Roku pin behavior not as expected

[theaudcouple 2]

Hello,

With the update to 4.8 the pins for users on emby are behaving strangely.

I am using a TCL Roku tv with the emby app on 4.1 build 8

The TV software version is 12.5.5 build 4147-DK

Software update says the software is up to date.

emby is installed using docker compose on Ubuntu 22.04

I have two main profiles, kids and parents.

For kids, I have no pin, the kids are able to login as usual/expected.

On the parents, profile, I have logged in with the password and selected use pin for this user.

When I exit emby and go back into the parents profile, I am asked for a pin, but entering a pin is VERY slow, I can see the media of the parents profile behind the pin selection window, and if I just select OK, I can enter the profile without the pin.

If I try to go from the kids profile to the parents profile using the profile change (the icon of a person), the  pin selection works as expected, I can enter the pin quickly using the remote, I don't see the media of the parents profile behind the pin window, and I have to enter the correct pin to enter the parents profile.

If I enable remember me in advanced settings, then when I exit the parents profile, the pin window is responsive as other pin windows, I don't see the media behind pin window, and I have to enter the correct pin.  However, to get to the kids profile, the parents pin has to be entered, or before exiting I have to remember to enter the kids profile.  This obviously is not the desired way for the profiles to work.

 

I have deleted the emby app from the tv, reinstalled, deleted the parents profile and setup fresh, selected use pin on the screen after entering the password, but still get the unusable behavior.

This seems to be a rework of feature that existed.  It looks like it will be better (at least for what I use).  The having a pin screen instead of a password screen is visually better, having the ability to hide the curser on the pin selection screen is a great game changer for my usage.

I don't know if this would be a quick fix or even desireable, but if I could have the non pin kids profile be the default login, and have to use the user switcher to get to the parents profile, that would work.  I don't know how to have  a default profile that gets logged in regardless of which profile was last used.  If that exits, please let me know so I can use that until/instead of the entering a pin for a profile.

Thanks.

Here is the system info

 Info Main: Emby
embyserver  |     Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
embyserver  |     Operating system: Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubunt
embyserver  |     Framework: .NET 6.0.25
embyserver  |     OS/Process: x64/x64
embyserver  |     Runtime: system/System.Private.CoreLib.dll
embyserver  |     Processor count: 24
embyserver  |     Data path: /config
embyserver  |     Application path: /system
embyserver  | Info Main: Logs path: /config/logs
embyserver  | Info Main: Cache path: /config/cache
embyserver  | Info Main: Internal metadata path: /config/metadata
embyserver  | Info App: Emby Server Version: 4.8.1.0

[Luke 37070]

Hi, we are working on improving this and we'll look into these. Thanks for the feedback !

[ebr 14913]

On 2/12/2024 at 1:17 PM, theaudcouple said:

When I exit emby and go back into the parents profile, I am asked for a pin, but entering a pin is VERY slow, I can see the media of the parents profile behind the pin selection window, and if I just select OK, I can enter the profile without the pin.

Hi.  Can you explain the exact steps you went through here?

On 2/12/2024 at 1:17 PM, theaudcouple said:

I don't know if this would be a quick fix or even desireable, but if I could have the non pin kids profile be the default login, and have to use the user switcher to get to the parents profile, that would work.  I don't know how to have  a default profile that gets logged in regardless of which profile was last used.

That is a possibility as the Android TV app has that feature now.  For now, what you want to do is uncheck "Remember me" and let the app prompt you for the user on each startup.  That should work as you desire.

[theaudcouple 2]

11 hours ago, Luke said:

Hi, we are working on improving this and we'll look into these. Thanks for the feedback !

Thanks

[theaudcouple 2]

1 hour ago, ebr said:

               When I exit emby and go back into the parents profile, I am asked for a pin, but entering a pin is VERY slow, I can see the media of the parents profile behind the                                        pin selection  window, and if I just select OK, I can enter the profile without the pin.

 

Hi.  Can you explain the exact steps you went through here?

 

Yes. 

I enter the parents profile, currently by selecting the ok option at the bottom of the pin selection screen.

Press the back button on the remote,

on the "Would you like to shutdown Emby on Roku?" screen, select "Exit" and press the ok button on the remote

Select the Emby app from the Roku TV  menu and press ok on the remote

On the "Select Server" screen, I select the parents profile and press ok on the remote

The "Enter your Pin to continue." pop up appears with normal pin selection window.

This is where the problem is.

Behind the pop up window, you can see media libraries, Continue Watching, etc

at this point, after entering the parents profile from the server selection screen, the pin selection pop up screen will not accept inputs correctly.

If I try to navigate to the right, left, down or up, the highlighted item goes to "OK" after several presses in any direction on the remote.  Once the highlighted item is on "OK", if I press up several times, the highlight will go to another button, sometimes 3, sometimes the back button, sometimes delete.  It is not possible to input the pin.

Once the highlighted item is on the ok button, it can be selected and the parents profile can be entered without entering the pin.

This is the behavior right after I login with the password and select use pin, after I reset the emby from within the app, after I remove and readd the emby app from the Roku TV menu, if I press * to hide/show the highlight in the keypad.  Every time I enter the parents profile from the emby server screen this is the way the pin screen is working.

 

However, when I select the kids profile from "Select Server" screen, which does not have a pin, I can enter it with normally, without a pin. 

Once in the kids profile,  I select the icon at the top of the screen that looks like a head and shoulders

I select "Switch to parents"

The pin selection pop up window appears, I am able to navigate and enter the correct pin, and, no media or other information from the parents profile appears in the background.

Attached is a picture of the pin not working, where you can see media behind the pin popup window, which I can not enter the pin on, and a pin working picture, where there is no media behind the pin popup window and entering the pin works.

 

2 hours ago, ebr said:

That is a possibility as the Android TV app has that feature now.  For now, what you want to do is uncheck "Remember me" and let the app prompt you for the user on each startup.  That should work as you desire.

This would work if I could select the kids profile as the only one to be remembered, but the "Remember me" applies to both profiles/the entire server on my Roku TV

If I select "Remember me" in the kids profile, then use the icon of a head and shoulders to select the parents profile, enter the pin on the pin selection popup window and enter the parents profile, when I exit emby and select emby from the roku tv app screen, I am asked "Enter your PIN to continue."  I must enter the parents pin to be able to enter emby.  If I select "Cancel", the only option that can be selected without entering a pin, I get the screen "Whoops, wrong PIN.  Please try again."  with the options of "OK" "Exit" "Forgot PIN?". 

This will not work to be able to have the kids profile be entered by those without the parents pin.

The "Remember me" option for Roku TV seems to be applied to the server, not individual profiles.

Do you know of a way to have the "Remember me" option only apply to a single profile?

Thanks

 

 

 

 

 

[theaudcouple 2]

I thought a short term solution would be to spin up another server/docker container.

Unfortunately, the "Remember me" option is device wide, so even with a different server I can't work around the pin problem.

If there was a second emby app I could install on the Roku TV, I could use each app for each user.

If there was a way to select a different server on the pin pop up window, or a secondary window, that could work.

It looks like until this gets sorted out I will need to add a second device or see if jellyfin can provide a satisfactory experience for one of the users.

I wonder if jellyfin can read the thumbnails emby made?

Looking for to an emby solution!

[Luke 37070]

Hi, not to worry. We will get these kinks worked out. The profile pin feature is brand new and we are still refining it. Thanks.

[theaudcouple 2]

34 minutes ago, Luke said:

Hi, not to worry. We will get these kinks worked out. The profile pin feature is brand new and we are still refining it. Thanks.

I know, sorry if I seem unappreciative.  Emby sits in the sweet spot between Plex and jellyfin.  I find it about perfect.  Just signaling I'm not jumping ship.

[ebr 14913]

6 hours ago, theaudcouple said:

The "Remember me" option for Roku TV seems to be applied to the server, not individual profiles

As I think you've discovered, it is applied to the entire app - but it really only governs if it automatically logs into the last user.  Since you don't want this, you should be able to uncheck it and then your children should just be able to select their profile on each app start...

[theaudcouple 2]

13 hours ago, ebr said:

As I think you've discovered, it is applied to the entire app - but it really only governs if it automatically logs into the last user.  Since you don't want this, you should be able to uncheck it and then your children should just be able to select their profile on each app start...

Yes, that enables the kids profile to login without issue, but leaves me with the problem of the pin being able to be bypassed to enter the parents profile.

 

[Guest CodeCat5]

15 hours ago, theaudcouple said:

If there was a second emby app I could install on the Roku TV, I could use each app for each user.

This was basically the only solution I've found for my Android devices. The user login system in Emby just isn't very secure and it's way too easy to bypass the PIN authentication through multiple methods. So now I have the "Emby for Android TV" app setup for my kids, and the "Standard Android" app setup for myself which is locked behind parental controls, so it's not Emby's system that's controlling access. Now I just have to hope Emby sorts out the authentication before they drop support for the Android TV app.

I know Emby has a beta app for Roku so you can essentially have 2 copies of the app installed at once, so I wonder if something similar might be possible on Rokus? 

*edit*  I remembered the Roku beta requires an invite, so I guess that's probably not going to help here. 

Edited February 15 by CodeCat5

[ebr 14913]

58 minutes ago, CodeCat5 said:

and it's way too easy to bypass the PIN authentication through multiple methods

Hi.  Can you do that with the Android TV beta?

[Guest CodeCat5]

4 minutes ago, ebr said:

Hi.  Can you do that with the Android TV beta?

Last I checked around 10 days ago I could.

[theaudcouple 2]

Just to be clear, this is the Emby app on Roku, not Android TV.   The Emby on Roku may be based on the Android app, but I don't have access to Android settings on the Roku TV,

[ebr 14913]

5 minutes ago, CodeCat5 said:

Last I checked around 10 days ago I could.

The beta of Android TV did not have the feature 10 days ago...

[ebr 14913]

1 hour ago, theaudcouple said:

but leaves me with the problem of the pin being able to be bypassed to enter the parents profile

I cannot reproduce that.  Is there anything interesting about this profile?  It has both a password and a PIN, right?

[theaudcouple 2]

Yes, it has both a password and a pin on the parents profile.

I enter the password first, then am asked if I want to user the pin.  I selected yes, but have the problem with the pin.

I have tried a new docker container with 4.9.0.3 beta of emby, with the profile having both a  password and pin, only one profile, have the dns of the docker container to 8.8.8.8, 8.8.4.4, the dns of the network the TV is on is also using googles public dns servers.  The result is the same.  The pin can be bypassed, by either clicking ok or entering any numbers.

On both containers, 4.8 and beta, I have tried leaving the network settings as default, and changing the lan network and local ip to the appropriate settings for the network (192.168.1.1/24 and the ip address of the host computer).  I take down and bring up the docker container between all changes.  The network mode of the docker containers is on bridge.

Is there a beta Emby app for Roku I could try, get an invite for?

The only thing I think I can do on my end is to reset the tv, which is an option I am hesitant to take.

ebr, can I know your setup, and the steps you take.  Maybe if I do what you do, I will have a positive result

[theaudcouple 2]

56 minutes ago, ebr said:

I cannot reproduce that.  Is there anything interesting about this profile?  It has both a password and a PIN, right?

I don't think there is anything interesting on the profile.  As mentioned, I spun up a new server and then also tried the beta version of Emby on docker to eliminate any legacy issues with the profile, setup, container, network, dns settings, waiting for the network changes to promulgate.  I took the same steps with both the new 4.8 server and the beta server.  I connect the Emby app on the Roku TV to the new server which has a new user with password and pin, login to the new user with a password, select use pin.  I still have the issue of the media being seen behind the pin selection pop up and selecting a pin to be very difficult, any numbers entered will allow login, or no numbers entered and just selected ok lets a user in.  I have tried not setting up a pin at first, logging in with just a password, then adding a pin, the problem is the same and remains.  The only thing I have not made new is the TV.

[Guest CodeCat5]

1 hour ago, ebr said:

The beta of Android TV did not have the feature 10 days ago...

I just tested again and it looks like some of the authentication issues have been resolved, so that's cool. However...

Standard Android App
The biggest vulnerability in the standard app still remains. If you press the "Home" button to exit from the standard Android app or if you put your device to sleep, then it doesn't log you out. I can launch different apps, then come back to Emby and I'm logged into my admin account still without it requiring authentication. Last I saw that was still possible even a full day later (and likely longer than that, though I didn't really try to test longer periods).

I can also still get in through a "Continue Watching" section on my Android homepage. I logged out of the standard Emby Android app, but I can launch a recent show from the "Continue Watching" section on my Android home screen. It'll show the pop-up asking for my pin. Press "back" and it goes to the password login screen. Press "back" again and it starts playing the media that should be restricted. It doesn't seem to be 100% consistent, sometimes it doesn't play the media, and sometimes you don't even have to press "back" on the password screen before the media starts playing.

 

Emby for Anrdoid TV
The "Emby for Anrdoid TV" app has the same vulnerability as the standard Android app with pressing the home button or putting the app to sleep.

The vulnerability from the "Continue Watching" section in the Android TV app is even worse than the standard app. I signed out of the Android TV app, then confirmed that I was logged out by launching the app again and saw the screen to select a user. Then I launched a show from the "Continue Watching" section on my Android home screen and I was taken right into the show's page with no kind of authentication in sight. From there I can easily use the "Go to Show" option, scroll down to the "More Like This" section, and essentially access any media I can find there which should all require authentication.

I can also login to my admin account, then use the "Switch Users" option to switch to my kids account. I would think switching to my kids account should log me out of my admin account, but you can still go right back to the "Switch Users" menu and log back into my admin account with no authentication. This is happening with the "Start Up Behavior" option set to "Show Login Screen", so no auto-logins or anything like that.
This one doesn't seem consistent either though - It was letting me switch without authenticating 15 minutes ago, but now it's asking for my PIN when I try to switch accounts as I would expect. I did not change any settings or etc. The only thing I did was exit the app, relaunch, and switch accounts a few times. This last time it would not accept my PIN after 3 tries, so I entered my password and the pop-up appeared again asking if I wanted to enable a PIN, which I did. I'm guessing that's what changed and why it's requiring my PIN when switching accounts, but it should have done that from the beginning. So now it asks for my PIN if I use the "Switch to (account)" feature, but I can simply back of of that and exit Emby. Then I can relaunch Emby, select my admin account from the login screen, and it logs me in with no authentication. So as far as I can tell, the main issue here is that Emby does not treat switching accounts as logging out and is still essentially keeping my admin account logged in even after switching accounts.

 

I know this has gone off-topic at this point since this is the Roku forum, so of course feel free to move this post to a more appropriate forum if you'd like.

Edited February 15 by CodeCat5

[theaudcouple 2]

I reset a Roku TV and the pin issue is the same.

[ebr 14913]

37 minutes ago, CodeCat5 said:

The vulnerability from the "Continue Watching" section in the Android TV app is even worse than the standard app. I signed out of the Android TV app, then confirmed that I was logged out by launching the app again and saw the screen to select a user. Then I launched a show from the "Continue Watching" section on my Android home screen and I was taken right into the show's page with no kind of authentication in sight. From there I can easily use the "Go to Show" option, scroll down to the "More Like This" section, and essentially access any media I can find there which should all require authentication.

I cannot reproduce that. I get prompted for the password or PIN.  Exactly what home screen row are you choosing?  Play Next?

However, I did just find a hole in the PIN request when going through the "select user" screen and a new beta is up to resolve that.

[ebr 14913]

22 minutes ago, theaudcouple said:

I reset a Roku TV and the pin issue is the same.

Any way you could create a video or something because I cannot make it fail.  It prompts me for my PIN every time and won't accept an invalid one.

[theaudcouple 2]

Maybe, did you see the screenshot?

[Guest CodeCat5]

13 minutes ago, ebr said:

I cannot reproduce that. I get prompted for the password or PIN.  Exactly what home screen row are you choosing?  Play Next?

However, I did just find a hole in the PIN request when going through the "select user" screen and a new beta is up to resolve that.

This is from the "Watch Next" section in Projectivy Launcher, though I think most other launchers have something similar that gets a feed from Emby and other apps.  I went to test again and now it is asking me for a PIN, and I can't seem to reproduce the issue again. I saw it several times on 2 different devices and it was easily reproducible, so I know it wasn't just some sort of one-off fluke.

Before seeing your reply and testing again, I did make a somewhat significant change that may have something to do with it. My kids account has never had a password so they could easily login. I had just added a password to their account, then shortly after that I saw your post and could not reproduce the issue again. I removed the password from my kids account but still can't seem to reproduce it again, so all I can figure is that something with me updating their password is what caused the change.

In the meantime, something with all of that broke the ability for me to login to the Android TV app with the d-pad and PIN again, so I guess I'm off to troubleshoot that one now. 

 

 

[Guest CodeCat5]

2 hours ago, ebr said:

Any way you could create a video or something because I cannot make it fail.  It prompts me for my PIN every time and won't accept an invalid one.

I decided to try out of curiosity. It was easier to reproduce than I expected...

 

I'm pretty sure that this comes back to that "Remember Me?" bug that screws up the PIN entry that I told you about a couple of weeks ago.

*edit*

Yup, I confirmed it. I went into the settings and toggled "Remember Me?", then exited the app. The next time I launched Emby I could not see anything behind the PIN entry box, and pressing "OK" brings up the "Wrong PIN" pop-up instead of granting access.

However, there's still a bit of a security issue here as well. When you get to that "Wrong PIN" screen, just press the "back" button. The screen is mostly blank, but you can navigate up to the top settings cog and change anything you want there with no authentication necessary.

*edit #2*

Oh neat. From that same mostly black screen you can also use the search icon and get access to anything you search for, again, without any type of authorization. Apparently the app authenticates the user before the PIN is ever actually entered.

 

Edited February 15 by CodeCat5