Security breach - Sign-in without password

teiva

Docker Debian OMV 3.0.99 (erasmus)

Emby Server: 4.1.0.26


Repro:

  1. Sign in with server admin > Dashboard > Add user (via Emby email) > Save
  2. Select the user from step 1: "Users" > "Profile" > disable both:
    1. "Hide this user from login screens on the local network"
    2. "Hide this user from login screens when connected remotely"
  3. Sign out of server admin
  4. Select the newly added user from step 1 on the login screen
  5. Verify that no password is prompted for: the user is automatically signed in.

Expected Behavior:

User is prompted to input password with selected user


Actual Behavior:

No password prompt, and the user is automatically signed in.


teiva

Hi Luke,

Are you saying we have to specify a local password even though the user account is linked to an Emby account? What happened to "Add Guest"? (That link has been removed.) Everything was synced to the Emby account (password, profile pic, etc.).


It's not a very intuitive flow when creating new users, nor was it clear that I was creating a local user (post removal of the Add Guest link, which left only one option to create a user).


[Screenshot: Add User page]


So you're implying the server admin has to go back into the user settings after user creation and click on a separate tab to specify some secondary password, after the friend has created the Emby account with a different password.


[Screenshot: user Profile page]


I won't run off on a tangent about how many friends and family get confused by the idea of local user/password vs. Emby user/password, but at the very least the server should be enforcing a password before the user is enabled post-creation.


In summary, my request:

1. Add a required password field onto the "add [local] user" page so that no user can be created without a password.

2. ...or automatically disable all users that don't have a password meeting the minimum requirements, which would imply that after user creation the system admin would have to go back into the user settings to add a password before the user is enabled.


It's a linking process. Establishing the Emby Connect link does not replace local authentication but rather supplements it. So yes, you should assign a local password, but your remote user doesn't necessarily need to know what it is, because if you link them to Emby Connect, they can sign in that way.


There's a lot of confusion around Emby Connect, and we are gradually working towards something newer that will be even better. Please let us know if this helps. Thanks.


teiva

The server admin should assign a temporary password on user creation; then it's up to the user to change it to whatever they want once they sign in for the first time. Otherwise, with the current flow, the server admin could create users with null or empty passwords.


I mean, this is a standard flow anywhere else. I imagine it's not too much dev work to add a required password field on the add user page.

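The behaviour in the original repro (an account with no local password is signed in without a prompt) and the two fixes teiva asks for (a required, policy-conforming password at creation, and disabling any existing account that has none), together with the temporary-password-then-change flow from the last post, modelled as an added Python example. This is not Emby Server's code or anything from the thread; the names User, UserStore, MIN_PASSWORD_LENGTH and the use of PBKDF2-HMAC-SHA256 as the password hash are assumptions made for the illustration.

```python
"""Added illustration, not Emby Server code: the user-creation and login rules
discussed in this thread, modelled in plain Python.

Assumptions (not taken from the original page): the class names User and
UserStore, the policy constant MIN_PASSWORD_LENGTH, and PBKDF2-HMAC-SHA256 as
the password hash. A stored hash of None models an account that was created
without a local password, as in the reported flow.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_PASSWORD_LENGTH = 8          # assumed minimum requirement
PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    name: str
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None   # None: no local password has ever been set
    enabled: bool = True
    must_change_password: bool = False      # set when an admin issued a temporary password


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_meets_policy(password: Optional[str]) -> bool:
    """None, the empty string and short passwords all fail the (assumed) policy."""
    return bool(password) and len(password) >= MIN_PASSWORD_LENGTH


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    # --- the flow reported in the original post ---------------------------------
    def add_user_without_password(self, name: str) -> User:
        """Models 'Add user' as described in the repro: there is no password field,
        so the account lands in the store with no local credential at all."""
        user = User(name)
        self.users[name] = user
        return user

    def authenticate_vulnerable(self, name: str, password: Optional[str]) -> bool:
        """Reproduces the reported behaviour: an account with nothing stored is
        treated as 'nothing to check' and signed straight in."""
        user = self.users.get(name)
        if user is None or not user.enabled:
            return False
        if user.password_hash is None:
            return True                      # BUG: no password, no prompt, auto sign-in
        return hmac.compare_digest(_hash(password or "", user.salt), user.password_hash)

    # --- request 1: a password is required at creation --------------------------
    def create_user(self, name: str, password: Optional[str]) -> User:
        if not password_meets_policy(password):
            raise ValueError("a local password meeting the minimum requirements is required")
        salt = os.urandom(16)
        user = User(name, salt, _hash(password, salt))
        self.users[name] = user
        return user

    def create_user_with_temporary_password(self, name: str) -> Tuple[User, str]:
        """The flow proposed in the last post: the admin gets a random temporary
        password to hand over, and the user must change it at first sign-in."""
        temp = secrets.token_urlsafe(12)     # 16 characters, always passes the policy
        user = self.create_user(name, temp)
        user.must_change_password = True
        return user, temp

    def change_password(self, name: str, old: str, new: str) -> bool:
        user = self.users[name]
        if not self.authenticate(name, old) or not password_meets_policy(new):
            return False
        user.salt = os.urandom(16)
        user.password_hash = _hash(new, user.salt)
        user.must_change_password = False
        return True

    # --- request 2: disable anything that already exists without one ------------
    def disable_passwordless_users(self) -> List[str]:
        """Sweep existing accounts; any without a local password is disabled until
        an admin sets one with set_password()."""
        disabled = []
        for user in self.users.values():
            if user.password_hash is None and user.enabled:
                user.enabled = False
                disabled.append(user.name)
        return disabled

    def set_password(self, name: str, password: str) -> None:
        """Admin sets a local password on an existing account and re-enables it."""
        if not password_meets_policy(password):
            raise ValueError("password does not meet the minimum requirements")
        user = self.users[name]
        user.salt = os.urandom(16)
        user.password_hash = _hash(password, user.salt)
        user.enabled = True

    # --- hardened login: a missing credential is a denial, not a bypass ---------
    def authenticate(self, name: str, password: Optional[str]) -> bool:
        user = self.users.get(name)
        if user is None or not user.enabled or user.password_hash is None:
            return False                     # no local password means no local sign-in
        return hmac.compare_digest(_hash(password or "", user.salt), user.password_hash)
```

The two authenticate methods differ in exactly one branch: the vulnerable one treats an absent password as "nothing to verify", the hardened one treats it as "nothing that can be verified" and refuses. Either fix on the admin side (required field at creation, or the sweep that disables passwordless accounts) closes the hole, but the login check should refuse passwordless accounts regardless, so that a future creation path which skips the policy does not reopen it.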
