoting geppii (13 minutes ago): "Oh, sorry. I even searched for it but couldn't find anything. Since that's from 2020, I'm not getting my hopes up."
We're planning on getting it done.
geppii (Author), Posted August 27, 2023:
I've secured the endpoint in a really cheap way using OpenResty. Maybe it will help someone out there. Here is my OpenResty config:

    # ngx.shared.my_cache below needs a shared dict declared once in the
    # enclosing http {} context:   lua_shared_dict my_cache 10m;
    server {
        listen 443 ssl;
        listen 8096;
        server_name my-emby-host.com;

        # Default: pass everything through to Emby on its local port
        location / {
            proxy_pass http://localhost:8097;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Clients call this after connecting; remember the client IP for
        # 24 hours whenever the upstream answered with a 2xx status
        location /emby/Sessions/Capabilities/Full {
            proxy_pass http://localhost:8097;
            log_by_lua_block {
                local res = ngx.status
                local ip = ngx.var.remote_addr
                if res >= 200 and res < 300 then
                    ngx.shared.my_cache:set(ip, true, 86400)
                end
            }
        }

        # Only serve primary images to IPs recorded above; otherwise 403
        location ~ ^/emby/Items/\d+/Images/Primary {
            access_by_lua_block {
                local ip = ngx.var.remote_addr
                local has_access = ngx.shared.my_cache:get(ip)
                if not has_access then
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }
            proxy_pass http://localhost:8097;
        }

        ssl_certificate /etc/letsencrypt/live/my-emby-host.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my-emby-host.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }

After that, simply set Emby's local port to 8097 and restart OpenResty and Emby.

What is being done here? It checks if the IP has received a 200 status from /emby/Sessions/Capabilities/Full within the last 24 hours (apparently, all clients make a request there) and only allows image requests if that is the case. Sure, it's not 100% clean, but it's better than nothing.
Edited August 27, 2023 by geppii
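As an added illustration (my code, not geppii's config and nothing from Emby or OpenResty), here is the same allow-list logic written in Python so the behaviour can be exercised offline. The handshake path, the image-path regex and the 24-hour TTL are taken from the posted config; the IP addresses, timestamps and status codes are constructed for the walkthrough. It also exercises the two properties a practitioner should weigh before relying on this gate: it keys on the source IP, so every client behind the same NAT or VPN egress inherits the allowance once one real client has connected, and the entry lapses silently after 24 hours until the client talks to the server again.

```python
import re
import time

# Values taken from the posted OpenResty config
CAPABILITIES_PATH = "/emby/Sessions/Capabilities/Full"
IMAGE_PATH_RE = re.compile(r"^/emby/Items/\d+/Images/Primary")
TTL_SECONDS = 86400  # 24 hours


class ImageGate:
    """Stand-in for the lua_shared_dict plus the two Lua blocks in the config."""

    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self._allowed_until = {}  # ip -> expiry timestamp (the shared dict)

    def record_upstream_response(self, ip, path, status, now=None):
        """log_by_lua_block equivalent: any 2xx on the handshake path
        (re)arms the IP for `ttl` seconds."""
        now = time.time() if now is None else now
        if path == CAPABILITIES_PATH and 200 <= status < 300:
            self._allowed_until[ip] = now + self.ttl

    def is_allowed(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self._allowed_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._allowed_until[ip]  # lazy expiry, as a TTL'd dict entry
            return False
        return True

    def access_decision(self, ip, path, now=None):
        """access_by_lua_block equivalent: 403 for image requests from an
        IP that has no live entry; None means fall through to proxy_pass."""
        if IMAGE_PATH_RE.match(path) and not self.is_allowed(ip, now):
            return 403
        return None


def simulate():
    """Sequence of events a real client and an ID-enumerating attacker produce."""
    gate = ImageGate()
    t0 = 1_700_000_000                                   # constructed clock
    client, attacker = "203.0.113.10", "198.51.100.7"    # constructed addresses
    image = "/emby/Items/1386486/Images/Primary"         # ID from the first post
    results = {}

    # Attacker iterating item IDs without ever authenticating: blocked
    results["attacker_before"] = gate.access_decision(attacker, image, t0)

    # Real client: its handshake succeeds upstream (any 2xx counts)
    gate.record_upstream_response(client, CAPABILITIES_PATH, 200, t0)
    results["client_after_handshake"] = gate.access_decision(client, image, t0 + 1)

    # A failed handshake (constructed 401) arms nothing
    gate.record_upstream_response(attacker, CAPABILITIES_PATH, 401, t0)
    results["attacker_after_401"] = gate.access_decision(attacker, image, t0 + 1)

    # Paths outside the image regex are never gated by this config
    results["unauth_other_path"] = gate.access_decision(attacker, "/emby/System/Info", t0)

    # Weakness of keying on IP: a second, unauthenticated device behind the
    # same address is indistinguishable from the real client and is allowed
    results["nat_neighbour"] = gate.access_decision(client, image, t0 + 2)

    # After 24h the entry lapses until the client hits the handshake path again
    results["client_after_ttl"] = gate.access_decision(client, image, t0 + TTL_SECONDS)
    return results


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:24s} -> {'403 Forbidden' if decision == 403 else 'proxied'}")
```

The `is_allowed` lazy-expiry mirrors what a TTL on a shared-dict entry gives you: nothing refreshes the entry except another successful handshake, so a long-running client whose app never re-posts capabilities will start receiving 403s for artwork after a day, and a peer on the same egress IP gets artwork for free during that day.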