Crazytestocrionlol 0 Posted January 12, 2025

Hi Emby team,

After having debugged an odd issue for about an hour, I've come across what I think is either unfortunate design or just an oversight in how API keys are tied to ownership.

After having created an API key, I noticed after a while that the key was gone, and I couldn't initially figure out why. But I have now concluded that the local user account that created the API key no longer existed; even though I accessed the API key page from a different local admin account, the API key wasn't there.

Going down the rabbit hole, I've discovered the following:

- When you create an API key, an entry in the "Authentication.db" database in table "Devices2" is created, assigning an ID to your local user account.
- The API key is placed into the "Authentication.db" database in table "Tokens_2" with a reference to the device (in this case a user account) in "Devices2".
- If the user is deleted, it seems there's a relation that also deletes all "Devices" associated with the user.
- So the entry in "Devices2" is removed.
- The API key in "Tokens_2" continues to exist. It is still set as "active", but it is now referencing a DeviceID that no longer exists in "Devices2".
- This causes the key to disappear from the API key view in the Emby admin panel.
- It also causes all API calls with said key to fail as if the key is invalidated.

Essentially, an API key follows the user who created it; technically, it follows the 'device' that the user who created it was using. In the API key overview it's impossible to see which user is associated with the API key, so you could very easily accidentally delete a user and wipe an API key. It appears that with this relation for API keys, a server "API key" doesn't appear to exist, as all API keys are associated with a user and not the server.

From a design perspective there are a few reasons this could be unfortunate, but I just wanted to check: is this a bug? Or are you aware that the API keys essentially become broken in this scenario? The reason I assume there's a bug here is that if the API key is actually intended to be associated with the user, why keep it in the database? Why not just delete the API key?
Crazytestocrionlol 0 Posted January 13, 2025 Author

Not able to edit or remove my own thread, but this thread can be ignored. I've concluded that I might have made a few mistakes in my findings, and this most likely ain't the problem I assumed.
Luke 42078 Posted January 13, 2025

Hi, thanks for following up. Just to clarify, when a device is deleted, so too are all authentication tokens for it.