mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
Refactor "Copy Stream URL" to not leak the user's session API key #5359
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @sqlstatement on GitHub (Jan 4, 2024).
The way this currently works is that, when you share the URL using the "Copy Stream URL" button in the Jellyfin Web UI, it copies the stream link and appends the API key (access token) of the current user session.
My proposal would be to modify that mechanism to create a new API key, with permissions to only view the object that was actually shared.
This has two reasons:
My idea for an implementation would be as follows: When using the "Copy Stream URL" feature, a new key with access to only that object is generated. I would also add a small selector box where the user can choose how long the link should be valid, to avoid any potential abuse/unwanted link sharing. This approach should not be a breaking change, as the user authentication and authorization mechanisms will not be changed.
I'm happy to discuss the details and would be ready to make the needed changes to the codebase in a pull request once I receive the all clear that the feature is wanted and fine to add.
@sqlstatement commented on GitHub (Jan 7, 2024):
Looks like this will be a much bigger change than anticipated, since the current API key implementation does not allow for fine grained control via its permission system. I'll have to see if this is even going to be possible.
@sqlstatement commented on GitHub (Jan 17, 2024):
From what I can see, API keys currently have unrestricted permissions, so it seems like my initial worry about this being a bigger change than anticipated has been confirmed. (https://github.com/jellyfin/jellyfin/blob/master/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs#L52)
I'll do some more research to see how much needs to be changed, but the current Authorization Handlers will need some work, at the very least to remove and replace the hardcoded API key part
@TheRainstorm commented on GitHub (May 21, 2024):
It's a useful feature, especially for VRChat! I used to share my video url in VRChat without knowing its potential risk. I also found someone with a similar need: https://www.reddit.com/r/VRchat/comments/18ira6e/self_hosting_videos_from_home_with_jellyfin_cdn/
I would appreciate it if you could implement it. 👍
@silverwolf04 commented on GitHub (Jul 7, 2025):
Getting this refactored to be more secure would be great. I had stumbled across this feature and was hoping to use it for sharing photos with family members to specific photos to download that I don't want to create user accounts for.
@nEx-Ux1 commented on GitHub (Jan 6, 2026):
Has there been any progress on this issue? For the moment, the key is still shared in the URL.
As it is not possible to hide it, it should be possible to add the option to simply reset it