security measures/api keys problem


Posted

the api keys are a great idea but somehow mb theatre and w8 app have been revoked/lost and now I can't get them to connect and there doesn't seem to be a straightforward way to reapply an api key, no settings for it in the w8 app and mb-theatre kicks me out so I don't know if there's settings in there???

help a brother out...

I was only wanting to have a play see how far they've come can't even get in them!!!! lol

Posted

@7illusions should a reinstall resend api key authentication??

Posted

Keys are automatically issued for any app that authenticates properly. Make sure you have the most recent versions.

7illusions
Posted

The win8 app is in testing at Microsoft.

Posted

The win8 app is in testing at Microsoft.

That should only be a month or two then?? Lol
  • 5 months later...
Posted (edited)

I don't get it!
I do not see that the API key has any security function.

If I play an IPTV link using the Video Bookmarks plugin (or any other file) and then save the video link and revoke all the API keys,

I can then still play the link on any computer from everywhere! :o

VLC/Firefox/Chrome.....

Edited by AXP33
Posted

The API key is securing access to our server, not the video content if it is copied somewhere.

Posted

Okay, thanks for the reply :)

But then I've got a totally open server setup :o

:huh:

Posted

He means for example he can copy the URL and email it to me and I can then go straight to the video without ever being prompted to login or anything using his key.

 

This shouldn't happen.

Posted

He means for example he can copy the URL and email it to me and I can then go straight to the video without ever being prompted to login or anything using his key.

 

This shouldn't happen.

 

No, I would also think that shouldn't happen.  If that is true, then the playback API isn't requiring the auth header.  That would surprise me but maybe that is the case.  Has someone verified this is true?

Posted (edited)

Verified!?

I showed it in the chat!

Why don't you just try it yourself!?!

Edited by AXP33
Posted

Well, I suppose you could consider that a feature (and I guess it is necessary for the items to work with players).  What is the exposure?  You'd have to provide someone a link for that to work.

Posted

Yep

The exposure is that I can provide a link and have got no way of stopping serving it!

That's a ............... :( option

 

Posted

So don't give out links ;).

 

The server needs to be able to deliver video content to any type of device to consume it so there is no way we could secure that and still have it work in say mpc-hc or any other video player that we didn't write ourselves.

Posted (edited)

Yes of course a way to look at it :)

But when I use e.g. VLC then I can change the code as it suits me

I do not understand why you do not understand :wacko:

Edited by AXP33
Posted

If you can use a file from a server and the admin cannot change the use of it, what is the admin then?!?

Posted

But when I use eg VLC then I can change the code as it suits me

 

No, that I don't understand.  How are you going to change the code inside VLC?

 

When we write an app to play a video, we need to give some form of video player a URL or other reference to the content it needs to play. That video player needs to be able to access that content and we cannot require any special headers or anything else (other than something on the actual URL) in order for it to do so.

Posted

I honestly do not see this as a big deal, I'd rather keep allowing this so we can choose any player we want to play back the content.  Especially on the android and PC side as for me that is huge.

 

I am much more concerned about having to leave the login page to mediabrowser open to the web in order for MB Connect to work.  With my kids not having passwords on their accounts, it leaves those accounts wide open for anyone to login.  I swear there used to be a feature that would only require the passwords when being accessed from a public IP.

Posted

I honestly do not see this as a big deal, I'd rather keep allowing this so we can choose any player we want to play back the content.  Especially on the android and PC side as for me that is huge.

 

I am much more concerned about having to leave the login page to mediabrowser open to the web in order for MB Connect to work.  With my kids not having passwords on their accounts, it leaves those accounts wide open for anyone to login.  I swear there used to be a feature that would only require the passwords when being accessed from a public IP.

 

Well that isn't really true. The Connect feature has no relation to your MBS-defined passwords or visibility. Explore the user configuration area to find what you're looking for.

Posted (edited)

I do not want to prevent one or the other program from playing my content, I just want to be able to close and open to what I please, when I feel like it ;)

 

Blocking of VLC is not what is needed...... Then what about the x000 other players !

Edited by AXP33
Posted

The playback streaming urls and image urls are basically the only two api endpoints that don't require an authentication token, and it's only to preserve compatibility with apps that haven't yet updated to use the newer security. Once we have those updated, it will change.
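
An added example, not part of any post in this thread and not Media Browser's own code: the posts above note that a third-party player can only be handed a URL, and that the streaming URLs currently need no token. One way a server can stay in control is to carry an expiring, signed token tied to an API key in the URL itself. The parameter names `k`, `e`, `s`, the path, the key id and the secret are all assumptions made up for this sketch.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # server-side only; constructed for this example
REVOKED_KEYS = set()                 # API key ids the admin has revoked


def _mac(path, key_id, expires):
    # Newline-separated fields so values cannot run into each other.
    msg = f"{path}\n{key_id}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_stream_url(path, key_id, ttl=3600, now=None):
    """Return path plus key id, expiry and HMAC as query parameters."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl
    return f"{path}?k={key_id}&e={expires}&s={_mac(path, key_id, expires)}"


def verify_stream_url(url, now=None):
    """Return (allowed, reason) for a URL presented by any player."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        key_id, expires, sig = query["k"][0], int(query["e"][0]), query["s"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    expected = _mac(parts.path, key_id, expires)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if (time.time() if now is None else now) > expires:
        return False, "expired"
    if key_id in REVOKED_KEYS:
        return False, "key revoked"
    return True, "ok"
```

A copied link then works in VLC or a browser only until it expires or until the admin revokes the key it was issued under.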

Posted (edited)

No, that I don't understand.  How are you going to change the code inside VLC?

 

Really :o

 

Settings

Stream-output

Http

And ;)

Edited by AXP33
Posted

Well that isn't really true. The Connect feature has no relation to your MBS-defined passwords or visibility. Explore the user configuration area to find what you're looking for.

I stand corrected, it is there, but I think we have not really documented that feature anywhere? And it's not even an option until you set a password on the account locally that you even see it as an option. It would be nice if the easy pin code options were visible but greyed out, for folks who never set passwords for their user accounts, they would have no clue the pin settings are even there.

Posted

The playback streaming urls and image urls are basically the only two api endpoints that don't require an authentication token, and it's only to preserve compatibility with apps that haven't yet updated to use the newer security. Once we have those updated, it will change.

Why not just make an on / off option

Local or not !?
