Emby for Android TV app fails login if the server is entered as a bare hostname

[MikaelKW 7]

It works if entered explicitly as:
https://emby.example.com

Setup:
-Emby Server version: 4.9.1.90
-Reverse proxy: NPMplus
-Cloudflare proxy in front
-Emby Network setting: Secure connection mode = Handled by reverse proxy
-Public HTTPS port: 443
-External domain:  emby.example.com

Browser login works correctly through the reverse proxy. The NPMplus access log shows:
POST /emby/Users/authenticatebyname ... 200

But Emby for Android TV / Android app fails login when the server is entered as a bare hostname. Initially, with Cloudflare Always Use HTTPS enabled, the login attempt appeared in the proxy log as:
GET /emby/Users/AuthenticateByName?format=json ... 401

Cloudflare was returning a 301 HTTP-to-HTTPS redirect before the request reached NPMplus.
I then disabled Cloudflare Always Use HTTPS and NPMplus Force SSL, and tested custom NPMplus redirects using 308 and 307. That changed the Android app request to:
POST /emby/Users/AuthenticateByName?format=json ... 308
and then:
POST /emby/Users/AuthenticateByName?format=json ... 307

but the app still failed to complete the login after the redirect.

So the conclusion is that the Emby for Android TV app appears not to handle HTTP to HTTPS redirects correctly during the AuthenticateByName login flow when the server is entered as a bare hostname. It either converts the login request to GET after a 301 redirect, or fails to complete login after a 307/308 redirect.

Expected behavior:
-If a user enters a bare domain like emby.example.com, the app should either default to HTTPS, follow 307/308 redirects correctly, or warn the user to enter https:// explicitly.
-The app should not fail with invalid username/password when the issue is actually HTTP-to-HTTPS redirect handling.

The workaround is the basically typing https:// first.
But it's a bit painful to try and guide my dad (nearly 65) to type https://. If i could just have him type emby.example.com that would be much easier, and maybe he could even remember it, lol.

[Luke 42637]

Hi.  Can you try searching for our standard android app (Just "Emby" on Amazon and "Emby for Android on Google) on the same device's app store and see how that compares?

Thanks.

 

[MikaelKW 7]

Hi,

I tested with the standard Emby for Android app on the same test device/BlueStacks.
Result is the same as with Emby for Android TV.

When entering the server as a bare hostname:
emby.example.com
login fails with:
Access token is invalid or expired

The proxy log shows the login request as a GET:
GET /emby/Users/authenticatebyname?X-Emby-Client=Emby+for+Android&X-Emby-Device-Name=SM-S908E&X-Emby-Device-Id=[redacted]&X-Emby-Client-Version=3.5.36&X-Emby-Language=en-us HTTP/2.0" 401

When entering the server explicitly as:
https://emby.example.com
login succeeds.

The proxy log then shows the correct POST request:
POST /emby/Users/authenticatebyname?X-Emby-Client=Emby+for+Android&X-Emby-Device-Name=SM-S908E&X-Emby-Device-Id=[redacted]&X-Emby-Client-Version=3.5.36&X-Emby-Language=en-us HTTP/2.0" 200

So it is not only Emby for Android TV. The standard Emby for Android app behaves the same where bare hostname fails, explicit "https://" works.