nxenos83 52 Posted February 21, 2017

It looks like this end point allows transmission of audio content without any authorization. I confirmed on a device that was not part of the LAN and was not authenticated. Server Version 3.2.1.0

Luke 42086 Posted February 21, 2017

Thanks for the report, we'll take a look.

nxenos83 52 Posted February 21, 2017 Author

Thanks Luke. Because of this opening, it was much easier getting an echo to play music hosted on my emby server.

Luke 42086 Posted February 21, 2017

Well it won't be for long. Several months ago I let all of the relevant parties know that we'd be closing this api in the future, and I think after the next release it will probably be a good time to do that.

nxenos83 52 Posted February 21, 2017 Author

I wonder if there are other cases when an exposed un-authenticated endpoint is needed to stream. Maybe instead of passing the static item id, there could be some sort of leasing model. A token could be created for a particular item by an authenticated user for a specified time. Write that token, the item id, and expiration time to db (or in memory). Then the token can be passed in the url instead of the item id. The end point then queries the db for the token. If the token is still valid, continue processing for the item id associated with the token.

Not sure how much the need is for something like this, or maybe there is an approach that already exists. Is the endpoint being decommissioned for a reason besides lack of authentication?

Edited February 21, 2017 by nxenos83
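
A sketch of the leasing model proposed in the post above, as an added example that is not part of the thread and not Emby's code. The class and method names are hypothetical, the table is in memory only, and storing a SHA-256 digest instead of the raw token is an added assumption.

```python
import hashlib
import secrets
import time


class StreamLeaseStore:
    """In-memory lease table: token digest -> (item_id, user_id, expires_at)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._leases = {}

    @staticmethod
    def _digest(token):
        # Store only a hash, so a dump of the table does not yield usable URLs.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, item_id, user_id, ttl_seconds):
        """Called from an authenticated request; returns the token for the URL."""
        if ttl_seconds <= 0:
            raise ValueError("ttl_seconds must be positive")
        token = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        expires_at = self._clock() + ttl_seconds
        self._leases[self._digest(token)] = (item_id, user_id, expires_at)
        return token

    def resolve(self, token):
        """Called by the unauthenticated stream endpoint; item_id or None."""
        try:
            key = self._digest(token)
        except (UnicodeEncodeError, AttributeError):
            return None                     # malformed input is just "no lease"
        lease = self._leases.get(key)
        if lease is None:
            return None
        item_id, _user_id, expires_at = lease
        if self._clock() >= expires_at:
            del self._leases[key]           # expired leases are removed on touch
            return None
        return item_id

    def revoke_user(self, user_id):
        """Drop every lease a user created, e.g. on logout or password change."""
        stale = [k for k, v in self._leases.items() if v[1] == user_id]
        for k in stale:
            del self._leases[k]
        return len(stale)
```

Unknown, malformed and expired tokens all resolve to `None`, so the endpoint can answer them identically and the raw item id never appears in the URL.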