starred/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-05-04 18:09:12 +03:00
Code Issues 822 Packages Projects Releases 10 Wiki Activity

API Password break #628

New Issue
Closed
opened 2026-02-06 19:54:56 +03:00 by OVERLORD · 21 comments
OVERLORD commented 2026-02-06 19:54:56 +03:00
Owner
Copy Link

Originally created by @Floflobel on GitHub (Apr 24, 2019).

Describe the bug
I perform the creation of my user accounts with a script in Python to facilitate the management of the parameters.
I copied my script from my Emby server to test it on a Jellyfin server, everything works fine except password management.

I look at the documentation of the API but it is not yet completed with the parameters to data.

I'm posting my script below, I was doing the password reset at first because there was a problem on Emby that forced me to go through this step.

To Reproduce

def post(post_wanted, post_data):
        response = requests.post(api_url_base + post_wanted + '?api_key=' + api_token, data=post_data, headers=headers)
        if args.debug:
                print(response.url)
                print(response.status_code)
                print("\n")

def get(get_wanted, get_data):
        response = requests.get(api_url_base + get_wanted + '?api_key=' + api_token, data=get_data, headers=headers)
        return response


for username in args.username:

        # create user
        wanted = 'Users/New'
        data_json = '{"Name":"' + username + '"}'
        post(wanted, data_json)

        # get userid
        wanted = 'Users'
        get_all_user = get(wanted, None).json()
        for user in get_all_user:
                #print user['Name'] + ' ' + user['Id']

                if username == user['Name']:
                        # post user policy for select user
                        data_json = general_policy
                        wanted = 'Users/' + user['Id'] + '/Policy'
                        post(wanted, data_json)
                        # post password for select user
                        data_json = '{\"Id\":\"' + user['Id'] + '\",\"CurrentPassword\":\"\",\"CurrentPw\":\"\",\"NewPw\":\"' + password + '\",\"ResetPassword\":true}'
                        wanted = 'Users/' + user['Id'] + '/Password'
                        post(wanted, data_json)
                        data_json = '{\"Id\":\"' + user['Id'] + '\",\"CurrentPassword\":\"\",\"CurrentPw\":\"\",\"NewPw\":\"' + password + '\",\"ResetPassword\":false}'
                        wanted = 'Users/' + user['Id'] + '/Password'
                        post(wanted, data_json)`

I also tried to spend the next json:
{"CurrentPw":"","NewPw":"test"}

Originally created by @Floflobel on GitHub (Apr 24, 2019). **Describe the bug** I perform the creation of my user accounts with a script in Python to facilitate the management of the parameters. I copied my script from my Emby server to test it on a Jellyfin server, everything works fine except password management. I look at the documentation of the API but it is not yet completed with the parameters to data. I'm posting my script below, I was doing the password reset at first because there was a problem on Emby that forced me to go through this step. **To Reproduce** ``` def post(post_wanted, post_data): response = requests.post(api_url_base + post_wanted + '?api_key=' + api_token, data=post_data, headers=headers) if args.debug: print(response.url) print(response.status_code) print("\n") def get(get_wanted, get_data): response = requests.get(api_url_base + get_wanted + '?api_key=' + api_token, data=get_data, headers=headers) return response for username in args.username: # create user wanted = 'Users/New' data_json = '{"Name":"' + username + '"}' post(wanted, data_json) # get userid wanted = 'Users' get_all_user = get(wanted, None).json() for user in get_all_user: #print user['Name'] + ' ' + user['Id'] if username == user['Name']: # post user policy for select user data_json = general_policy wanted = 'Users/' + user['Id'] + '/Policy' post(wanted, data_json) # post password for select user data_json = '{\"Id\":\"' + user['Id'] + '\",\"CurrentPassword\":\"\",\"CurrentPw\":\"\",\"NewPw\":\"' + password + '\",\"ResetPassword\":true}' wanted = 'Users/' + user['Id'] + '/Password' post(wanted, data_json) data_json = '{\"Id\":\"' + user['Id'] + '\",\"CurrentPassword\":\"\",\"CurrentPw\":\"\",\"NewPw\":\"' + password + '\",\"ResetPassword\":false}' wanted = 'Users/' + user['Id'] + '/Password' post(wanted, data_json)` ``` I also tried to spend the next json: ```{"CurrentPw":"","NewPw":"test"}```
OVERLORD added the bugquestionstale labels 2026-02-06 19:54:56 +03:00
OVERLORD commented 2026-02-06 19:55:00 +03:00
Author
Owner
Copy Link

@oddstr13 commented on GitHub (Apr 25, 2019):

See #1299 , quite possibly related.

@oddstr13 commented on GitHub (Apr 25, 2019): See #1299 , quite possibly related.
OVERLORD commented 2026-02-06 19:55:01 +03:00
Author
Owner
Copy Link

@bugfixin commented on GitHub (Apr 25, 2019):

I don't think the fix for 1299 will fix this, as the submission is json here.

Two things to check: is it possible to verify the content-type is being set to application/json correctly with the python, and is it possible to test with a user whose current password is set to a non-blank?

@bugfixin commented on GitHub (Apr 25, 2019): I don't think the fix for 1299 will fix this, as the submission is json here. Two things to check: is it possible to verify the content-type is being set to application/json correctly with the python, and is it possible to test with a user whose current password is set to a non-blank?
OVERLORD commented 2026-02-06 19:55:03 +03:00
Author
Owner
Copy Link

@oddstr13 commented on GitHub (Apr 25, 2019):

https://stackoverflow.com/a/26344315

r = requests.post('http://example.com/post', json={"key": "value"})

This should also make your code a lot cleaner!

@oddstr13 commented on GitHub (Apr 25, 2019): https://stackoverflow.com/a/26344315 ```python r = requests.post('http://example.com/post', json={"key": "value"}) ``` This should also make your code a lot cleaner!
OVERLORD commented 2026-02-06 19:55:04 +03:00
Author
Owner
Copy Link

@sparky8251 commented on GitHub (Jun 25, 2019):

Is this still an issue? If not we should close this issue.

@sparky8251 commented on GitHub (Jun 25, 2019): Is this still an issue? If not we should close this issue.
OVERLORD commented 2026-02-06 19:55:05 +03:00
Author
Owner
Copy Link

@nwithan8 commented on GitHub (Nov 9, 2019):

Reopen? This still seems to be broken. Constantly getting a 500 error

@nwithan8 commented on GitHub (Nov 9, 2019): Reopen? This still seems to be broken. Constantly getting a 500 error
OVERLORD commented 2026-02-06 19:55:06 +03:00
Author
Owner
Copy Link

@anthonylavado commented on GitHub (Nov 10, 2019):

@nwithan8 What’s happening?

@anthonylavado commented on GitHub (Nov 10, 2019): @nwithan8 What’s happening?
OVERLORD commented 2026-02-06 19:55:07 +03:00
Author
Owner
Copy Link

@nwithan8 commented on GitHub (Nov 11, 2019):

Getting a 500 error when attempting to POST request to change a user's password.

@nwithan8 commented on GitHub (Nov 11, 2019): Getting a 500 error when attempting to POST request to change a user's password.
OVERLORD commented 2026-02-06 19:55:08 +03:00
Author
Owner
Copy Link

@JustAMan commented on GitHub (Nov 22, 2019):

Could you please post your code you're trying to run, and some relevant bits from Jellyfin log?

@JustAMan commented on GitHub (Nov 22, 2019): Could you please post your code you're trying to run, and some relevant bits from Jellyfin log?
OVERLORD commented 2026-02-06 19:55:08 +03:00
Author
Owner
Copy Link

@nwithan8 commented on GitHub (Dec 2, 2019):

Demoing with a web request application:

POST https://myip.com/jellyfin/Users/{userID}/Password?api_key={apiKey}
Headers:

content-type: application/json
accept: application/json

Body:

{
  "Id": "{UserId}",
  "CurrentPw": "{currentPassword}",
  "NewPw": "{newPassword}",
  "ResetPassword": true
}

Returns:
500 Internal Server Error: Object reference not set to an instance of an object.

Log from request:

[2019-12-02 13:46:00.947 -05:00] [ERR] Error processing request
System.NullReferenceException: Object reference not set to an instance of an object.
   at MediaBrowser.Api.BaseApiService.AssertCanUpdateUser(IAuthorizationContext authContext, IUserManager userManager, Guid userId, Boolean restrictUserPreferences)
   at MediaBrowser.Api.UserService.PostAsync(UpdateUserPassword request)
   at Emby.Server.Implementations.Services.ServiceExecGeneral.GetTaskResult(Task task)
   at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken)
   at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken)
@nwithan8 commented on GitHub (Dec 2, 2019): Demoing with a web request application: POST https://myip.com/jellyfin/Users/{userID}/Password?api_key={apiKey} Headers: ``` content-type: application/json accept: application/json ``` Body: ``` { "Id": "{UserId}", "CurrentPw": "{currentPassword}", "NewPw": "{newPassword}", "ResetPassword": true } ``` Returns: ```500 Internal Server Error: Object reference not set to an instance of an object.``` Log from request: ``` [2019-12-02 13:46:00.947 -05:00] [ERR] Error processing request System.NullReferenceException: Object reference not set to an instance of an object. at MediaBrowser.Api.BaseApiService.AssertCanUpdateUser(IAuthorizationContext authContext, IUserManager userManager, Guid userId, Boolean restrictUserPreferences) at MediaBrowser.Api.UserService.PostAsync(UpdateUserPassword request) at Emby.Server.Implementations.Services.ServiceExecGeneral.GetTaskResult(Task task) at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken) at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken) ```
OVERLORD commented 2026-02-06 19:55:09 +03:00
Author
Owner
Copy Link

@JustAMan commented on GitHub (Dec 4, 2019):

Is this with JF 10.4.2?

@JustAMan commented on GitHub (Dec 4, 2019): Is this with JF 10.4.2?
OVERLORD commented 2026-02-06 19:55:09 +03:00
Author
Owner
Copy Link

@nwithan8 commented on GitHub (Dec 30, 2019):

I believe so. Whatever the latest Docker version is/was as of Dec. 2

@nwithan8 commented on GitHub (Dec 30, 2019): I believe so. Whatever the latest Docker version is/was as of Dec. 2
OVERLORD commented 2026-02-06 19:55:10 +03:00
Author
Owner
Copy Link

@JustAMan commented on GitHub (Jan 10, 2020):

@Bond-009 or @cvium does this ring a bell for you?

@JustAMan commented on GitHub (Jan 10, 2020): @Bond-009 or @cvium does this ring a bell for you?
OVERLORD commented 2026-02-06 19:55:11 +03:00
Author
Owner
Copy Link

@InspireToCode commented on GitHub (Jan 14, 2020):

Has anyone come to a solution for this?

@InspireToCode commented on GitHub (Jan 14, 2020): Has anyone come to a solution for this?
OVERLORD commented 2026-02-06 19:55:12 +03:00
Author
Owner
Copy Link

@nwithan8 commented on GitHub (Jan 15, 2020):

Yes, thanks to @callmekory, turns out you need to reset the password first, THEN set a password.

@nwithan8 commented on GitHub (Jan 15, 2020): Yes, thanks to @callmekory, turns out you need to reset the password first, THEN set a password.
OVERLORD commented 2026-02-06 19:55:12 +03:00
Author
Owner
Copy Link

@dkanada commented on GitHub (Jan 15, 2020):

Can you post an example here for future discussion? We definitely need to overhaul the password reset at some point.

@dkanada commented on GitHub (Jan 15, 2020): Can you post an example here for future discussion? We definitely need to overhaul the password reset at some point.
OVERLORD commented 2026-02-06 19:55:13 +03:00
Author
Owner
Copy Link

@senpaiSubby commented on GitHub (Jan 16, 2020):

Here are some examples from the code I'm working on right now for a project. Hope this helps in the future for the next person.

/**
 * Resets the password for the specified user
 * @param userID User ID of user to reset password
 */
const resetPassword = async (userID) => {
  const response = await post(`${host}/Users/${userID}/Password`)
    .headers({ 'X-Emby-Token': token })
    .send({
      Id: userID,
      ResetPassword: true
    })

  console.log(response.body)
  console.log(response.code)
}

/**
 * Set the password of the specified user
 * @param userID User ID of the user to set password
 */
const setUserPassword = async (userID, newPass) => {
  const response = await post(`${host}/Users/${userID}/Password`)
    .headers({ 'X-Emby-Token': token })
    .send({
      Id: userID,
      CurrentPw: '',
      NewPw: newPass
    })

  console.log(response.body)
  console.log(response.code)
}
@senpaiSubby commented on GitHub (Jan 16, 2020): Here are some examples from the code I'm working on right now for a project. Hope this helps in the future for the next person. ```js /** * Resets the password for the specified user * @param userID User ID of user to reset password */ const resetPassword = async (userID) => { const response = await post(`${host}/Users/${userID}/Password`) .headers({ 'X-Emby-Token': token }) .send({ Id: userID, ResetPassword: true }) console.log(response.body) console.log(response.code) } /** * Set the password of the specified user * @param userID User ID of the user to set password */ const setUserPassword = async (userID, newPass) => { const response = await post(`${host}/Users/${userID}/Password`) .headers({ 'X-Emby-Token': token }) .send({ Id: userID, CurrentPw: '', NewPw: newPass }) console.log(response.body) console.log(response.code) } ```
OVERLORD commented 2026-02-06 19:55:13 +03:00
Author
Owner
Copy Link

@senpaiSubby commented on GitHub (Jan 16, 2020):

Setting the user password will return a 204 status code

@senpaiSubby commented on GitHub (Jan 16, 2020): Setting the user password will return a 204 status code
OVERLORD commented 2026-02-06 19:55:14 +03:00
Author
Owner
Copy Link

@nwithan8 commented on GitHub (Jan 16, 2020):

In Python

"""

 Resets the password for the specified user
 :param userID: User ID of user to reset password
"""
def resetPassword(userID):
  url = '{host}/Users/{id}/Password'.format(host=JELLYFIN_URL, id=userID)
  data = {
    'Id': userID,
    'ResetPassword': 'true'
  }
  res = requests.post(url, headers={ 'X-Emby-Token': token }, data=json.dumps(data))
  print(res.content)
  print(res.status_code)
}

"""

 Set the password of the specified user
 :param userID: User ID of the user to set password
 :param newPass: New password for user
 """
def setUserPassword(userID, newPass):
  resetPassword(userID)  # resets password first
  url = '{host}/Users/{id}/Password'.format(host=JELLYFIN_URL, id=userID)
  data = {
    'Id': userID,
    'CurrentPw': "",  # will be blank because of reset
    'NewPw': newPass
  }
  res = requests.post(url, headers={ 'X-Emby-Token': token }, data=json.dumps(data))
  print(res.content)
  print(res.status_code)
@nwithan8 commented on GitHub (Jan 16, 2020): In Python ```python """ Resets the password for the specified user :param userID: User ID of user to reset password """ def resetPassword(userID): url = '{host}/Users/{id}/Password'.format(host=JELLYFIN_URL, id=userID) data = { 'Id': userID, 'ResetPassword': 'true' } res = requests.post(url, headers={ 'X-Emby-Token': token }, data=json.dumps(data)) print(res.content) print(res.status_code) } """ Set the password of the specified user :param userID: User ID of the user to set password :param newPass: New password for user """ def setUserPassword(userID, newPass): resetPassword(userID) # resets password first url = '{host}/Users/{id}/Password'.format(host=JELLYFIN_URL, id=userID) data = { 'Id': userID, 'CurrentPw': "", # will be blank because of reset 'NewPw': newPass } res = requests.post(url, headers={ 'X-Emby-Token': token }, data=json.dumps(data)) print(res.content) print(res.status_code) ```
OVERLORD commented 2026-02-06 19:55:14 +03:00
Author
Owner
Copy Link

@dkanada commented on GitHub (Jan 16, 2020):

That is the strangest way possible to design a password reset.

@dkanada commented on GitHub (Jan 16, 2020): That is the strangest way possible to design a password reset.
OVERLORD commented 2026-02-06 19:55:15 +03:00
Author
Owner
Copy Link

@senpaiSubby commented on GitHub (Jan 16, 2020):

If I could suggest that we be able to manage user accounts with only the API key? Right now you can to login via the app THEN use that auth token to make changes. We're using 2 separate authorizations atm and it could be migrated to simple the API key

@senpaiSubby commented on GitHub (Jan 16, 2020): If I could suggest that we be able to manage user accounts with only the API key? Right now you can to login via the app THEN use that auth token to make changes. We're using 2 separate authorizations atm and it could be migrated to simple the API key
OVERLORD commented 2026-02-06 19:55:16 +03:00
Author
Owner
Copy Link

@stale[bot] commented on GitHub (May 15, 2020):

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.
If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.
This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

@stale[bot] commented on GitHub (May 15, 2020): This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments. If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or nightlies, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label. This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on [Matrix or Social Media](https://docs.jellyfin.org/general/getting-help.html).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
EFjellyfin.db
area:database
awaiting-feedback
backend
blocked
breaking change: web api
bug
build
ci
confirmed
discussion needed
dotnet future
downstream
duplicate
enhancement
feature
future
github-actions
good first issue
hdr
help wanted
invalid
investigation
librarydb
live-tv
lyrics
media playback
music
needs testing
nuget
performance
platform
pull-request
Mirrored from GitHub Pull Request
 question
regression
release critical
requires-web
roadmap
security
security
stale
support
syncplay
ui & ux
upstream
wontfix
No Label bug question stale
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#628
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?