Emby for Android TV app fails login if the server is entered as a bare hostname

[MikaelKW 8]

It works if entered explicitly as:
https://emby.example.com

Setup:
-Emby Server version: 4.9.1.90
-Reverse proxy: NPMplus
-Cloudflare proxy in front
-Emby Network setting: Secure connection mode = Handled by reverse proxy
-Public HTTPS port: 443
-External domain:  emby.example.com

Browser login works correctly through the reverse proxy. The NPMplus access log shows:
POST /emby/Users/authenticatebyname ... 200

But Emby for Android TV / Android app fails login when the server is entered as a bare hostname. Initially, with Cloudflare Always Use HTTPS enabled, the login attempt appeared in the proxy log as:
GET /emby/Users/AuthenticateByName?format=json ... 401

Cloudflare was returning a 301 HTTP-to-HTTPS redirect before the request reached NPMplus.
I then disabled Cloudflare Always Use HTTPS and NPMplus Force SSL, and tested custom NPMplus redirects using 308 and 307. That changed the Android app request to:
POST /emby/Users/AuthenticateByName?format=json ... 308
and then:
POST /emby/Users/AuthenticateByName?format=json ... 307

but the app still failed to complete the login after the redirect.

So the conclusion is that the Emby for Android TV app appears not to handle HTTP to HTTPS redirects correctly during the AuthenticateByName login flow when the server is entered as a bare hostname. It either converts the login request to GET after a 301 redirect, or fails to complete login after a 307/308 redirect.

Expected behavior:
-If a user enters a bare domain like emby.example.com, the app should either default to HTTPS, follow 307/308 redirects correctly, or warn the user to enter https:// explicitly.
-The app should not fail with invalid username/password when the issue is actually HTTP-to-HTTPS redirect handling.

The workaround is the basically typing https:// first.
But it's a bit painful to try and guide my dad (nearly 65) to type https://. If i could just have him type emby.example.com that would be much easier, and maybe he could even remember it, lol.

[Luke 42640]

Hi.  Can you try searching for our standard android app (Just "Emby" on Amazon and "Emby for Android on Google) on the same device's app store and see how that compares?

Thanks.

 

[MikaelKW 8]

Hi,

I tested with the standard Emby for Android app on the same test device/BlueStacks.
Result is the same as with Emby for Android TV.

When entering the server as a bare hostname:
emby.example.com
login fails with:
Access token is invalid or expired

The proxy log shows the login request as a GET:
GET /emby/Users/authenticatebyname?X-Emby-Client=Emby+for+Android&X-Emby-Device-Name=SM-S908E&X-Emby-Device-Id=[redacted]&X-Emby-Client-Version=3.5.36&X-Emby-Language=en-us HTTP/2.0" 401

When entering the server explicitly as:
https://emby.example.com
login succeeds.

The proxy log then shows the correct POST request:
POST /emby/Users/authenticatebyname?X-Emby-Client=Emby+for+Android&X-Emby-Device-Name=SM-S908E&X-Emby-Device-Id=[redacted]&X-Emby-Client-Version=3.5.36&X-Emby-Language=en-us HTTP/2.0" 200

So it is not only Emby for Android TV. The standard Emby for Android app behaves the same where bare hostname fails, explicit "https://" works.

[ebr 16455]

Hi.  If your connection is via SSL it is currently required to enter the "https://".  We should make this easier with something like a simple checkbox.

[MikaelKW 8]

2 hours ago, ebr said:

Hi.  If your connection is via SSL it is currently required to enter the "https://".  We should make this easier with something like a simple checkbox.

Thanks, that explains the current behavior.

I understand that entering https:// is currently required for SSL connections, and I can use that as the workaround.

That said, I think this could still be improved in the app. In most modern clients, if a user enters a bare hostname like "emby.example.com", the app either tries HTTPS first, follows the HTTP to HTTPS redirect correctly, or at least shows a clear message saying that https:// must be included.

Right now the failure is a bit misleading because the app just shows "Access token is invalid or expired", but the actual issue is that the app is not using the correct HTTPS URL/not handling the redirect correctly during login. The proxy logs show that the login request becomes a GET ... AuthenticateByName ... 401 when using the bare hostname, while entering https://emby.example.com produces the correct POST ... AuthenticateByName ... 200.

So a checkbox would definitely help, but I think the best behavior would be for the app to either:
-default to HTTPS when a normal domain is entered without a scheme
-correctly handle HTTP to HTTPS redirects during login
-or show a clear validation message together with the checkbox such as "Secure connection is required, use the checkbox and choose the https" or something along those lines

That would make the setup much less confusing for users behind reverse proxies or Cloudflare as well as for people without the most technical know-how and the ability to actually troubleshoot these sort of things.

[Luke 42640]

Hi yes, there is room for improvement there. Thanks.