TeamB, posted April 9, 2020

Hi

What are my options for securing Plugin API endpoints?

https://github.com/MediaBrowser/Emby/wiki/Creating-Api-Endpoints

In the above example the API endpoints created are open to all access, no user validation is done. I want to check for valid user and what user is accessing the API.

Luke, posted April 9, 2020

Just add this attribute to the class that implements IService:

    [Authenticated]

It's in MediaBrowser.Controller.Net

TeamB (Author), posted April 9, 2020

I was just looking at the reports plugin as I thought that would be a good reference, but it looks like it is not authenticated at all:

    /Reports/Items?IncludeItemTypes=Movie

Returns all movies. Probably not what was intended, as this leaves your collection data open to scraping if you have the Reports plugin installed.

So then I had a think about using [Authenticated] APIs in JavaScript, how do I do that? Do I need to add the Auth Token in the URL?

TeamB (Author), posted April 9, 2020

Crap, that means all my Playback Reports API endpoints are completely open as well.

TeamB (Author), posted April 9, 2020 (edited April 9, 2020)

OK, api_key=<valid token> works in URLs, so I am off to plug some holes.

How do I get current user with an [Authenticated] endpoint?

TeamB (Author), posted April 10, 2020 (edited April 10, 2020)

From what I can see, when using ApiClient.ajax() it automatically adds the auth headers, so this is an easy fix.

    // Wrapper that goes through ApiClient.ajax() for the GET request.
    ApiClient.getUserActivity = function (url_to_get) {
        console.log("getUserActivity Url = " + url_to_get);
        return this.ajax({
            type: "GET",
            url: url_to_get,
            dataType: "json"
        });
    };

@Luke How can I get the logged in user when an API is Authenticated? I want the user ID and name of the user associated with the authentication.

I had a look in IUserManager but I don't see anything for current logged in user.

Luke, posted April 10, 2020

    var user = _authorizationContext.GetAuthorizationInfo(Request).User;

Where _authorizationContext is IAuthorizationContext, and to get Request, have your service implement IRequiresRequest

TeamB (Author), posted April 10, 2020 (edited April 10, 2020)

> have your service implement IRequiresRequest

How? Do you have an example?

EDIT: Found it, sorted now, thanks

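
The two answers in this thread combined into one service, as an added example that is not code from the thread or from the Emby project: the class carries [Authenticated], implements IRequiresRequest to receive Request, and resolves the caller through IAuthorizationContext. The namespace, route, DTO and class names are hypothetical; constructor injection of IAuthorizationContext, the Id and Name members on the returned user, and a null User for a token with no user behind it are assumptions.

```csharp
using System;
using MediaBrowser.Controller.Net;   // [Authenticated], IAuthorizationContext
using MediaBrowser.Model.Services;   // IService, IRequiresRequest, IRequest, [Route], IReturn<T>

namespace ExamplePlugin.Api   // hypothetical plugin namespace
{
    // Hypothetical request DTO and route, named for this example only.
    [Route("/ExamplePlugin/WhoAmI", "GET", Summary = "Returns the calling user")]
    public class GetWhoAmI : IReturn<WhoAmIResult> { }

    public class WhoAmIResult
    {
        public string UserId { get; set; }
        public string UserName { get; set; }
    }

    // Without [Authenticated], every route on this class answers any caller
    // that can reach the server, which is the problem described in the thread.
    [Authenticated]
    public class WhoAmIService : IService, IRequiresRequest
    {
        private readonly IAuthorizationContext _authorizationContext;

        // Set by the server before the handler runs (IRequiresRequest).
        public IRequest Request { get; set; }

        // Assumption: the server supplies IAuthorizationContext via the constructor.
        public WhoAmIService(IAuthorizationContext authorizationContext)
        {
            _authorizationContext = authorizationContext;
        }

        public object Get(GetWhoAmI request)
        {
            var user = _authorizationContext.GetAuthorizationInfo(Request).User;

            // Assumption: a valid token that is not tied to a user yields null.
            // Refuse instead of returning data that should be scoped to a user.
            if (user == null)
            {
                throw new UnauthorizedAccessException("No user is associated with this token.");
            }

            return new WhoAmIResult { UserId = user.Id.ToString(), UserName = user.Name };
        }
    }
}
```

Endpoints that return per-user data can use the resolved user to filter results on the server side instead of trusting a user ID passed in the query string.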