starred/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-01-23 23:20:51 +01:00
Code Issues 725 Projects Packages Wiki Activity Actions 2

Refactor "Copy Stream URL" to not leak the user's session API key #5360

New issue
Open
opened 2025-12-22 01:35:38 +01:00 by backuprepo · 4 comments
backuprepo commented 2025-12-22 01:35:38 +01:00
Owner
Copy link

Originally created by @sqlstatement on GitHub (Jan 4, 2024).

The way this currently works is that, when you share the URL using the "Copy Stream URL" button in the Jellyfin Web UI, it copies the stream link and appends the API key (access token) of the current user session.

My proposal would be to modify that mechanism to create a new API key, with permissions to only view the object that was actually shared.

This has two reasons:

  • Sharing the link with people, regardless of trust is dangerous as the API key can be used to log in as that user
  • Embedding the content on websites etc. is very impractical, because the API key currently expires once the session ends (the user logs out)

My idea for an implementation would be as follows: When using the "Copy Stream URL" feature, a new key with access to only that object is generated. I would also add a small selector box where the user can choose how long the link should be valid, to avoid any potential abuse/unwanted link sharing. This approach should not be a breaking change, as the user authentication and authorization mechanisms will not be changed.

I'm happy to discuss the details and would be ready to make the needed changes to the codebase in a pull request once I receive the all clear that the feature is wanted and fine to add.

Originally created by @sqlstatement on GitHub (Jan 4, 2024). The way this currently works is that, when you share the URL using the "Copy Stream URL" button in the Jellyfin Web UI, it copies the stream link and appends the API key (access token) of the current user session. My proposal would be to modify that mechanism to create a new API key, with permissions to only view the object that was actually shared. This has two reasons: * Sharing the link with people, regardless of trust is dangerous as the API key can be used to log in as that user * Embedding the content on websites etc. is very impractical, because the API key currently expires once the session ends (the user logs out) My idea for an implementation would be as follows: When using the "Copy Stream URL" feature, a new key with access to only that object is generated. I would also add a small selector box where the user can choose how long the link should be valid, to avoid any potential abuse/unwanted link sharing. This approach should not be a breaking change, as the user authentication and authorization mechanisms will not be changed. I'm happy to discuss the details and would be ready to make the needed changes to the codebase in a pull request once I receive the all clear that the feature is wanted and fine to add.
backuprepo added the
security
 label 2025-12-22 01:35:38 +01:00
backuprepo commented 2025-12-22 01:35:40 +01:00
Author
Owner
Copy link

@sqlstatement commented on GitHub (Jan 7, 2024):

Looks like this will be a much bigger change than anticipated, since the current API key implementation does not allow for fine grained control via its permission system. I'll have to see if this is even going to be possible.

@sqlstatement commented on GitHub (Jan 7, 2024): Looks like this will be a much bigger change than anticipated, since the current API key implementation does not allow for fine grained control via its permission system. I'll have to see if this is even going to be possible.
backuprepo commented 2025-12-22 01:35:41 +01:00
Author
Owner
Copy link

@sqlstatement commented on GitHub (Jan 17, 2024):

From what I can see, API keys currently have unrestricted permissions, so it seems like my initial worry about this being a bigger change than anticipated has been confirmed. (https://github.com/jellyfin/jellyfin/blob/master/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs#L52)

I'll do some more research to see how much needs to be changed, but the current Authorization Handlers will need some work, at the very least to remove and replace the hardcoded API key part

@sqlstatement commented on GitHub (Jan 17, 2024): From what I can see, API keys currently have unrestricted permissions, so it seems like my initial worry about this being a bigger change than anticipated has been confirmed. (https://github.com/jellyfin/jellyfin/blob/master/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs#L52) I'll do some more research to see how much needs to be changed, but the current Authorization Handlers will need some work, at the very least to remove and replace the hardcoded API key part
backuprepo commented 2025-12-22 01:35:43 +01:00
Author
Owner
Copy link

@TheRainstorm commented on GitHub (May 21, 2024):

I'm happy to discuss the details and would be ready to make the needed changes to the codebase in a pull request once I receive the all clear that the feature is wanted and fine to add.

It's a useful feature, especially for VRChat! I used to share my video url in VRChat without knowing its potential risk. I also found someone with a similar need: https://www.reddit.com/r/VRchat/comments/18ira6e/self_hosting_videos_from_home_with_jellyfin_cdn/

I would appreciate it if you could implement it. 👍

@TheRainstorm commented on GitHub (May 21, 2024): > I'm happy to discuss the details and would be ready to make the needed changes to the codebase in a pull request once I receive the all clear that the feature is wanted and fine to add. It's a useful feature, especially for VRChat! I used to share my video url in VRChat without knowing its potential risk. I also found someone with a similar need: https://www.reddit.com/r/VRchat/comments/18ira6e/self_hosting_videos_from_home_with_jellyfin_cdn/ I would appreciate it if you could implement it. 👍
backuprepo commented 2025-12-22 01:35:45 +01:00
Author
Owner
Copy link

@silverwolf04 commented on GitHub (Jul 7, 2025):

Getting this refactored to be more secure would be great. I had stumbled across this feature and was hoping to use it for sharing photos with family members to specific photos to download that I don't want to create user accounts for.

@silverwolf04 commented on GitHub (Jul 7, 2025): Getting this refactored to be more secure would be great. I had stumbled across this feature and was hoping to use it for sharing photos with family members to specific photos to download that I don't want to create user accounts for.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
renovate/ci-deps
release-10.11.z
renovate/major-swashbuckle-aspnetcore-monorepo
renovate/svg.skia-3.x
explicit-load-v2
explicit-load
renovate/skiasharp-monorepo
only-count-folder-item
openapi-cache
release-10.10.z
release-10.9.z
feature/entity-framework
release-10.8.z
release-10.7.z
EraYaN-add-management-interface
release-10.6.z
release-10.5.z
release-10.4.z
release-10.3.z
release-10.2.z
release-10.1.0
v10.11.6
v10.11.5
v10.11.4
v10.11.3
v10.11.2
v10.11.1
v10.11.0
v10.11.0-rc9
v10.11.0-rc8
v10.11.0-rc7
v10.11.0-rc6
v10.11.0-rc5
v10.11.0-rc4
v10.11.0-rc3
v10.11.0-rc2
v10.11.0-rc1
v10.10.7
v10.10.6
v10.10.5
v10.10.4
v10.10.3
v10.10.2
v10.10.1
v10.10.0
v10.9.11
v10.9.10
v10.9.9
v10.9.8
v10.9.7
v10.9.6
v10.9.5
v10.9.4
v10.9.3
v10.9.2
v10.9.1
v10.9.0
v10.8.13
v10.8.12
v10.8.11
v10.8.10
v10.8.9
v10.8.8
v10.8.7
v10.8.6
v10.8.5
v10.8.4
v10.8.3
v10.8.2
v10.8.1
v10.8.0
v10.8.0-beta3
v10.8.0-beta2
v10.8.0-beta1
v10.8.0-alpha5
v10.8.0-alpha4
v10.8.0-alpha3
v10.8.0-alpha2
v10.8.0-alpha1
v10.7.7
v10.7.6
v10.7.5
v10.7.4
v10.7.3
v10.7.2
v10.7.1
v10.7.0
v10.7.0-rc4
v10.7.0-rc3
v10.7.0-rc2
v10.7.0-rc1
v10.6.4
v10.6.3
v10.6.2
v10.6.1
v10.6.0
v10.5.5
v10.5.4
v10.5.3
v10.5.2
v10.5.1
v10.5.0
v10.4.3
v10.4.2
v10.4.1
v10.4.0
v10.3.7
v10.3.6
v10.3.5
v10.3.4
v10.3.3
v10.3.2
v10.3.1
v10.3.0
v10.3.0-rc2
v10.3.0-rc1
v10.2.2
v10.2.1
v10.2.0
v10.1.0
v10.0.1
v10.0.0
v10.0.2
v3.5.2-5
Labels
Clear labels   
area:database

   
awaiting-feedback

   
backend

   
blocked

   
breaking change: web api

   
bug

   
build

   
ci

   
confirmed

   
discussion needed

   
dotnet future

   
downstream

   
duplicate

   
EFjellyfin.db

   
enhancement

   
feature

   
future

   
github-actions

   
good first issue

   
hdr

   
help wanted

   
invalid

   
investigation

   
librarydb

   
live-tv

   
lyrics

   
media playback

   
music

   
needs testing

   
nuget

   
performance

   
platform

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
regression

   
release critical

   
requires-web

   
roadmap

   
security

   
security

   
stale

   
support

   
syncplay

   
ui & ux

   
upstream

   
wontfix
No labels
area:database
awaiting-feedback
backend
blocked
breaking change: web api
bug
build
ci
confirmed
discussion needed
dotnet future
downstream
duplicate
EFjellyfin.db
enhancement
feature
future
github-actions
good first issue
hdr
help wanted
invalid
investigation
librarydb
live-tv
lyrics
media playback
music
needs testing
nuget
performance
platform
pull-request
question
regression
release critical
requires-web
roadmap
security
security
stale
support
syncplay
ui & ux
upstream
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: starred/jellyfin#5360
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?