[PR #14729] [CLOSED] Refactor authentication #14085

opened 2026-02-07 07:24:08 +03:00 by OVERLORD · 0 comments
📋 Pull Request Information

Original PR: https://github.com/jellyfin/jellyfin/pull/14729
Author: @stenlan
Created: 9/1/2025
Status: Closed

Base: master ← Head: feature/totp-mfa


📝 Commits (10+)

  • 118e0de Start rename of some fields
  • fae2293 More refactoring progress
  • 4bad9f3 More progress
  • 3af6f5d Rename & move authenticationResult
  • 2138df1 More progress
  • e9d7247 Authentication refactor
  • f177fe3 Fix provider resolving
  • 63f4786 Databse migration
  • 6844458 Fix capabilities null reference exception
  • f4b061d Add remote endpoint to Quick Connect session creation

📊 Changes

57 files changed (+5584 additions, -2658 deletions)

📝 Directory.Packages.props (+3 -2)
📝 Emby.Server.Implementations/ApplicationHost.cs (+57 -6)
Emby.Server.Implementations/QuickConnect/QuickConnectManager.cs (+0 -231)
📝 Emby.Server.Implementations/Session/SessionManager.cs (+43 -69)
📝 Jellyfin.Api/Controllers/QuickConnectController.cs (+80 -22)
📝 Jellyfin.Api/Controllers/SessionController.cs (+10 -3)
📝 Jellyfin.Api/Controllers/StartupController.cs (+13 -2)
📝 Jellyfin.Api/Controllers/UserController.cs (+144 -35)
📝 Jellyfin.Api/Jellyfin.Api.csproj (+1 -0)
📝 Jellyfin.Api/Models/UserDtos/AuthenticateUserByName.cs (+5 -0)
Jellyfin.Api/Models/UserDtos/SetUserMFADto.cs (+15 -0)
📝 Jellyfin.Api/Models/UserDtos/UpdateUserPassword.cs (+5 -0)
📝 Jellyfin.Server.Implementations/Devices/DeviceManager.cs (+5 -0)
📝 Jellyfin.Server.Implementations/Jellyfin.Server.Implementations.csproj (+1 -0)
📝 Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs (+183 -61)
📝 Jellyfin.Server.Implementations/Users/DefaultPasswordResetProvider.cs (+14 -2)
Jellyfin.Server.Implementations/Users/InvalidAuthProvider.cs (+0 -36)
Jellyfin.Server.Implementations/Users/LegacyPlaceholderAuthenticationProvider.cs (+22 -0)
Jellyfin.Server.Implementations/Users/QuickConnectManager.cs (+91 -0)
Jellyfin.Server.Implementations/Users/UserAuthenticationManager.cs (+352 -0)

...and 37 more files

📄 Description

Draft pull request for maintainers to already see the structure of the changes that I want to make.
Will need to fix tests, a circular dependency issue (done), model migrations (done), and in-code documentation (done). More documentation to follow.

Changes

  • Completely refactors authentication in a way that more cleanly separates the responsibilities of the session manager, user manager and the new IUserAuthenticationManager, and decouples it from the username/password type of authentication and instead makes it fully generic. Added some easy-to-use abstract building blocks for authentication providers:
    • AbstractAuthenticationProvider (used by username password auth)
    • AbstractExternallyTriggeredAuthenticationProvider (used by quick connect auth)
    • AbstractChallengeResponseAuthenticationProvider (WIP; can be used by general challenge-response type authentication providers).
  • Adds TOTP MFA support to the back end
    • Includes legacy client authentication fallback by appending TOTP token to password for compatibility with old clients. This is not unheard of, Apple has done this too: https://discussions.apple.com/thread/254488819?sortBy=rank
    • Front end/web client support pending PR (TODO: add web client PR reference).
  • Changed IAuthenticationProvider interface to a generic IAuthenticationProvider<T> interface, where T is the type of payload data that an authentication provider takes upon authentication, so that multiple types of authentication can be supported.

Issues
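Fixes #1215 (https://github.com/jellyfin/jellyfin/issues/1215).
Completes this feature request: https://features.jellyfin.org/posts/26/add-support-for-two-factor-authentication-2fa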


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
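
The legacy-client fallback in the description (TOTP token appended to the password) needs an unambiguous split plus a replay check. The sketch below is an added example, not code from this PR or from Jellyfin. The class and method names are hypothetical, and it assumes 6-digit codes, a 30-second step, HMAC-SHA1 and one step of clock drift.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not Jellyfin's API). Assumed parameters: 6 digits, 30 s step, SHA-1.
public static class LegacyTotpFallback
{
    private const int Digits = 6, StepSeconds = 30, Drift = 1;

    // Treat the last six characters as the code only when all of them are ASCII digits.
    // Call this only for accounts with TOTP enrolled and no separate code field supplied;
    // otherwise a password that merely ends in digits would be truncated.
    public static bool TrySplit(string combined, out string password, out string code)
    {
        password = combined;
        code = string.Empty;
        if (combined.Length <= Digits) return false;
        string tail = combined[^Digits..];
        foreach (char c in tail)
        {
            if (c < '0' || c > '9') return false;
        }
        password = combined[..^Digits];
        code = tail;
        return true;
    }

    // RFC 4226 dynamic truncation over HMAC-SHA1 of the big-endian step counter.
    public static string Compute(byte[] secret, long counter)
    {
        byte[] msg = new byte[8];
        BinaryPrimitives.WriteInt64BigEndian(msg, counter);
        byte[] mac = HMACSHA1.HashData(secret, msg);
        int o = mac[^1] & 0x0F;
        int bin = ((mac[o] & 0x7F) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
        return (bin % 1_000_000).ToString("D6");
    }

    // Returns the matched time step for the caller to persist, or -1 when rejected.
    // Steps at or below lastAcceptedStep are refused, so a captured code cannot be replayed.
    public static long Verify(byte[] secret, string code, DateTimeOffset now, long lastAcceptedStep)
    {
        long current = now.ToUnixTimeSeconds() / StepSeconds;
        byte[] given = Encoding.ASCII.GetBytes(code);
        long matched = -1;
        for (long step = current - Drift; step <= current + Drift; step++)
        {
            byte[] expected = Encoding.ASCII.GetBytes(Compute(secret, step));
            if (CryptographicOperations.FixedTimeEquals(expected, given) && step > lastAcceptedStep)
                matched = step;
        }
        return matched;
    }
}
```

The password half returned by `TrySplit` still has to pass the normal password-hash check, and both factors should fail with the same error so the response does not reveal which one was wrong. With the RFC 4226 test secret (ASCII `12345678901234567890`), `Compute(secret, 1)` returns `287082`.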

OVERLORD added the pull-request label 2026-02-07 07:24:08 +03:00
Reference: starred/jellyfin#14085