sampsonight 4 Posted May 7, 2017 Posted May 7, 2017 I was reading the authentication wiki: https://github.com/MediaBrowser/Emby/wiki/Authentication Specifically the section about authing a user without a password. The web ui appears to go through a handshake and find the password used to authenticate a user whose hasPassword value is false. I can get the userId of public users, what is the url to hit to get the public users password when hasPassword is false?
sampsonight 4 Posted May 7, 2017 Author Posted May 7, 2017 I don't think so. The request to authenticateByName contains the username, password, and md5. I can see the password in the post and have used that to auth via the api. But I don't see where it is initially found when querying public users.
Luke 40076 Posted May 7, 2017 Posted May 7, 2017 The web app simply detects when there is only one single user and that user doesn't have a password, then it logs them straight in. We haven't documented this just yet because it is currently the only app doing it.
sampsonight 4 Posted May 7, 2017 Author Posted May 7, 2017 Ok, makes sense. I dug a little deeper and added a second user without a password. Looking at the web logs the same password/md5 was used to log that user in. There appears to be a single password/md5 for all users that do not have a password. Is this password/md5 unique to a server instance or will this combo work on *any* emby server where a user has not set their password?
Luke 40076 Posted May 7, 2017 Posted May 7, 2017 You always issue the same authentication request whether there is a password or not. When there is none then you just omit the password.
sampsonight 4 Posted May 7, 2017 Author Posted May 7, 2017 If I make a post to athenticateByName and I set the password in the payload to an empty string I get a 401 unauthorized. I've added the below 3 screenshots from postman demonstrating what I see. 200 if password is set, 401 if password is blank, 500 if password key is not in the json sent to server. Also I it appears that md5 is optional in a hasPassword=false user (I havn't tested with a user that has a pass)
Luke 40076 Posted May 7, 2017 Posted May 7, 2017 Yea I was stating that off of memory alone so you are right, yes.
sampsonight 4 Posted May 7, 2017 Author Posted May 7, 2017 OK. I just wanted to make sure I wasn't missing anything on the auth for users without a password. Thanks for your help
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now