TeamB, posted April 9, 2020

Hi

What are my options for securing Plugin API endpoints?

https://github.com/MediaBrowser/Emby/wiki/Creating-Api-Endpoints

In the above example the API endpoints created are open to all access, no user validation is done. I want to check for valid user and what user is accessing the API.

Luke, posted April 9, 2020

Just add this attribute to the class that implements IService:

    [Authenticated]

It's in MediaBrowser.Controller.Net

TeamB (Author), posted April 9, 2020

I was just looking at the reports plugin as I thought that would be a good reference, but it looks like it is not authenticated at all:

    /Reports/Items?IncludeItemTypes=Movie

Returns all movies. Probably not what was intended, as this leaves your collection data open to scraping if you have the Reports plugin installed.

So then I had a think about using [Authenticated] APIs in JavaScript, how do I do that? Do I need to add the Auth Token in the URL?

TeamB (Author), posted April 9, 2020

Crap, that means all my Playback Reports API endpoints are completely open as well.

TeamB (Author), posted April 9, 2020 (edited April 9, 2020 by TeamB)

OK, api_key=<valid token> works in URLs, so I am off to plug some holes.

How do I get current user with an [Authenticated] endpoint?

TeamB (Author), posted April 10, 2020 (edited April 10, 2020 by TeamB)

From what I can see, when using the ApiClient.ajax() it automatically adds the auth headers, so this is an easy fix.

    // Goes through ApiClient.ajax(), which attaches the auth headers.
    ApiClient.getUserActivity = function (url_to_get) {
        console.log("getUserActivity Url = " + url_to_get);
        return this.ajax({
            type: "GET",
            url: url_to_get,
            dataType: "json"
        });
    };

@Luke How can I get the logged in user when an API is Authenticated? I want the user ID and name of the user associated with the authentication.

I had a look in IUserManager but I don't see anything for current logged in user.

Luke, posted April 10, 2020

    var user = _authorizationContext.GetAuthorizationInfo(Request).User;

Where _authorizationContext is IAuthorizationContext, and to get Request, have your service implement IRequiresRequest

TeamB (Author), posted April 10, 2020 (edited April 10, 2020 by TeamB)

> have your service implement IRequiresRequest

How? Do you have an example?

EDIT: Found it, sorted now, thanks.

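The two replies from Luke combined into one service, as an added example that is not code from the thread or from the Emby project: an [Authenticated] IService that implements IRequiresRequest and resolves the calling user through IAuthorizationContext. The route, namespace, class names and DTOs are hypothetical; constructor injection of IAuthorizationContext and a null User for tokens not bound to an account are assumptions.

```csharp
using System;
using MediaBrowser.Controller.Net;   // AuthenticatedAttribute, IAuthorizationContext
using MediaBrowser.Model.Services;   // IService, IRequiresRequest, IRequest, Route, IReturn

namespace ExamplePlugin.Api          // hypothetical plugin namespace
{
    // Hypothetical request DTO and route, for illustration only.
    [Route("/example_plugin/whoami", "GET", Summary = "Returns the calling user")]
    public class GetWhoAmI : IReturn<WhoAmIResult> { }

    public class WhoAmIResult        // hypothetical response DTO
    {
        public string UserId { get; set; }
        public string UserName { get; set; }
    }

    // [Authenticated] goes on the class that implements IService, as in the
    // thread, so a request without a valid token does not reach Get().
    [Authenticated]
    public class WhoAmIService : IService, IRequiresRequest
    {
        private readonly IAuthorizationContext _authorizationContext;

        // Assumption: the server injects IAuthorizationContext via the constructor.
        public WhoAmIService(IAuthorizationContext authorizationContext)
        {
            _authorizationContext = authorizationContext;
        }

        // IRequiresRequest: the server sets this to the current request.
        public IRequest Request { get; set; }

        public object Get(GetWhoAmI request)
        {
            var user = _authorizationContext.GetAuthorizationInfo(Request).User;

            // Assumption: a token that is not bound to a user account yields no
            // User, so per-user data must not be served for it.
            if (user == null)
                throw new UnauthorizedAccessException("Token is not tied to a user.");

            // Scope the response to the caller's own identity, never to a
            // user id taken from the query string.
            return new WhoAmIResult { UserId = user.Id.ToString(), UserName = user.Name };
        }
    }
}
```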