No password required for user that used to have to enter a password

[Checkoutside 5]

On Android v2.0.90g I just found out that a user that has a pw attached does NOT need to enter it, nor does anyone switching to that user. NOT good at all!

When in the app on the TV (Sony GoogleTV) under v2.0.90g, if I bring up the app and then switch to that user, it just goes into it, where it always asked for the password that is setup for that user before. I made no changes to the server! This is NOT good gentlemen!!!!!!

I did reset the server after discovering this but it made no change. Only change I see is the Android app version!

In case it matters this is all on the same network, not outside access setup!

[Checkoutside 5]

As it has been a few days without a response, I assume that to the people that develop Emby this is a non-issue or they do not know how to deal with security issues. And as long as that is the case I will just move back to Plex or try Jellyfin again. I should have known that as soon as I paid for a lifetime license something like this would happen!

[GrimReaper 3309]

Which server version? 

[Checkoutside 5]

Server is a WD PR2100 running OS5_4.7.14.0, and it was the same on 4.7.13.0. The reason I did not include the server is that it had worked fine on 4.7.13.0 until the Android app updated on the TV. I did update the server to the 4.7.14.0 and it made no change. I did try a Firestick with app version 2.0.79 accessing the same server and it worked fine, as it did before. So, in my limited testing, it "seems" to be an issue with the android app v2.0.90g. As stated, the previous Android app version was working fine. What it appears is that it is remembering the login password on that device, and if it has been accessed it just goes in without requiring the password to be entered. If multiple use the same device, that is an absolute issue!

Thanks for the response!

[GrimReaper 3309]

I'd say this sums up pretty accurately current state of affairs:

On 9/5/2023 at 12:43 PM, pwhodges said:

The login and authorisation methods are in the process of being revamped for the next release after the security breach incident earlier this year.  This is work in progress, and requires changes to the clients as well as the server, so there are currently inconveniences mainly for those using multiple logins in the same client.  We are assured that eventually there will be a new smooth way of managing logins.

Changes and occasional inconveniences are to be expected:

Quote

2.0.90 (22 Aug)

• Better organize user menu
• Attempt to fix letter jump again
• Only sign out current user

2.0.89 (18 Aug)

• Remember all users
• Fix letter jump on second attempt
• Ensure refresh after playback
• Refine genre view for 4.8

 

Edited September 7, 2023 by GrimReaper

[ebr 14928]

Hi.  Try checking the box that says "prompt for password" in the startup settings.

[Checkoutside 5]

WOW! So in the meantime NO login security is the new norm? I would think this is NOT the way to provide better login security!

 

[Checkoutside 5]

I remember seeing that setting somewhere, but I can not find it now. Where exactly is it? Is it in the server settings or on the TV app settings? I have some with and some without passwords. Really would not want to have everyone have to have a password but if that is the case then so be it. But right now it is not very secure! Was not like that a week ago!

[pwhodges 1532]

As explained, this is a beta, and work in progress.  If you want a finished article, wait for the next stable release.

Paul

[Luke 37110]

3 minutes ago, Checkoutside said:

WOW! So in the meantime NO login security is the new norm? I would think this is NOT the way to provide better login security!

 

Hi, I don't understand. You're in complete control, right? You can give the users a password on your server.

Then after they sign into the app, they can choose whether or not the app should remember those credentials for the next time they start it.

[Luke 37110]

4 minutes ago, Checkoutside said:

WOW! So in the meantime NO login security is the new norm? I would think this is NOT the way to provide better login security!

 

I think you're misinterpreting the text of the option. If that is unchecked, it does not circumvent authentication. 

It just means that the app won't remember any credentials and the user will have to re-authenticate every time they start it up again.

[Checkoutside 5]

Maybe I am not making myself clear. I did not install a different Android version, the TV did. I am also NOT running a beta server version (versions are listed above in a previous reply). When this started, it had been working fine until the TV updated the Android app, I made no change to the server!

So let me set the scenario as it is clear you are not seeing what I am saying.

Server is running in local mode only, no outside access. It is running on the NAS.

User 1 has no password.

User 2 has no password.

User 3 has a password and has access to a folder that user 1 and user 2 do not have access to.

Previous, when in the app (after it starts on the TV) if user 1 tries to change to user 3, it ALWAYS asked for a password. NOW, if user 3 has used that device and logs in, then changes users (1 or 2) and the later changes to user 3 again it does NOT ask for a password but it did previous to the Android app version update.

Hope that clears it up.

[ebr 14928]

23 minutes ago, Checkoutside said:

Server is running in local mode only, no outside access. It is running on the NAS.

User 1 has no password.

User 2 has no password.

User 3 has a password and has access to a folder that user 1 and user 2 do not have access to.

Hi.  For your situation set the following options in the "Start Up" settings in the TV app:

Start up behavior: show login screen

Require Password: checked

That should mean the users with no passwords can switch freely and the one with a password will have to enter it.

23 minutes ago, Checkoutside said:

I did not install a different Android version, the TV did

Correct.  A new release went out last week.

[Checkoutside 5]

Just tried this. Can only change to the "show login screen" if logged in under admin user, which is okay. But the problem remains. On startup selecting user 1 works fine. BUT, if user 1 switches to user 3 it does NOT require the entering of the password that is set up for user 3. As I said earlier, it is like since this new version of the Android TV app, it is always remembering if user 3 logged into the device at all, and is letting that through, which would then allow user 1 to see the folder that only user 3 should have access to.

[ebr 14928]

3 hours ago, Checkoutside said:

Just tried this. Can only change to the "show login screen" if logged in under admin user, which is okay. But the problem remains. On startup selecting user 1 works fine. BUT, if user 1 switches to user 3 it does NOT require the entering of the password that is set up for user 3. As I said earlier, it is like since this new version of the Android TV app, it is always remembering if user 3 logged into the device at all, and is letting that through, which would then allow user 1 to see the folder that only user 3 should have access to.

Can you try the latest  beta release of the app?

 

 

[Checkoutside 5]

I have dloaded it and will try as soon as I figure out how to put it on there. Will advise then.

[Luke 37110]

25 minutes ago, Checkoutside said:

I have dloaded it and will try as soon as I figure out how to put it on there. Will advise then.

Please let us know how this goes. Thanks.

[Checkoutside 5]

I am having no luck getting this on my TV. Any chance you can put it somewhere I can get it thru the Downloader app?

[MEB 26]

I would like to say I have been having the same issue. I have two accounts for my kids that are set to log in without password on local network. My administrator account is password protected and I have it set to prompt for pin when logging in. It used to be I could close emby and it would prompt me for my pin every time. Now the only time it asks for my pin if I manually go to log out which is inconvenient. "Prompt for password" is checked and greyed out. 

[Checkoutside 5]

Ok. After much screwing around trying to get it loaded on my device I was finally able to get it loaded. It updated Emby and I am VERY happy to report that it now works as it should! I would hope you guys can get this pushed out as soon as you possibly can.

I would also like to say that I truly do appreciate the effort to get this fixed. I have not of course looked all the way through the app so if something else is not quite right I do not know. But at least for now it is working correctly.

Thanks again!