Work towards reducing exposed information from /emby/users/public #1736

Open
opened 2026-02-06 21:18:09 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @joshuaboniface on GitHub (May 26, 2020).

Continuation of #880

The /emby/users/public API endpoint returns a large amount of data about users, far more than it should. This issue is a continuation of the previous one to track the ideal state of this API endpoint and provide notice to client developers.

The following goals should be considered:

  • Preservation of the API's endpoint stability until all clients and consumers can be updated.
  • Determination of exactly what fields from this API endpoint are actually required to create a functional login screen.
  • Gradual deprecation and removal of endpoints by filling existing fields with null or static data until the entire API endpoint can be reworked.
Originally created by @joshuaboniface on GitHub (May 26, 2020). Continuation of #880 The `/emby/users/public` API endpoint returns a large amount of data about users, far more than it should. This issue is a continuation of the previous one to track the ideal state of this API endpoint and provide notice to client developers. The following goals should be considered: * Preservation of the API's endpoint stability until all clients and consumers can be updated. * Determination of exactly what fields from this API endpoint are actually required to create a functional login screen. * Gradual deprecation and removal of endpoints by filling existing fields with null or static data until the entire API endpoint can be reworked.
OVERLORD added the bugconfirmedsecurity labels 2026-02-06 21:18:09 +03:00
Author
Owner

@stale[bot] commented on GitHub (Sep 24, 2020):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

@stale[bot] commented on GitHub (Sep 24, 2020): This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments. If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label. This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on [Matrix or Social Media](https://docs.jellyfin.org/general/getting-help.html).
Author
Owner

@ebkalderon commented on GitHub (Apr 25, 2024):

I believe this should also be labeled "security", correct?

For reference, the original issue (#880) had that label before it was closed by PR #2492, which was later reverted by PR #3187 for breaking existing Jellyfin clients.

@ebkalderon commented on GitHub (Apr 25, 2024): I believe this should also be labeled "security", correct? For reference, the original issue (#880) had that label before it was closed by PR #2492, which was later reverted by PR #3187 for breaking existing Jellyfin clients.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#1736